CISA KEV Alert: WatchGuard and Triofox Flaws Now Under Active Attack

CISA Adds Actively Exploited WatchGuard Firebox and Gladinet Triofox Vulnerabilities to KEV Catalog

HIGH
November 13, 2025
Tags: Vulnerability, Patch Management

Related Entities

CVE Identifiers

CVE-2025-12480
HIGH
CVE-2025-62215
HIGH

Full Report

Executive Summary

On November 12, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog, adding three vulnerabilities that are confirmed to be under active exploitation by threat actors. The advisory mandates that Federal Civilian Executive Branch (FCEB) agencies patch these flaws to protect federal networks. The newly added vulnerabilities affect widely used products from Microsoft, WatchGuard, and Gladinet, posing a significant risk to organizations globally. The flaws include an out-of-bounds write in WatchGuard Firebox appliances (CVE-2025-9242) and an access control bypass in Gladinet Triofox (CVE-2025-12480). CISA's alert serves as a critical warning for all organizations to prioritize patching these vulnerabilities immediately.


Vulnerability Details

The advisory highlights three distinct vulnerabilities now confirmed as exploited in the wild:

  1. CVE-2025-9242 - WatchGuard Firebox Out-of-Bounds Write Vulnerability:

    • Product: WatchGuard Firebox network security appliances.
    • Description: This is an out-of-bounds write vulnerability. This class of flaw can typically be exploited to cause a denial-of-service condition or, in a worst-case scenario, achieve arbitrary code execution on the firewall itself. A compromise of a perimeter security appliance represents a critical breach.
  2. CVE-2025-12480 - Gladinet Triofox Improper Access Control Vulnerability:

    • Product: Gladinet Triofox, a self-hosted file sharing and remote access solution.
    • Description: This flaw allows an unauthenticated attacker to bypass authentication mechanisms. According to Mandiant researchers who discovered it, this could lead to arbitrary payload execution, giving an attacker a foothold within the target network.
  3. CVE-2025-62215 - Microsoft Windows Kernel Privilege Escalation Vulnerability:

    • Product: Microsoft Windows.
    • Description: An actively exploited zero-day that allows a local attacker to escalate privileges to SYSTEM level. (Covered in-depth in a separate advisory).

Exploitation Status

All three vulnerabilities are listed in the KEV catalog because CISA has reliable evidence of active exploitation. Threat actors are actively targeting these flaws in real-world attacks. Under Binding Operational Directive (BOD) 22-01, FCEB agencies must remediate these vulnerabilities by December 3, 2025. This deadline should be considered a strong recommendation for all public and private sector organizations.

Impact Assessment

  • WatchGuard (CVE-2025-9242): A compromise of a perimeter firewall can lead to a complete loss of network integrity. Attackers could disable security policies, intercept traffic, or pivot into the internal network unimpeded.
  • Gladinet (CVE-2025-12480): Exploitation allows an unauthenticated attacker to gain access to a self-hosted file server, potentially leading to sensitive data exfiltration or the deployment of ransomware on corporate data shares.

The active exploitation of these flaws demonstrates that threat actors are targeting both network edge devices and data access solutions to breach organizations.

Detection Methods

  • Log Analysis: Monitor firewall logs from WatchGuard devices for any anomalous administrative activity or unexpected reboots, which could indicate exploitation. For Triofox, monitor application logs for access attempts from unknown IP addresses that successfully bypass authentication.
  • Network Monitoring: Look for unusual outbound connections from WatchGuard or Triofox servers to unknown destinations, which could be a sign of C2 communication or data exfiltration. Use D3FEND's Network Traffic Analysis.
  • Vulnerability Scanning: Use vulnerability scanners with up-to-date plugins to identify all instances of vulnerable WatchGuard Firebox and Gladinet Triofox software in your environment.
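To show how the log-analysis and network-monitoring checks above can be turned into a concrete detection, here is an added Python example; it is not code from CISA, WatchGuard or Gladinet. It builds a first-seen baseline from a historical window of constructed, generic key=value log lines and then flags three things the article names: successful logins from a source address never before seen for that account, outbound connections to destinations not in the baseline, and unexpected firewall reboots. The log format, device names and IP addresses are constructed for the example; real Firebox and Triofox logs have their own formats and would need a vendor-specific parser in place of `parse_line()`.

```python
"""First-seen baselining over device and application logs.

Added example for this article, not code from CISA, WatchGuard or Gladinet.
The key=value log format, device names and addresses below are constructed;
real Firebox and Triofox logs need a vendor-specific parser in parse_line().
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Any, Dict, List, Set, Tuple

# Constructed sample log lines (not real vendor output).
SAMPLE_LOGS = [
    "2025-11-01T08:00:00Z dev=fw-edge-01 event=admin_login user=admin src=10.0.5.20 result=success",
    "2025-11-03T09:15:00Z dev=fw-edge-01 event=admin_login user=admin src=10.0.5.20 result=success",
    "2025-11-05T10:00:00Z dev=triofox-01 event=auth user=jdoe src=10.0.8.14 result=success",
    "2025-11-06T10:00:00Z dev=triofox-01 event=outbound dst=203.0.113.7:443 bytes=1200",
    # Activity after the baseline window: the patterns the article says to watch for.
    "2025-11-12T02:13:44Z dev=fw-edge-01 event=admin_login user=admin src=198.51.100.77 result=success",
    "2025-11-12T02:14:10Z dev=fw-edge-01 event=reboot reason=unexpected",
    "2025-11-12T03:01:02Z dev=triofox-01 event=auth user=svc_backup src=198.51.100.77 result=success",
    "2025-11-12T03:05:30Z dev=triofox-01 event=outbound dst=198.51.100.77:8443 bytes=48000000",
]

# Events before this instant define "normal"; everything at or after it is evaluated.
BASELINE_CUTOFF = datetime(2025, 11, 10, tzinfo=timezone.utc)

KV_RE = re.compile(r"(\w+)=(\S+)")
LOGIN_EVENTS = {"admin_login", "auth"}

Finding = Tuple[str, str, str]  # (device, detection name, detail)


def parse_line(line: str) -> Dict[str, Any]:
    """Split '<timestamp> k=v k=v ...' into a dict; swap this for a vendor parser."""
    ts_str, _, rest = line.partition(" ")
    fields: Dict[str, Any] = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def dst_host(dst: str) -> str:
    """Strip the port from 'host:port'."""
    return dst.rsplit(":", 1)[0]


def build_baseline(events: List[Dict[str, Any]], cutoff: datetime):
    """Per-account login sources and per-device outbound destinations seen before cutoff."""
    login_ips: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    dst_hosts: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["ts"] >= cutoff:
            continue
        if ev["event"] in LOGIN_EVENTS and ev.get("result") == "success":
            login_ips[(ev["dev"], ev["user"])].add(ev["src"])
        elif ev["event"] == "outbound":
            dst_hosts[ev["dev"]].add(dst_host(ev["dst"]))
    return login_ips, dst_hosts


def detect(lines: List[str], cutoff: datetime = BASELINE_CUTOFF) -> List[Finding]:
    """Flag post-cutoff events that deviate from the baseline."""
    events = [parse_line(line) for line in lines]
    login_ips, dst_hosts = build_baseline(events, cutoff)
    findings: List[Finding] = []
    for ev in events:
        if ev["ts"] < cutoff:
            continue
        kind = ev["event"]
        if kind in LOGIN_EVENTS and ev.get("result") == "success":
            # Successful login from a source never seen for this account on this device:
            # on Triofox this is the shape an authentication bypass would take in the logs.
            if ev["src"] not in login_ips.get((ev["dev"], ev["user"]), set()):
                findings.append((ev["dev"], "new_source_login", f"{ev['user']} from {ev['src']}"))
        elif kind == "outbound":
            # New outbound destination from an appliance or file server: possible C2 or exfiltration.
            host = dst_host(ev["dst"])
            if host not in dst_hosts.get(ev["dev"], set()):
                findings.append((ev["dev"], "new_outbound_destination", host))
        elif kind == "reboot" and ev.get("reason") == "unexpected":
            # Unexpected firewall reboots are one of the signals the article lists.
            findings.append((ev["dev"], "unexpected_reboot", ev["reason"]))
    return findings


if __name__ == "__main__":
    for dev, name, detail in detect(SAMPLE_LOGS):
        print(f"{dev:12} {name:26} {detail}")
```

On the constructed sample the run produces four findings, all dated after the cutoff: the admin login and the unexpected reboot on the firewall, and the new-source login followed by a large transfer to the same address on the Triofox host. In production the baseline window should be long enough to cover normal administrative rotation, and the allow-listed management sources for the Firebox should be fed in explicitly rather than learned only from history.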

Remediation Steps

  1. Prioritize Patching: The primary directive from CISA is to apply the security updates provided by WatchGuard and Gladinet immediately. Given the KEV status, this should be treated as an emergency change.
  2. Review Access Controls: For WatchGuard Firebox appliances, ensure the management interface is not exposed to the internet. For Triofox, review all publicly shared links and user permissions to limit exposure.
  3. Threat Hunting: Assume breach. Proactively hunt for signs of compromise on any systems running the vulnerable software. Look for unusual processes, network connections, or newly created local user accounts on the affected servers.

Timeline of Events

  1. November 12, 2025: CISA adds CVE-2025-9242, CVE-2025-12480, and CVE-2025-62215 to the KEV catalog.
  2. November 13, 2025: This article was published.
  3. December 3, 2025: Deadline for U.S. federal agencies to patch the newly added KEVs.

MITRE ATT&CK Mitigations

  • Applying vendor patches is the most critical step to remediate known exploited vulnerabilities.
  • Restrict access to the management interfaces of network appliances like WatchGuard Firebox from the internet.

D3FEND Defensive Countermeasures

The inclusion of CVE-2025-9242 and CVE-2025-12480 in the CISA KEV catalog means these are not theoretical risks; they are being actively used in attacks. The primary and most urgent countermeasure is to apply the patches provided by WatchGuard and Gladinet. Organizations must treat this as an emergency. Use asset management and vulnerability scanning tools to identify every instance of a WatchGuard Firebox and Gladinet Triofox deployment in your environment. Prioritize patching internet-facing systems immediately, followed by internal systems. This action directly removes the vulnerability and is the only way to fully protect against these specific, known attack vectors.

Given that both WatchGuard Firebox and Gladinet Triofox are often internet-facing, organizations need continuous visibility into their external attack surface. Implement a continuous external vulnerability scanning or Attack Surface Management (ASM) solution. This will automatically discover and test internet-exposed assets for vulnerabilities like CVE-2025-9242 and CVE-2025-12480. An ASM platform can provide rapid alerts on newly discovered, vulnerable systems, enabling security teams to respond before attackers can exploit them. This proactive discovery is essential for organizations that may have unknown or 'shadow IT' deployments of these products.
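The asset-discovery and prioritization steps described under Remediation Steps and in this section can be driven from the KEV feed itself. The following Python example is added here and is not CISA's or a vendor's code: it loads a catalog excerpt in the shape of CISA's public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), matches entries against a constructed asset inventory, and orders the resulting work items internet-facing first, then by BOD 22-01 due date. The CVE identifiers and dates are the ones given in this article; the vendor/product strings in the excerpt are assumptions rather than copies of the live feed, and the inventory is constructed.

```python
"""Matching an asset inventory against the CISA KEV catalog and ordering the work.

Added example for this article; not CISA's or a vendor's code. Record fields
follow CISA's public KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the excerpt and inventory below are constructed. CVE ids and dates are those
given in the article; the vendor/product strings are assumptions, not copies
of the live feed.
"""
import json
from datetime import date
from typing import Any, Dict, List

# Constructed excerpt in the shape of the KEV feed (fetch the real file from the URL above).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-9242", "vendorProject": "WatchGuard", "product": "Firebox",
         "vulnerabilityName": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
         "dateAdded": "2025-11-12", "dueDate": "2025-12-03"},
        {"cveID": "CVE-2025-12480", "vendorProject": "Gladinet", "product": "Triofox",
         "vulnerabilityName": "Gladinet Triofox Improper Access Control Vulnerability",
         "dateAdded": "2025-11-12", "dueDate": "2025-12-03"},
        {"cveID": "CVE-2025-62215", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Kernel Privilege Escalation Vulnerability",
         "dateAdded": "2025-11-12", "dueDate": "2025-12-03"},
    ],
})

# Constructed asset inventory; in practice this comes from a CMDB or scanner export.
ASSETS = [
    {"host": "fw-edge-01", "vendor": "WatchGuard", "product": "Firebox M290", "internet_facing": True},
    {"host": "files-dmz-01", "vendor": "Gladinet", "product": "Triofox", "internet_facing": True},
    {"host": "fw-lab-02", "vendor": "WatchGuard", "product": "Firebox T45", "internet_facing": False},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "internet_facing": False},
]

# Publication date of the article, used as "today" so the run is reproducible.
REPORT_DATE = date(2025, 11, 13)


def load_kev(raw: str) -> List[Dict[str, Any]]:
    """Return the 'vulnerabilities' array of a KEV-shaped JSON document."""
    return json.loads(raw)["vulnerabilities"]


def matches(asset: Dict[str, Any], entry: Dict[str, Any]) -> bool:
    """Case-insensitive vendor and product substring match: a coarse first pass
    that a scanner's version check would refine."""
    return (entry["vendorProject"].lower() in asset["vendor"].lower()
            and entry["product"].lower() in asset["product"].lower())


def prioritize(assets: List[Dict[str, Any]], kev_entries: List[Dict[str, Any]],
               today: date = REPORT_DATE) -> List[Dict[str, Any]]:
    """One work item per (asset, KEV entry) pair, internet-facing first, then by due date."""
    items: List[Dict[str, Any]] = []
    for asset in assets:
        for entry in kev_entries:
            if not matches(asset, entry):
                continue
            due = date.fromisoformat(entry["dueDate"])
            items.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "internet_facing": asset["internet_facing"],
                "due": due,
                "days_left": (due - today).days,
                "overdue": due < today,
            })
    # False sorts before True, so negating internet_facing puts exposed hosts first.
    items.sort(key=lambda it: (not it["internet_facing"], it["due"], it["host"]))
    return items


if __name__ == "__main__":
    for it in prioritize(ASSETS, load_kev(KEV_JSON)):
        exposure = "internet-facing" if it["internet_facing"] else "internal"
        status = "OVERDUE" if it["overdue"] else f"{it['days_left']} days left"
        print(f"{it['host']:14} {it['cve']:15} {exposure:15} due {it['due']} ({status})")
```

Run against the constructed inventory, the two internet-facing hosts (the Triofox server and the edge Firebox) come out ahead of the lab firewall, each with 20 days to the December 3 deadline, and the database host with no KEV match produces no work item. The same loop over the live feed and a real inventory gives the emergency-change list this section calls for.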

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA, KEV, CVE-2025-9242, CVE-2025-12480, WatchGuard, Gladinet, Vulnerability, Active Exploitation
