MEDIUM: Vulnerable ISAKMP Report

DESCRIPTION LAST UPDATED: 2025-10-17

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have a vulnerable IKE service accessible on the Internet.

We added scanning for WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242 which is version based (thank you watchTowr). This is tagged as cve-2025-9242. Tagging was added 2025-10-16. The severity of these events was set to CRITICAL. Patch info from WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015

It also focuses on SoftEther VPN port 4500/UDP instances that can be abused for UDP amplification/reflection attacks.
See: https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-j35p-p8pj-vqxq

Above are tagged softether.

You can track currently vulnerable ISAKMP services on our Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_isakmp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always UDP)
  • port
    Port that the response came from (4500/UDP, 500/UDP etc)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will be isakmp-vulnerable with additional tags for specific issue being reported, like softether
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • initiator_spi
    Initiator's SPI of the IKE_SA
  • responder_spi
    Responder's SPI of the IKE_SA
  • next_payload
    "Is there payload data present?" This will be "11" for "Payload Follows"
  • version
    IKE version, will be "10" (maps to version 1.0)
  • exchange_type
    The IKE Exchange Type: this will be "5" meaning "informational"
  • flags
    ISAKMP flags: this will be "0"
  • message_id
    The Message ID, which is "0"
  • next_payload2
    This is the same thing as the "next_payload" field, but buried in the payload that the original "next_payload" is referring to; it will be "0" for "none"
  • domain_of_interpretation
    This will be "0" for ISAKMP
  • protocol_id
    This will be "0" for "reserved"
  • spi_size
    This will be "0"
  • notify_message_type
    This will be "14" which maps to "no proposal chosen"
  • sector
    Sector of IP in question

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","initiator_spi","responder_spi","next_payload","exchange_type","flags","message_id","next_payload2","domain_of_interpretation","protocol_id","spi_size","notify_message_type","response_size","amplification"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,4500,node01.example.com,vulnerable-isakmp;softether,64512,ZZ,Region,City,0,ptr,,3e35c70729dfedef,02b265747fa634cf,11,05,00,5007574e,00,00,,0,14,,
"2010-02-10 00:00:01",medium,192.168.0.2,udp,500,node02.example.com,vulnerable-isakmp,64512,ZZ,Region,City,0,ptr,,3e35c70729dfedef,b27ac8e14a864a95,11,05,00,00000000,00,00,,16,14,,
"2010-02-10 00:00:02",medium,192.168.0.3,udp,500,node03.example.com,vulnerable-isakmp,64512,ZZ,Region,City,0,ptr,,3e35c70729dfedef,d42ad656da698a20,1,02,00,00000000,0d,00,,0,1,,

Our 139 Report Types

« Back to Network Reporting