MEDIUM: Vulnerable ISAKMP Report

DESCRIPTION LAST UPDATED: 2025-12-21

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have a vulnerable IKE service accessible on the Internet.

We added scanning for WatchGuard Firebox iked Out of Bounds Write Vulnerability CVE-2025-14733. This is a version based scan. Tagged as cve-2025-14733. This vulnerability is exploited in the wild and on the CISA KEV list. Tagging added 2025-12-19. The severity of these events was set to CRITICAL. Please follow the WatchGuard advisory for patch/remediation advice. You can track CVE-2025-14733 on our Dashboard.
We added scanning for WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242 which is version based (thank you watchTowr). This is tagged as cve-2025-9242. Tagging added 2025-10-16. The severity of these events was set to CRITICAL. Patch info from WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
The report also shares SoftEther VPN port 4500/UDP instances that can be abused for UDP amplification/reflection attacks. See: https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-j35p-p8pj-vqxq These are tagged softether.

You can track currently vulnerable ISAKMP services on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_isakmp, scan6_isakmp

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the response came on (always UDP)
port

Port that the response came from (4500/UDP, 500/UDP etc)
hostname

Reverse DNS name of the device in question
tag

Will be isakmp-vulnerable with additional tags for specific issue being reported, like softether or CVE assignments
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
initiator_spi

Initiator's SPI of the IKE_SA
responder_spi

Responder's SPI of the IKE_SA
next_payload

"Is there payload data present?" This will be "11" for "Payload Follows"
version

IKE version, will be "10" (maps to version 1.0)
exchange_type

The IKE Exchange Type: this will be "5" meaning "informational"
flags

ISAKMP flags: this will be "0"
message_id

The Message ID, which is "0"
next_payload2

This is the same thing as the "next_payload" field, but buried in the payload that the original "next_payload" is referring to; it will be "0" for "none"
domain_of_interpretation

This will be "0" for ISAKMP
protocol_id

This will be "0" for "reserved"
spi_size

This will be "0"
notify_message_type

This will be "14" which maps to "no proposal chosen"
sector

Sector of IP in question

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","initiator_spi","responder_spi","next_payload","exchange_type","flags","message_id","next_payload2","domain_of_interpretation","protocol_id","spi_size","notify_message_type","response_size","amplification"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,4500,node01.example.com,vulnerable-isakmp;softether,64512,ZZ,Region,City,0,ptr,,3e35c70729dfedef,02b265747fa634cf,11,05,00,5007574e,00,00,,0,14,,
"2010-02-10 00:00:01",medium,192.168.0.2,udp,500,node02.example.com,vulnerable-isakmp,64512,ZZ,Region,City,0,ptr,,3e35c70729dfedef,b27ac8e14a864a95,11,05,00,00000000,00,00,,16,14,,
"2010-02-10 00:00:02",medium,192.168.0.3,udp,500,node03.example.com,vulnerable-isakmp,64512,ZZ,Region,City,0,ptr,,3e35c70729dfedef,d42ad656da698a20,1,02,00,00000000,0d,00,,0,1,,

Our 140 Report Types

« Back to Network Reporting