📄 WatchGuard IKEv2 Detection Scanner

10 Mar 2026 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

WatchGuard detection scanner probes IKE_SA_INIT on UDP 500 to detect CVE-2022-23176 by validating IKEv2 presence, version, exchange type, and anomalies.

=============================================================================================================================================
    | # Title     : WatchGuard IKE v2 Detection Scanner Metasploit Auxiliary Module                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.watchguard.com/                                                                                                 |
    =============================================================================================================================================
    
    [+] Summary    : This module provides a non-exploit detection scanner for identifying systems potentially vulnerable to CVE-2022-23176, which affects the IKEv2 service in WatchGuard Technologies products.
                     The scanner sends a minimal IKE_SA_INIT probe over UDP (default port 500) and performs behavioral analysis of the response. It verifies:
    
                     - Presence of an IKEv2 service
                     - Correct protocol version byte (0x20)
                     - Expected exchange type (IKE_SA_INIT)
                     - Abnormal response size patterns
                     - Indicators of irregular parsing behavior
    
                     This module does not exploit the vulnerability. It sends a single, non-intrusive probe and is intended for defensive security assessments, exposure mapping, and threat intelligence enrichment.
    
    [+] POC   :  
    
    ##
    # WatchGuard IKEv2 CVE-2022-23176 Scanner
    # Non-exploit detection module
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::Udp
      include Msf::Auxiliary::Scanner
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name'        => 'WatchGuard IKEv2 CVE-2022-23176 Scanner',
            'Description' => %q{
              This module checks for potential vulnerability to CVE-2022-23176
              in WatchGuard Fireware IKEv2 service by analyzing malformed
              IKE_SA_INIT responses.
            },
            'Author'      => [ 'indoushka' ],
            'License'     => MSF_LICENSE,
            'References'  => [
              [ 'CVE', '2022-23176' ]
            ],
            'DisclosureDate' => '2022-02-22'
          )
        )
    
        register_options(
          [
            Opt::RPORT(500),
            OptInt.new('TIMEOUT', [ true, 'UDP receive timeout', 5 ])
          ]
        )
      end
    
      # Fixed 28-byte IKEv2 header (RFC 7296 section 3.1):
      #   SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1)
      #   MessageID(4) Length(4)
      # All multi-byte fields are network byte order, so Message ID and Length
      # are packed with 'N' (big-endian), not native-endian 'I'.
      # Version 0x20 = major 2, minor 0; flags 0x08 = Initiator bit set.
      def ike_header(ispi, rspi, next_payload, exchange, msg_id, flags = 0x08)
        length_placeholder = 0
        [ispi, rspi, next_payload, 0x20, exchange, flags, msg_id, length_placeholder].pack('Q>Q>CCCCNN')
      end
    
      # Minimal IKE_SA_INIT (exchange type 34) request: random SPIi, zero SPIr,
      # no payloads (NextPayload 0), message ID 0. The Length field is written
      # at offset 24 once the datagram size is known.
      def build_probe
        ispi = Rex::Text.rand_text(8).unpack1('Q>')
        msg_id = 0
    
        hdr = ike_header(ispi, 0, 0, 34, msg_id)
        total_length = hdr.length
        hdr[24, 4] = [total_length].pack('N')
        hdr
      end
    
      def run_host(ip)
        print_status("Checking #{ip}:#{rport}")
    
        connect_udp
    
        begin
          probe = build_probe
          udp_sock.put(probe)
    
          # get_once returns nil when nothing arrives within TIMEOUT seconds
          res = udp_sock.get_once(-1, datastore['TIMEOUT'])
    
          if res.nil?
            print_error("#{ip} - No response (service filtered or down)")
            return
          end
    
          # Anything shorter than the fixed header cannot be a valid IKE message
          if res.length < 28
            print_warning("#{ip} - Short IKE response detected")
            return
          end
    
          # Header offsets: byte 17 = Version, byte 18 = Exchange Type
          version = res[17].ord
          exchange = res[18].ord
    
          if version == 0x20 && exchange == 34
            print_good("#{ip} - IKEv2 detected")
    
            analyze_behavior(ip, res)
          else
            print_status("#{ip} - Non-IKEv2 service detected")
          end
    
        rescue ::Rex::ConnectionError
          print_error("#{ip} - Connection failed")
        ensure
          disconnect_udp
        end
      end
    
      # Coarse behavioral checks on the raw datagram. The second branch looks
      # for the single byte 0x29 anywhere in the response; 0x29 (41) is the
      # Notify payload type in RFC 7296 (AUTH is 39 / 0x27), so a hit is only a
      # weak hint, not proof of a given payload.
      def analyze_behavior(ip, response)
        if response.length > 400
          print_warning("#{ip} - Abnormally large IKE response (possible vulnerable parsing)")
        elsif response.include?("\x29")
          print_status("#{ip} - Notify (0x29) payload byte present")
        else
          print_status("#{ip} - Standard IKE behavior")
        end
      end
    end
    
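As an added example (not part of indoushka's module), the response checks above can be made much stricter in plain Ruby: parse the 28-byte header big-endian, confirm the responder echoed our SPIi and set the Response flag, cross-check the Length field against the datagram, and walk the generic payload chain instead of searching for a single byte. The sample response is constructed here (a Notify NO_PROPOSAL_CHOSEN, which is one plausible answer to a payload-less probe); the function names are this example's own.

```ruby
IKE_HDR_LEN   = 28
IKE_SA_INIT   = 34
RESPONSE_FLAG = 0x20   # Flags bit 'R' (RFC 7296 section 3.1)
SA_PAYLOAD    = 33
NOTIFY        = 41     # payload type N
NO_PROPOSAL_CHOSEN = 14

# Pack the 28-byte IKEv2 header; every multi-byte field is big-endian.
def ike_header(ispi, rspi, next_payload, exchange, flags, msg_id, length)
  [ispi, rspi, next_payload, 0x20, exchange, flags, msg_id, length].pack('Q>Q>CCCCNN')
end

def parse_ike_header(data)
  return nil if data.bytesize < IKE_HDR_LEN
  keys = %i[ispi rspi next_payload version exchange flags msg_id length]
  keys.zip(data.unpack('Q>Q>CCCCNN')).to_h
end

# Follow the generic payload chain (next(1) flags(1) length(2)); return the types seen and a status.
def walk_payloads(data, first_type)
  types, off, nxt = [], IKE_HDR_LEN, first_type
  while nxt != 0
    return [types, :truncated] if off + 4 > data.bytesize
    following, _flags, len = data.byteslice(off, 4).unpack('CCn')
    return [types, :bad_length] if len < 4 || off + len > data.bytesize
    types << nxt
    off += len
    nxt = following
  end
  [types, off == data.bytesize ? :ok : :trailing_data]
end

# Classify a datagram received after sending a probe whose SPIi was probe_ispi.
def classify_response(probe_ispi, res)
  h = parse_ike_header(res)
  return :short           if h.nil?
  return :not_ikev2       unless h[:version] == 0x20 && h[:exchange] == IKE_SA_INIT
  return :spi_mismatch    unless h[:ispi] == probe_ispi        # not a reply to our probe
  return :not_a_response  unless (h[:flags] & RESPONSE_FLAG) != 0
  return :length_mismatch unless h[:length] == res.bytesize
  types, status = walk_payloads(res, h[:next_payload])
  return :malformed_chain unless status == :ok
  (types.include?(NOTIFY) && !types.include?(SA_PAYLOAD)) ? :notify_only : :ok
end

# Constructed sample: responder answers with one Notify(NO_PROPOSAL_CHOSEN) payload (8 bytes).
def sample_notify_response(ispi)
  notify = [0, 0, 8, 0, 0, NO_PROPOSAL_CHOSEN].pack('CCnCCn')
  total  = IKE_HDR_LEN + notify.bytesize
  ike_header(ispi, 0x1122334455667788, NOTIFY, IKE_SA_INIT, RESPONSE_FLAG, 0, total) + notify
end
```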
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Vulners AI Score: 7.5 (High risk) | CVSS 3.1: 8.8 | CVSS 2: 9 | EPSS: 0.10169