CISA: Hackers Actively Exploiting WatchGuard Firewall Flaw

Summary

– CISA has warned government agencies to patch an actively exploited vulnerability (CVE-2025-9242) in WatchGuard Firebox firewalls that allows remote code execution.
– The vulnerability affects Fireware OS 11.x, 12.x, and 2025.1, and CISA has given federal agencies three weeks until December 3 to secure their systems.
– WatchGuard released patches on September 17 but only confirmed active exploitation on October 21, while Shadowserver reported over 54,000 vulnerable devices remain globally.
– Although the mandate applies to federal agencies, all organizations are urged to patch immediately as firewalls are attractive targets for threat actors like ransomware gangs.
– CISA also ordered agencies to patch a separate Windows Kernel vulnerability (CVE-2025-62215) that was exploited in zero-day attacks to gain SYSTEM-level access.

A critical security flaw in WatchGuard Firebox firewalls is now under active exploitation, prompting an urgent directive from the U.S. Cybersecurity and Infrastructure Security Agency. Federal agencies have been instructed to apply patches immediately to prevent remote attackers from executing malicious code on vulnerable systems. This vulnerability, identified as CVE-2025-9242, stems from an out-of-bounds write weakness in Fireware OS versions 11.x, 12.x, and 2025.1, posing a severe risk to network security.

CISA has officially listed the flaw in its Known Exploited Vulnerabilities catalog, mandating that Federal Civilian Executive Branch agencies implement mitigations within three weeks. The deadline for compliance is set for December 3, in accordance with Binding Operational Directive 22-01. According to the agency, such vulnerabilities are commonly leveraged by malicious actors and represent a substantial threat to federal operations. Organizations have been advised to follow vendor-provided remediation steps, adhere to BOD 22-01 guidelines for cloud services, or cease using the product if no fixes are available.

Although WatchGuard released security patches on September 17, the company did not confirm active exploitation until October 21. Just one day prior, the Shadowserver Foundation reported observing more than 75,000 vulnerable Firebox appliances globally. Recent statistics indicate this figure has dropped to approximately 54,000, with the majority situated in Europe and North America.

While the CISA directive specifically targets federal bodies, all organizations using WatchGuard firewalls are strongly encouraged to prioritize patching. Firewalls remain a high-value target for cybercriminals, as demonstrated by recent campaigns. For example, the Akira ransomware group has been exploiting CVE-2024-40766, a critical vulnerability in SonicWall firewalls, since September 2024. This is not the first time WatchGuard products have faced such scrutiny; in April 2022, CISA similarly ordered agencies to address another actively exploited bug in Firebox and XTM firewall appliances.

WatchGuard works with more than 17,000 security partners to safeguard networks for over 250,000 small and medium-sized businesses worldwide. In a related development, CISA also issued a separate order this week for federal agencies to patch a Windows Kernel vulnerability, CVE-2025-62215, which was exploited as a zero-day and allows local attackers to escalate privileges to SYSTEM level.

(Source: Bleeping Computer)