WatchGuard Issues Critical Firewall Vulnerability Alert

Summary
– WatchGuard has released security updates to address a critical remote code execution vulnerability (CVE-2025-9242) in its Firebox firewalls.
– The flaw is an out-of-bounds write weakness in the iked process that allows unauthenticated attackers to execute arbitrary code remotely.
– It affects Fireware OS versions 11.x, 12.x, and 2025.1, with fixes available in specific updated releases.
– Devices are vulnerable if configured for IKEv2 VPN, including cases where previous vulnerable configurations were deleted but a static gateway peer BOVPN remains.
– A temporary workaround is available for administrators who cannot patch immediately; although no exploitation has been reported yet, patching is strongly advised because threat actors frequently target firewalls.

WatchGuard has issued an urgent security alert concerning a critical remote code execution vulnerability impacting its Firebox firewalls. The flaw, identified as CVE-2025-9242, stems from an out-of-bounds write weakness in the Fireware OS. This vulnerability enables unauthenticated attackers to remotely execute arbitrary code on affected devices, posing a severe risk to organizational security.
The issue specifically affects firewalls running Fireware OS versions 11.x (now end-of-life), 12.x, and 2025.1. Patches have been released in versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1. It is important to note that devices are only vulnerable if configured to use IKEv2 VPN. However, WatchGuard warns that even if vulnerable configurations have been removed, systems may remain at risk if a branch office VPN to a static gateway peer is still active.
According to the company’s advisory, the vulnerability resides in the iked process and impacts both mobile user VPN with IKEv2 and branch office VPN using IKEv2 when configured with a dynamic gateway peer. Even if these configurations were deleted at a later time, the presence of a static gateway peer setup could leave the firewall exposed.
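To turn the version and exposure conditions above into a repeatable check across a fleet of Fireboxes, here is an added Python triage helper; it is not part of the article or of WatchGuard's own tooling. It assumes that Fireware version strings look like the ones quoted in the advisory (for example 12.5.13, 2025.1, or 12.3.1_Update3 (B722811)), that any later release on a fixed maintenance line also contains the fix, and, as a conservative choice the advisory does not state, that a 12.x line with no listed fix should be moved to 12.11.4. The ikev2_vpn_configured flag and the inventory records are constructed sample inputs.

```python
import re
from typing import Optional

# Fixed releases per maintenance line, as listed in the advisory summary above.
# 11.x is end-of-life and receives no fix.
FIXED_RELEASES = {
    (12, 3): "12.3.1_Update3",
    (12, 5): "12.5.13",
    (12, 11): "12.11.4",
    (2025, 1): "2025.1.1",
}
# Assumption (not from the advisory): a 12.x line with no listed fix is
# treated as unpatched and pointed at the newest fixed 12.x release.
FALLBACK_12X = "12.11.4"

# Accepts "12.5.13", "2025.1", "12.3.1_Update3" and "12.3.1_Update3 (B722811)".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?(?:\s*\(B\d+\))?$"
)


def parse_version(text: str) -> tuple:
    """Turn a Fireware version string into a comparable tuple.
    '12.3.1_Update3 (B722811)' -> (12, 3, 1, 3); a missing patch or Update
    component counts as 0 and the build id in parentheses is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def fixed_release_for(version: tuple) -> Optional[str]:
    """Return the fixed release for the line this version belongs to, or None
    when the line is not one the advisory names (11.x has no fix at all)."""
    major, minor = version[0], version[1]
    if (major, minor) in FIXED_RELEASES:
        return FIXED_RELEASES[(major, minor)]
    if major == 12:
        return FALLBACK_12X
    return None


def assess(version_text: str, ikev2_vpn_configured: bool) -> dict:
    """Classify one firewall.

    ikev2_vpn_configured must be True if the device has, or has ever had, an
    IKEv2 mobile user VPN or an IKEv2 BOVPN, because the advisory says a
    static gateway peer BOVPN left behind after deleting the dynamic-peer
    configuration still leaves the firewall exposed.
    """
    version = parse_version(version_text)
    if version[0] == 11:
        return {"status": "end-of-life",
                "action": "upgrade to a supported branch and apply its fix"}
    fix = fixed_release_for(version)
    if fix is None:
        return {"status": "unknown-branch",
                "action": "not a branch named in the advisory; check with the vendor"}
    if version >= parse_version(fix):
        return {"status": "patched", "action": "none"}
    if not ikev2_vpn_configured:
        return {"status": "not-exposed",
                "action": f"not using IKEv2 VPN; schedule upgrade to {fix}"}
    return {"status": "vulnerable",
            "action": f"upgrade to {fix} now, or apply the temporary workaround"}


def triage(inventory: list) -> list:
    """Run assess() over (hostname, version, ikev2 flag) records and return the
    rows with vulnerable and end-of-life devices first (sort is stable)."""
    rows = [dict(host=h, version=v, **assess(v, ikev2)) for h, v, ikev2 in inventory]
    order = {"vulnerable": 0, "end-of-life": 1, "unknown-branch": 2,
             "not-exposed": 3, "patched": 4}
    return sorted(rows, key=lambda r: order[r["status"]])


# Constructed sample inventory; hostnames, versions, build id and flags are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "12.5.12", True),
    ("fw-branch-02", "12.5.13", True),
    ("fw-legacy-03", "12.3.1_Update2 (B700000)", True),
    ("fw-hq-04", "2025.1", True),
    ("fw-lab-05", "12.11.3", False),
    ("fw-old-06", "11.12.4", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['version']:<26} {row['status']:<14} {row['action']}")
```

Feed it the version strings from your own asset inventory; the only judgement call left to the operator is the exposure flag, which should be answered from VPN configuration history rather than the current configuration, for the reason the advisory gives.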
A wide range of WatchGuard models are affected, including T-series, M-series, Firebox Cloud, Firebox NV5, and FireboxV devices running the vulnerable Fireware OS branches. Administrators unable to apply patches immediately can implement a temporary workaround. This involves disabling dynamic peer BOVPNs, adding new firewall policies, and turning off default system policies that manage VPN traffic. Detailed instructions are available through WatchGuard’s support documentation.
Although there are no current reports of active exploitation, administrators are strongly urged to apply updates without delay. Firewalls are often targeted by threat actors due to their critical role in network defense. For example, the Akira ransomware group has been leveraging CVE-2024-40766, a year-old SonicWall vulnerability, in recent attacks. In April 2022, CISA also mandated federal agencies to patch a different WatchGuard firewall flaw that was under active exploitation at the time.
WatchGuard provides security solutions to more than 250,000 small and mid-sized businesses globally through a network of over 17,000 resellers and service providers. Taking prompt action to mitigate this vulnerability is essential for maintaining network integrity and preventing potential breaches.
(Source: Bleeping Computer)
