Worrying WatchGuard VPN bug could let hackers hijack your devices - here's how to stay safe

News
By published

A WatchGuard VPN patch is already available

Best free Linux firewalls
Image credit: Pixabay (Image credit: Pixabay)
  • CVE-2025-9242 allows unauthenticated remote code execution on WatchGuard Fireware devices
  • Vulnerability affects VPN configurations using IKEv2 with dynamic gateway peers
  • Businesses should patch affected versions and restrict internet access to essential devices only

WatchGuard Fireware, the operating system powering much of WatchGuard’s software, carried a critical severity vulnerability that allowed threat actors to execute arbitrary code remotely and essentially take over compromised devices, the company has warned.

The vulnerability is tracked as CVE-2025-9242, and was given a severity score of 9.3/10 (critical). It is described as an out-of-bounds write vulnerability that allows unauthenticated entities to execute arbitrary code.

"This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” WatchGuard explained in a recent security advisory.

Music to ransomware gangs' ears

Versions 11.10.2 to 11.12.4_Update 1 were said to be affected, as well as versions 12.0 - 12.11.3 and 2025.1. FireGuard released patches, addressing the flaw in these versions:

2025.1 - Fixed in 2025.1.1
12.x - Fixed in 12.11.4
12.3.1 (FIPS-certified release) - Fixed in 12.3.1_Update3 (B722811)
12.5.x (T15 & T35 models) - Fixed in 12.5.13)
11.x - Reached end-of-life

In their analysis of the flaw, security researchers watchTowr described it as having “all the characteristics your friendly neighborhood ransomware gangs love to see” - it was found in an internet-connected device, can be exploited without authentication, and allows for remote malicious code execution.

Ransomware operators love targeting firewalls and routers since these serve as gateways for most internet traffic on a network.

They also focus on file servers and domain controllers, since encrypting them disrupts many users, as well as remote-access services like RDP, VPN gateways and exposed management ports of firewalls, backups, cloud storage and accounts, and network-attached storage (NAS).

To remain secure, businesses should limit internet access to only essential devices, keeping all others on the local network. They should also make sure all the software and hardware is updated, and that their employees are aware of the latest phishing and social engineering techniques.

Via The Hacker News

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.