WatchGuard warns users Firebox firewalls may have a critical issue - here's what we know
A critical flaw was found in a popular WatchGuard firewall

- WatchGuard patched a critical VPN vulnerability allowing remote code execution on Firebox firewalls
- CVE-2025-9242 affects dynamic gateway peer configurations, even after removal in some cases
- No exploitation seen yet, but delayed patching leaves systems exposed to future targeted attacks
WatchGuard has fixed a critical-severity vulnerability affecting its Firebox firewalls and is urging users to apply the newly released patch without hesitation.
In a security advisory, the company said it addressed an out-of-bounds write vulnerability in the iked process of WatchGuard Fireware OS (the daemon that handles IKE negotiation for IPsec VPN tunnels), which “may allow a remote unauthenticated attacker to execute arbitrary code”.
The vulnerability was said to affect both the mobile user VPN with IKEv2, and the branch office VPN using IKEv2, when configured with a dynamic gateway peer. Furthermore, if the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both configurations were subsequently removed, the Firebox may still be vulnerable “if a branch office VPN to a static gateway peer is still configured”.
Workaround
The vulnerability is now tracked as CVE-2025-9242 and was given a CVSS score of 9.2 out of 10 (critical). It affects firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1. The first fixed releases are 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1; 11.x is not among them, so devices still on that branch need to move to a supported release to get the fix.
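As an added example (not WatchGuard's own code or tooling), the following Python helper triages a constructed Firebox inventory against the fixed versions listed above. It assumes that each device's version belongs to one of the release lines the advisory names (12.3.1, 12.5.x, any other 12.x, or 2025.1), that every release below the fixed version on its line is still vulnerable, and that 11.x has no fix; the hostnames and versions in the sample inventory are made up for the example.

```python
"""Triage Fireware OS versions against the CVE-2025-9242 fixed releases.

Added example, not WatchGuard code. The fixed versions are the ones quoted in
the article; the mapping from a device version to a release line, and the rule
that anything below the fixed version on that line is vulnerable, are this
example's assumptions.
"""
import re

# First fixed release on each line, as quoted from the advisory. The keys
# (which line a given version belongs to) are this example's assumption.
FIXED_BY_BRANCH = {
    "12.3.1": ((12, 3, 1), 3),      # 12.3.1 Update3 (build B722811)
    "12.5":   ((12, 5, 13), 0),
    "12":     ((12, 11, 4), 0),     # any other 12.x release line
    "2025.1": ((2025, 1, 1), 0),
}

VERSION_RE = re.compile(
    r"^(?P<base>\d+(?:\.\d+){0,2})"        # e.g. 12.5.12 or 2025.1
    r"(?:[_ ]?Update\s*(?P<update>\d+))?"  # optional "_Update3"
    r"(?:\s*\(B\d+\))?$",                  # optional build tag "(B722811)"
    re.IGNORECASE,
)


def parse_version(text):
    """Return ((major, minor, patch), update) for a Fireware version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    parts = [int(p) for p in m.group("base").split(".")]
    parts += [0] * (3 - len(parts))        # "2025.1" -> (2025, 1, 0)
    update = int(m.group("update") or 0)
    return tuple(parts), update


def branch_of(base):
    """Pick the release line a version belongs to (assumed mapping)."""
    major, minor, patch = base
    if major == 12 and (minor, patch) == (3, 1):
        return "12.3.1"
    if major == 12 and minor == 5:
        return "12.5"
    if major == 12:
        return "12"
    if major == 2025 and minor == 1:
        return "2025.1"
    return None


def assess(text):
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for one version string."""
    base, update = parse_version(text)
    if base[0] == 11:
        return "eol"          # 11.x is end of life: no fixed release, must upgrade
    branch = branch_of(base)
    if branch is None:
        return "unknown"      # release line not named in the advisory
    fixed_base, fixed_update = FIXED_BY_BRANCH[branch]
    return "fixed" if (base, update) >= (fixed_base, fixed_update) else "vulnerable"


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fw-hq-01": "12.11.3",
    "fw-branch-02": "12.5.12",
    "fw-fips-03": "12.3.1_Update3 (B722811)",
    "fw-lab-04": "2025.1",
    "fw-legacy-05": "11.12.4",
}


def triage(inventory):
    """Map hostname -> status for an inventory of {hostname: version}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status}")
```

A status of "fixed" only means the device runs a release that carries the patch; whether a device still had a dynamic-peer IKEv2 configuration at some point, and so whether the workaround below also applies, has to be checked against its configuration history, which this script does not see.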
Those who are unable to apply the fix immediately can deploy WatchGuard's workaround, which involves disabling dynamic-peer branch office VPNs (BOVPNs), adding new firewall policies for VPN traffic, and disabling the default system policies that handle that traffic. The workaround reduces exposure of the vulnerable code path but does not remove the flaw, so the update should still be scheduled.
So far, there has been no evidence of abuse in the wild.
However, many criminals only start hunting for vulnerabilities after a patch is released, knowing that organizations rarely patch on time and often keep their systems exposed for longer periods of time.
For example, in early 2025, threat actors exploited a Fortinet FortiGate vulnerability, tracked as CVE-2022-42475, more than a year after its disclosure.
Despite available patches, many devices remained exposed, and attackers used symbolic links to maintain stealthy access and extract credentials and configuration data.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.