Critical WatchGuard Vulnerability Allows Unauthenticated Attacker to Execute Arbitrary Code


A critical vulnerability has been discovered in WatchGuard’s Firebox firewalls, which could allow a remote, unauthenticated attacker to execute arbitrary code on affected devices.

The flaw, tracked as CVE-2025-9242, has been assigned a critical severity rating with a CVSS score of 9.3 out of 10. WatchGuard disclosed the issue in an advisory, WGSA-2025-00015, released on September 17, 2025, and has already provided patches to resolve the vulnerability.

The vulnerability is an out-of-bounds write issue within the iked process of WatchGuard’s Fireware OS. This process is responsible for handling Internet Key Exchange (IKE), a protocol used to set up secure VPN connections.


An attacker can exploit this flaw without any authentication by sending specially crafted data to a vulnerable device.

Successful exploitation allows the threat actor to execute arbitrary code, potentially leading to a complete compromise of the firewall, allowing them to intercept network traffic, pivot to internal networks, or disrupt security operations.

The critical nature of this flaw is reflected in its high CVSS 4.0 score, which indicates a high impact on confidentiality, integrity, and availability.

Affected Configurations and Versions

The vulnerability specifically affects Firebox devices running certain versions of Fireware OS when configured with specific VPN setups. The primary affected configurations are the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 with a dynamic gateway peer.

The advisory also warns of a specific edge case: a Firebox may remain vulnerable if it was previously configured with one of these vulnerable VPN types, even if those configurations have since been deleted, as long as a branch office VPN to a static gateway peer is still active.

The affected Fireware OS versions include 11.10.2 up to 11.12.4_Update1, versions 12.0 up to 12.11.3, and the recent 2025.1 release.

WatchGuard has released patched versions of Fireware OS to address CVE-2025-9242. Administrators are strongly urged to upgrade their devices to the appropriate resolved version as soon as possible.

The recommended versions are 2025.1.1, 12.11.4, 12.5.13 (for T15 & T35 models), and 12.3.1_Update3 for the FIPS-certified release. For organizations that cannot immediately apply the updates, a temporary workaround is available.

This involves implementing WatchGuard’s security best practices for securing branch office VPNs that use IPSec and IKEv2, specifically when configured with static gateway peers. However, applying the official patches is the most effective way to fully mitigate the risk posed by this critical vulnerability.
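A triage helper for the version data above, added here as an example and not taken from WatchGuard's advisory or tooling: it flags Fireware OS versions inside the affected ranges, treats the branch fixes (12.5.13, 12.3.1_Update3) as patched even though they fall numerically inside 12.0 to 12.11.3, and maps each affected device to the fixed release the advisory names. The version-string format (`12.3.1_Update3` as 12.3.1 plus update 3), the `model`/`fips` hints and the sample inventory are assumptions.

```python
"""Flag Fireware OS versions affected by CVE-2025-9242 and pick the fixed release.
Ranges and fixed versions are taken from the advisory summary; the parsing rules
for version strings are an assumption."""
import re

# Affected ranges (inclusive) as listed in the article.
AFFECTED_RANGES = [("11.10.2", "11.12.4_Update1"), ("12.0", "12.11.3"), ("2025.1", "2025.1")]
# Fixed releases and the branch (version-tuple prefix) each one patches.
# 12.5.13 is for T15/T35 only; 12.3.1_Update3 is the FIPS-certified release.
BRANCH_FIXES = [((12, 5), "12.5.13"), ((12, 3, 1), "12.3.1_Update3"),
                ((12,), "12.11.4"), ((2025,), "2025.1.1")]

def parse_version(v):
    """'12.3.1_Update3' -> (12, 3, 1, 3); '12.0' -> (12, 0, 0, 0). Assumed format."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad to major.minor.patch
    return tuple(parts) + (int(m.group(2) or 0),)

def is_affected(version):
    p = parse_version(version)
    # A maintenance release at or above its branch fix is patched even though it
    # sits numerically inside the 12.0 .. 12.11.3 range (e.g. 12.5.13).
    for branch, fix in BRANCH_FIXES:
        if p[:len(branch)] == branch and p >= parse_version(fix):
            return False
    return any(parse_version(lo) <= p <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def recommended_fix(version, fips=False, model=None):
    """Fixed release for an affected device, or None (not affected, or 11.x,
    for which the article lists no fixed 11.x build)."""
    if not is_affected(version):
        return None
    major = parse_version(version)[0]
    if fips:                       # assumption: FIPS devices track the 12.3.1 line
        return "12.3.1_Update3"
    if model in ("T15", "T35"):    # assumption: model hint selects the 12.5 fix
        return "12.5.13"
    return {12: "12.11.4", 2025: "2025.1.1"}.get(major)

def triage(inventory):
    """inventory rows: (hostname, version, model, fips). Returns devices needing action."""
    return [(h, v, recommended_fix(v, fips=f, model=m)) for h, v, m, f in inventory if is_affected(v)]

if __name__ == "__main__":   # constructed sample inventory
    for row in triage([("fw-edge-1", "12.11.3", "M290", False), ("fw-t15", "12.5.12", "T15", False),
                       ("fw-fips", "12.3.1_Update3", "M390", True), ("fw-new", "2025.1", "M590", False)]):
        print(row)
```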
