WatchGuard released an advisory detailing a critical vulnerability in its Firebox line of network security appliances.
Tracked as CVE-2025-9242, the flaw resides in the iked component of WatchGuard’s Fireware OS.
An out-of-bounds write in the IKEv2 handling routine can allow a remote, unauthenticated attacker to execute arbitrary code on affected devices.
Overview of the Vulnerability
This vulnerability affects a broad range of Fireware OS versions, including 11.10.2 through 11.12.4_Update1, the entire 12.0 series up to 12.11.3, and the 2025.1 release.
Both mobile user VPN (IKEv2) and branch office VPN (IKEv2) configurations are potentially vulnerable if dynamic gateway peers have been in use at any point.
Even if those configurations have since been deleted, a still-active static gateway VPN tunnel can keep the device exposed.
Due to the widespread use of Firebox appliances in enterprise and small business environments, the potential impact is significant. WatchGuard rates the flaw as Critical, with a CVSS 4.0 base score of 9.3.
The CVSS vector indicates a network attack vector, low attack complexity, no privileges required and no user interaction, which makes exploitation straightforward for an attacker who can reach the device’s WAN interface.
WatchGuard has issued firmware updates to resolve the vulnerability. Administrators should upgrade to version 2025.1.1, 12.11.4, 12.5.13, 12.3.1_Update3, or later, depending on their Firebox model. The following table summarizes the key advisory details for quick reference:
| CVE | Impact | CVSS Score |
| --- | --- | --- |
| CVE-2025-9242 | Critical | 9.3 |
Administrators can verify their Fireware OS version from the Firebox System Manager or the WatchGuard Cloud interface.
If the device reports a version within the affected ranges, an immediate firmware upgrade is advised. Full upgrade paths and downloads are available on WatchGuard’s customer support portal.
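To make that version check concrete, here is an added example (not WatchGuard's code) that classifies a reported Fireware OS version against the affected and fixed releases quoted in the advisory. The inventory format and hostnames are constructed for the example; the branch-to-fix mapping (12.11 to 12.11.4, 12.5 to 12.5.13, 12.3 to 12.3.1_Update3, 2025.1 to 2025.1.1) is an assumption drawn from the version list above, and the model-specific upgrade path should still be confirmed on the support portal.

```python
# Added example (not WatchGuard's code): classify reported Fireware OS versions
# against the affected and fixed releases quoted in the advisory.
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int  # numeric "_UpdateN" suffix, 0 when the string has none


def parse_version(text: str) -> Version:
    """Parse Fireware-style strings such as '12.11.3', '12.3.1_Update3' or '2025.1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return Version(int(major), int(minor), int(patch or 0), int(update or 0))


def format_version(v: Version) -> str:
    base = f"{v.major}.{v.minor}.{v.patch}"
    return f"{base}_Update{v.update}" if v.update else base


# Fixed releases named in the advisory, keyed by release branch (major, minor).
# Each branch is compared only against its own fix: 12.5.13 and 12.3.1_Update3
# are numerically below the affected 12.11.3 yet are patched builds.
FIXED_BY_BRANCH = {
    (2025, 1): parse_version("2025.1.1"),
    (12, 11): parse_version("12.11.4"),
    (12, 5): parse_version("12.5.13"),
    (12, 3): parse_version("12.3.1_Update3"),
}

# Affected ranges quoted in the advisory.
AFFECTED_11_LOW = parse_version("11.10.2")
AFFECTED_11_HIGH = parse_version("11.12.4_Update1")
AFFECTED_12_HIGH = parse_version("12.11.3")

VULNERABLE, FIXED, NOT_LISTED = "vulnerable", "fixed", "not listed as affected"


def assess(text: str) -> dict:
    """Return the advisory status of one reported version and the upgrade target, if any."""
    v = parse_version(text)
    branch = (v.major, v.minor)
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if v >= fixed:  # NamedTuple compares field by field
            return {"version": text, "status": FIXED, "upgrade_to": None}
        return {"version": text, "status": VULNERABLE, "upgrade_to": format_version(fixed)}
    if v.major == 12 and v <= AFFECTED_12_HIGH:
        # Other 12.x branches have no fix of their own; the advisory's general
        # 12.x target is 12.11.4 (model-dependent, so confirm on the vendor portal).
        return {"version": text, "status": VULNERABLE, "upgrade_to": "12.11.4"}
    if v.major == 11 and AFFECTED_11_LOW <= v <= AFFECTED_11_HIGH:
        # No fixed 11.x release is listed; these devices must move to a fixed branch.
        return {"version": text, "status": VULNERABLE,
                "upgrade_to": "a fixed release listed for the model"}
    return {"version": text, "status": NOT_LISTED, "upgrade_to": None}


def devices_needing_upgrade(inventory_lines):
    """Filter 'hostname,version' records down to the devices that are still vulnerable."""
    results = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        verdict = assess(version)
        if verdict["status"] == VULNERABLE:
            results.append((host, version, verdict["upgrade_to"]))
    return results


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """
# hostname,fireware_version
fw-hq-01,12.11.3
fw-hq-02,12.11.4
fw-branch-03,12.5.12
fw-branch-04,12.3.1_Update3
fw-lab-05,11.12.4_Update1
fw-new-06,2025.1
""".splitlines()

if __name__ == "__main__":
    for host, version, target in devices_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {version} is vulnerable to CVE-2025-9242, upgrade to {target}")
```

Comparing branch by branch is the point of the example: a plain numeric comparison against 12.11.3 would wrongly flag 12.5.13 and 12.3.1_Update3 as vulnerable, and would miss that 12.11.0 through 12.11.3 still need 12.11.4.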
Workarounds and Mitigations
For environments where an immediate upgrade is not feasible, WatchGuard recommends applying a temporary workaround by securing access to branch office VPN tunnels.
The vendor’s knowledge base article on “Secure Access to Branch Office VPNs that Use IPSec and IKEv2” outlines steps to limit exposure until devices can be updated.
Network segmentation and firewall rules can also reduce risk. Administrators should restrict incoming IKEv2 traffic to known peer IP addresses and apply access control lists that limit exposure of the VPN port on the public interface.
WatchGuard credits researcher “btaol” for responsibly disclosing this issue. The affected product list includes:
- Firebox T15, T35 running Fireware OS 12.5.x
- Firebox T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV on Fireware OS 12.x
- Firebox T115-W, T125, T125-W, T145, T145-W, T185 on Fireware OS 2025.1.x
By following the recommended updates and network hardening steps, organizations can ensure their WatchGuard deployments remain protected against this critical vulnerability.