The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting WatchGuard Firebox firewalls to its Known Exploited Vulnerabilities (KEV) catalog, warning of active exploitation in the wild.
The flaw, tracked as CVE-2025-9242, poses severe risks to organizations relying on these devices for network security.
The Vulnerability
WatchGuard Firebox firewalls contain an out-of-bounds write vulnerability in the OS iked process that allows remote, unauthenticated attackers to execute arbitrary code.
This vulnerability, classified under CWE-787 (Out-of-bounds Write), represents a critical security flaw that can be exploited without requiring authentication or user interaction.
The out-of-bounds write condition enables attackers to write data beyond intended memory boundaries, potentially corrupting critical processes and granting them complete control of the affected firewall.
Given firewalls’ strategic position in network architecture, this vulnerability could allow attackers to pivot deeper into organizational networks, access sensitive data, or disrupt critical operations.
CISA added this vulnerability to its KEV catalog on November 12, 2025, indicating confirmed exploitation by threat actors.
The agency has set a deadline of December 3, 2025 —just three weeks after the initial warning — for organizations to address the flaw. This aggressive timeline reflects the severity of the threat and active exploitation in the threat landscape.
Recommended Actions
CISA has provided clear guidance for affected organizations. The primary recommendation is to apply the mitigations per WatchGuard’s vendor instructions immediately.
Organizations should prioritize patching Firebox devices as soon as updates become available.
For cloud-based services utilizing WatchGuard Firebox devices, organizations must follow the requirements outlined in BOD 22-01, which mandates specific cybersecurity practices for federal information systems.
For organizations unable to deploy patches or workarounds, CISA recommends discontinuing use of the affected products until mitigations are available.
The active exploitation of this vulnerability underscores a concerning trend: remote code execution flaws in critical network infrastructure remain attractive targets for threat actors.
While ransomware campaigns using this specific vulnerability have not been confirmed, organizations should not assume their systems are safe.
Sophisticated threat actors often keep exploitation techniques private to maximize their advantage before public disclosure.
Organizations operating WatchGuard Firebox firewalls should immediately take the following actions: identify all affected devices within their network, check WatchGuard’s advisory pages for available patches and temporary mitigations, and develop an expedited patching schedule to meet CISA’s December 3 deadline.
Network administrators should also review firewall logs for suspicious activity and implement additional monitoring for signs of compromise.
Given the critical nature of firewalls in network defense, prioritizing remediation of CVE-2025-9242 is essential to preventing potential breaches and maintaining organizational security posture.
The active exploitation threat combined with CISA’s warning makes immediate action non-negotiable for security-conscious organizations.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and set GBH as a Preferred Source in Google.