The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned government agencies to patch an actively exploited vulnerability impacting WatchGuard Firebox firewalls.
Remote attackers can use this critical security flaw (CVE-2025-9242) to execute malicious code on vulnerable devices by exploiting an out-of-bounds write weakness in firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until December 3, to secure their systems against ongoing attacks as mandated by the Binding Operational Directive (BOD) 22-01.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency said.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
While WatchGuard released security patches to address the vulnerability on September 17, the company only tagged it as exploited in attacks almost one month later, on October 21.
One day earlier, on October 20, Internet watchdog Shadowserver revealed that it was tracking over 75,000 vulnerable Firebox appliances worldwide. According to Shadowserver’s latest statistics, this number has fallen to just over 54,000, most of them located in Europe and North America.

Although CISA’s order only applies to federal agencies, all organizations are advised to prioritize patching this vulnerability as soon as possible since firewalls are an attractive target for threat actors.
For instance, the Akira ransomware gang has been actively exploiting CVE-2024-40766, a year-old critical-severity vulnerability, to hack into SonicWall firewalls since September 2024.
Two years ago, in April 2022, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered federal civilian agencies to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.
WatchGuard collaborates with over 17,000 security resellers and service providers to protect the networks of more than 250,000 small and mid-sized companies worldwide.
On Wednesday, CISA also ordered federal agencies to patch a Windows Kernel vulnerability (CVE-2025-62215) that was exploited in zero-day attacks and allows a local attacker with low-level privileges to gain SYSTEM-level access.
