WatchGuard has released security updates to address a remote code execution vulnerability impacting the company’s Firebox firewalls.
Tracked as CVE-2025-9242, this critical security flaw is caused by an out-of-bounds write weakness that can allow attackers to execute malicious code remotely on vulnerable devices following successful exploitation.
CVE-2025-9242 affects firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1, and was fixed in versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1.
While Firebox firewalls are only vulnerable to attacks if they are configured to use IKEv2 VPN, WatchGuard added that they may still be at risk of compromise, even if the vulnerable configurations have been deleted, if a branch office VPN to a static gateway peer is still configured.
“An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” the company warned in a Wednesday advisory.
“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”
| Product branch | Vulnerable firewalls |
|---|---|
| Fireware OS 12.5.x | T15, T35 |
| Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
| Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |
WatchGuard also provides a temporary workaround for administrators who can’t immediately patch devices running vulnerable software configured with Branch Office VPN (BOVPN) tunnels to static gateway peers.
This requires them to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic, as outlined in this support document, which provides detailed instructions on how to secure access to BOVPNs that use IPSec and IKEv2.
While this critical vulnerability is not yet being exploited in the wild, admins are still advised to patch their WatchGuard Firebox devices, as threat actors consider firewalls an attractive target. For instance, the Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity vulnerability, to compromise SonicWall firewalls.
Two years ago, in April 2022, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered federal civilian agencies to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.
WatchGuard collaborates with over 17,000 security resellers and service providers to protect the networks of more than 250,000 small and mid-sized companies worldwide,
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.