- WatchGuard patched a critical VPN vulnerability allowing remote code execution on Firebox firewalls
- CVE-2025-9242 affects dynamic gateway peer configurations, even after removal in some cases
- No exploitation seen yet, but delayed patching leaves systems exposed to future targeted attacks
WatchGuard has fixed a critical-severity vulnerability affecting its Firebox firewalls and is urging users to apply the newly released patch without hesitation.
In a security advisory, the company said it addressed an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process, which “may allow a remote unauthenticated attacker to execute arbitrary code”.
The vulnerability was said to affect both the mobile user VPN with IKEv2, and the branch office VPN using IKEv2, when configured with a dynamic gateway peer. Furthermore, if the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both configurations were subsequently removed, the Firebox may still be vulnerable “if a branch office VPN to a static gateway peer is still configured”.
Workaround
The vulnerability is now tracked as CVE-2025-9242, and was given a severity score of 9.2/10 (critical). It affects firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1. The first clean version is 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1.
Those who are unable to apply the fix immediately can deploy a workaround that includes disabling dynamic peer BOVPNs, adding new firewall policies, and disabling the default system policies that handle VPN traffic.
So far, there has been no evidence of abuse in the wild.
However, many criminals only start hunting for vulnerabilities after a patch is released, knowing that organizations rarely patch on time and often keep their systems exposed for longer periods of time.
For example, in early 2025, threat actors exploited a Fortinet FortiGate vulnerability, tracked as CVE-2022-42475, more than a year after its disclosure.
Despite available patches, many devices remained exposed, while attackers used symbolic links to maintain stealthy access, extract credentials, and configuration data.
Via BleepingComputer
