Sunday, October 5, 2025

WatchGuard warns of critical vulnerability in Firebox firewalls


WatchGuard has released security updates to address a remote code execution vulnerability impacting the company's Firebox firewalls.

Tracked as CVE-2025-9242, this critical security flaw is caused by an out-of-bounds write weakness that can allow attackers to execute malicious code remotely on vulnerable devices following successful exploitation.

CVE-2025-9242 affects firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1, and was fixed in versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1.

While Firebox firewalls are only vulnerable to attacks if they're configured to use IKEv2 VPN, WatchGuard added that they might still be at risk of compromise, even if the vulnerable configurations have been deleted, if a branch office VPN to a static gateway peer is still configured.

“An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” the company warned in a Wednesday advisory.

“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”





| Product branch | Vulnerable firewalls |
| --- | --- |
| Fireware OS 12.5.x | T15, T35 |
| Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
| Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |
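
The fixed versions and exposure conditions above can be turned into an inventory triage. This is an added example, not code from WatchGuard or from the article; the device field names, the sample inventory and the reading of `_UpdateN` as a fourth version field are assumptions.

```python
import re

# Fixed releases named in the article, as (major, minor, patch, update) tuples.
FIXED_12_3_1 = (12, 3, 1, 3)   # 12.3.1_Update3
FIXED_12_5 = (12, 5, 13, 0)    # branch the article lists for T15 and T35
FIXED_12 = (12, 11, 4, 0)
FIXED_2025 = (2025, 1, 1, 0)

def parse_version(text):
    """'12.3.1_Update3' -> (12, 3, 1, 3); missing fields count as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_patched(model, version):
    v = parse_version(version)
    if v[0] == 11:
        return False             # 11.x is end of life; the article lists no fix
    if v[0] == 2025:
        return v >= FIXED_2025
    if v[:3] == (12, 3, 1):
        return v >= FIXED_12_3_1
    if model.upper() in ("T15", "T35"):
        return v >= FIXED_12_5
    return v >= FIXED_12         # everything else is held to the 12.x fix

def triage(dev):
    """Classify one device dict using the exposure conditions quoted in the article."""
    if is_patched(dev["model"], dev["version"]):
        return "patched"
    if dev.get("mobile_ikev2") or dev.get("bovpn_ikev2_dynamic"):
        return "exposed"
    # Residual case: the IKEv2 configs were deleted, a static-peer BOVPN remains.
    if dev.get("had_ikev2_before") and dev.get("bovpn_static"):
        return "possibly-exposed"
    return "unpatched-no-ikev2"

INVENTORY = [  # constructed sample inventory; the field names are assumptions
    {"name": "hq", "model": "M470", "version": "12.11.3", "mobile_ikev2": True},
    {"name": "lab", "model": "T35", "version": "12.5.13", "mobile_ikev2": True},
    {"name": "branch", "model": "T45", "version": "12.10.4", "had_ikev2_before": True, "bovpn_static": True},
    {"name": "dc", "model": "M570", "version": "12.3.1_Update2", "bovpn_ikev2_dynamic": True},
]

def report(inventory=INVENTORY):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    print(report())
```

Devices reported as `possibly-exposed` are the ones the advisory's second paragraph describes: no IKEv2 configuration is visible any more, yet the static-peer BOVPN keeps them in scope for patching.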

WatchGuard also provides a temporary workaround for administrators who can't immediately patch devices running vulnerable software configured with Branch Office VPN (BOVPN) tunnels to static gateway peers.

This requires them to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic, as outlined in this support document, which provides detailed instructions on secure access to BOVPNs that use IPSec and IKEv2.

While this critical vulnerability is not yet being exploited in the wild, admins are still advised to patch their WatchGuard Firebox devices, as threat actors consider firewalls an attractive target. For instance, the Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity vulnerability, to compromise SonicWall firewalls.

Two years ago, in April 2022, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered federal civilian agencies to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.

WatchGuard collaborates with over 17,000 security resellers and service providers to protect the networks of more than 250,000 small and mid-sized companies worldwide.
