WatchGuard has issued urgent security updates to address a critical vulnerability, CVE-2025-9242, affecting its Firebox firewalls. This high-severity flaw could allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable devices, potentially leading to complete system compromise. Given the severity and potential impact, organizations using WatchGuard Firebox firewalls are strongly advised to apply the necessary updates immediately.
Vulnerability Details
The vulnerability is an out-of-bounds write issue within the iked process of WatchGuard’s Fireware OS. The iked The process is responsible for handling the Internet Key Exchange (IKE) protocol, which is used to establish secure VPN connections. An out-of-bounds write occurs when a program attempts to write data beyond the allocated memory buffer, potentially overwriting adjacent memory regions and causing unpredictable behavior or code execution. This can happen when the software improperly handles certain inputs during IKE processing.
In this case, a remote, unauthenticated attacker can exploit this flaw by sending specially crafted data to a vulnerable device. Successful exploitation allows the attacker to execute arbitrary code, potentially gaining full control of the firewall. This could enable them to intercept network traffic, pivot to internal networks, or disrupt security operations.
The vulnerability has been assigned a CVSS score of 9.3 out of 10, reflecting its critical severity.
Impact & Exploit Potential
The impact of this vulnerability is severe. A successful exploit could allow an attacker to:
- Execute arbitrary code on the firewall.
- Completely compromise the firewall.
- Intercept network traffic.
- Pivot to internal networks.
- Disrupt security operations.
Given that firewalls are a critical security component at the network perimeter, a compromise can have far-reaching consequences for an organization’s security posture.
Affected Products
The vulnerability affects the following WatchGuard Firebox devices running specific versions of Fireware OS:
- Fireware OS 11.10.2 up to and including 11.12.4_Update1
- Fireware OS 12.0 up to and including 12.11.3
- Fireware OS 2025.1
- Firebox T15 and T35 models running Fireware OS 12.5.x
- T, M, and Firebox Cloud series that run Fireware OS 12.x and 2025.1.x
The vulnerability is primarily present when configured with specific VPN setups, such as mobile user VPN with IKEv2 and branch office VPN using IKEv2 with a dynamic gateway peer. Even if these configurations have been deleted, devices may still be at risk if a branch office VPN to a static gateway peer is active.
Mitigation & Recommendations
WatchGuard has released patched versions of Fireware OS to address CVE-2025-9242. Administrators are strongly urged to upgrade their devices to the appropriate resolved version as soon as possible.
The recommended versions are:
- 2025.1.1
- 12.11.4
- 12.5.13 (for T15 & T35 models)
- 12.3.1_Update3 (for the FIPS-certified release)
For organizations that cannot immediately apply the updates, a temporary workaround is available. This involves implementing WatchGuard’s security best practices for securing branch office VPNs that use IPSec and IKEv2, specifically when configured with static gateway peers. However, applying the official patches is the most effective way to fully mitigate the risk posed by this critical vulnerability.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems, including Windows, Linux, and macOS, as well as over 550 third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.