A critical vulnerability in WatchGuard’s Firebox network security appliances could allow a remote, unauthenticated attacker to execute arbitrary code, compromising corporate networks.
The flaw, tracked as CVE-2025-9242, exists in the component that handles IKEv2 VPN connections and has been assigned a critical severity score of 9.3 out of 10.0.
The vulnerability is an out-of-bounds write issue within the Fireware operating system’s iked process, which manages IKEv2 key exchanges for VPNs.
Attackers can exploit this flaw by sending a specially crafted packet to an affected device, triggering a stack-based buffer overflow. Security researchers have noted that this type of vulnerability is surprisingly common in modern enterprise-grade appliances, which often lack basic exploit mitigations like stack canaries.
Because the flaw is reachable before any authentication takes place, it poses a significant risk to the large number of organizations that rely on these devices for perimeter security.
Affected Systems and Configurations
According to a WatchGuard advisory report, the vulnerability impacts numerous versions of its Fireware OS, including 11.x, 12.x, and 2025.1:
- Fireware OS 11.10.2 through 11.12.4_Update1
- Fireware OS 12.0 through 12.11.3
- Fireware OS 2025.1
Specifically, devices are at risk if they are configured to use a mobile user VPN with IKEv2 or a branch office VPN that connects to a dynamic gateway peer.
The advisory warns that a device may remain vulnerable even if these configurations have been deleted, as long as a branch office VPN to a static gateway peer is still active.
The vulnerability affects a wide range of Firebox models, from small office devices like the T15 to larger enterprise units such as the M5800, as well as Firebox virtual appliances.
With WatchGuard stating it protects over 250,000 businesses and 10 million endpoints, the potential attack surface is substantial.
Security researchers were also able to develop a reliable method to fingerprint the exact Fireware OS version of a device with a single UDP packet, making it easier for attackers to identify vulnerable targets.
Patches and Mitigation Available
WatchGuard has released security updates to address the vulnerability and urges customers to upgrade their systems immediately.
Patched versions include Fireware OS 2025.1.1, 12.11.4, 12.5.13, and 12.3.1_Update3. The company credited a researcher named “btaol” for discovering and reporting the flaw.
- Upgrade to Fireware OS 2025.1.1 for 2025.1 series.
- Upgrade to Fireware OS 12.11.4 for 12.x series.
- Upgrade to Fireware OS 12.5.13 for T15 & T35 models.
- Upgrade to Fireware OS 12.3.1_Update3 for the FIPS-certified release.
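The following triage helper is an added example, not WatchGuard's code: it combines the affected version ranges listed under "Affected Systems and Configurations" with the patched builds just listed, so that an inventory check does not misclassify a backported fix such as 12.5.13 as vulnerable merely because it sits inside the 12.x range. It assumes that only the four fixed builds named in the article count as patched and that any other build inside a range should be flagged for review.

```python
# Added triage helper (not WatchGuard's code): classify a Firebox from its
# Fireware OS build string and the VPN configuration facts quoted in the article.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """'11.12.4_Update1' -> (11, 12, 4, 1); '2025.1' -> (2025, 1, 0, 0)."""
    base, _, update = v.partition("_Update")
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (3 - len(parts))          # pad to major.minor.patch
    return tuple(parts) + (int(update) if update else 0,)

# Affected ranges (inclusive) and fixed builds as listed in the article.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]
FIXED_BUILDS = {"2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3"}

def version_affected(v: str) -> bool:
    """True when v falls inside an affected range and is not a listed fixed build.
    Assumption: only the four builds in FIXED_BUILDS count as patched; any other
    build inside a range is flagged (conservative, errs toward false positives)."""
    if v in FIXED_BUILDS:
        return False
    pv = parse_version(v)
    return any(parse_version(lo) <= pv <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

@dataclass
class VpnConfig:
    mobile_user_ikev2: bool = False   # mobile user VPN with IKEv2
    bovpn_dynamic_peer: bool = False  # branch office VPN to a dynamic gateway peer
    bovpn_static_peer: bool = False   # branch office VPN to a static gateway peer

def config_exposed(cfg: VpnConfig) -> bool:
    # iked is reachable with IKEv2 mobile VPN or a BOVPN to a dynamic peer; the
    # advisory says an active BOVPN to a static peer keeps the device vulnerable
    # even after the other two configurations have been deleted.
    return cfg.mobile_user_ikev2 or cfg.bovpn_dynamic_peer or cfg.bovpn_static_peer

def triage(version: str, cfg: VpnConfig) -> str:
    """Return a one-word disposition for an inventory row."""
    if not version_affected(version):
        return "patched-or-out-of-range"
    return "vulnerable" if config_exposed(cfg) else "affected-build-no-vpn-exposure"
```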
For organizations unable to apply the patches right away, WatchGuard has provided a temporary workaround. Administrators can secure their branch office VPNs by following the company’s best-practice recommendations for IPSec and IKEv2 configurations.
Given the critical nature of this pre-authentication remote code execution vulnerability on a perimeter security device, administrators are strongly advised to prioritize patching to prevent potential exploitation by threat actors, including ransomware groups.