Over 75,000 WatchGuard security devices vulnerable to critical RCE

Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public internet and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication.

Firebox devices act as a central defense hub that controls traffic between internal and external networks, providing protection through policy management, security services, VPN, and real-time visibility through WatchGuard Cloud.

Scans from The Shadowserver Foundation currently show that there are 75,835 vulnerable Firebox appliances across the world, most of them in Europe and North America.

Specifically, the United States tops the list with 24,500 endpoints, followed by Germany (7,300), Italy (6,800), United Kingdom (5,400), Canada (4,100), and France (2,000).

Heatmap of vulnerable Firebox devices
Source: The Shadowserver Foundation

WatchGuard disclosed CVE-2025-9242 in a security bulletin on September 17 and rated the vulnerability with a critical severity score of 9.3. The security problem is an out-of-bounds write in the Fireware OS ‘iked’ process, which handles IKEv2 VPN negotiations.

The flaw could be exploited without authentication by sending specially crafted IKEv2 packets to vulnerable Firebox endpoints, forcing them to write data to unintended memory areas.

It only affects Firebox appliances that use IKEv2 VPNs with dynamic gateway peers, on versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1.

The vendor recommended an upgrade to one of the following versions:

  • 2025.1.1
  • 12.11.4
  • 12.5.13
  • 12.3.1_Update3 (B722811)

Users should know that version 11.x has reached end of support and will not receive security updates. The recommendation for them is to move to a version that is still supported.
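
An added example (not WatchGuard's or the article's code): a Python check that classifies Fireware OS version strings against the affected ranges and fixed releases listed above, then picks out appliances that also use IKEv2 with dynamic gateway peers. It assumes each fixed release patches only its own major.minor branch; the inventory and host names are constructed.

```python
import re

# Version data copied from the article's text on CVE-2025-9242.
AFFECTED = [("11.10.2", "11.12.4_Update1"), ("12.0", "12.11.3"), ("2025.1", "2025.1")]
FIXED = ["2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3"]

def parse(version):
    """'12.3.1_Update3' -> (12, 3, 1, 3); missing parts count as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(version):
    """Return 'fixed', 'affected' or 'not-listed' for one Fireware OS version."""
    v = parse(version)
    # Assumption: a fixed release patches its own major.minor branch, so
    # 12.5.13 covers later 12.5.x builds but says nothing about 12.6.x.
    for fixed in map(parse, FIXED):
        if v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    for low, high in AFFECTED:
        if parse(low) <= v <= parse(high):
            return "affected"
    return "not-listed"

def triage(inventory):
    """Names of appliances needing action: affected build plus IKEv2 dynamic peers."""
    return [name for name, version, ikev2_dynamic in inventory
            if ikev2_dynamic and classify(version) == "affected"]

# Constructed inventory: (name, Fireware version, IKEv2 with dynamic gateway peers)
SAMPLE = [
    ("fw-branch-01", "12.11.3", True),
    ("fw-branch-02", "12.5.13", True),
    ("fw-legacy-01", "11.12.4_Update1", True),   # 11.x: end of support, must migrate
    ("fw-hq-01", "2025.1", False),
    ("fw-hq-02", "12.11.4", True),
]

if __name__ == "__main__":
    for name, version, _ in SAMPLE:
        print(f"{name:14} {version:18} {classify(version)}")
    print("needs action:", triage(SAMPLE))
```

A plain range comparison would wrongly flag 12.5.13 and 12.3.1_Update3, which sit numerically inside the 12.0 through 12.11.3 range but are listed as fixed releases.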

For devices set up only with Branch Office VPNs to static gateway peers, the vendor points to the documentation for securing the connection using the IPSec and IKEv2 protocols as a temporary workaround.

On October 19, The Shadowserver Foundation detected 75,955 vulnerable Firebox firewalls. A spokesperson told BleepingComputer that the current scan is considered reliable, and the figures reflect real deployments and not honeypots, yet.

Although no active exploitation of CVE-2025-9242 has been reported yet, administrators who have not applied the security updates are strongly advised to install the patch as soon as possible.
