
WatchGuard warns of critical vulnerability in Firebox firewalls

WatchGuard has released security updates to address a remote code execution vulnerability impacting the company's Firebox firewalls.

Tracked as CVE-2025-9242, this critical security flaw is caused by an out-of-bounds write weakness that can allow attackers to execute malicious code remotely on vulnerable devices following successful exploitation.

CVE-2025-9242 impacts firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1, and was fixed in versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1.

While Firebox firewalls are only vulnerable to attacks if they're configured to use IKEv2 VPN, WatchGuard added that they might still be at risk of compromise, even if the vulnerable configurations have been deleted, if a branch office VPN to a static gateway peer is still configured.

"An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer," the company warned in a Wednesday advisory.


"If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured."

| Product branch | Vulnerable firewalls |
| --- | --- |
| Fireware OS 12.5.x | T15, T35 |
| Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
| Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |
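
For triaging an inventory against the fixed versions and configuration conditions described above, here is an added example (not code from WatchGuard or from this article). The function and parameter names are hypothetical, and choosing the fix branch from the version prefix is an assumption of the example.

```python
import re

# Fixed releases listed in the article, keyed by version prefix (longest
# prefix wins). Picking the branch from the prefix is this example's assumption.
FIXED = {
    (12, 3, 1): ((12, 3, 1), 3),   # 12.3.1_Update3
    (12, 5): ((12, 5, 13), 0),     # 12.5.13
    (12,): ((12, 11, 4), 0),       # 12.11.4
    (2025, 1): ((2025, 1, 1), 0),  # 2025.1.1
}

def parse(version):
    """'12.3.1_Update3' -> ((12, 3, 1), 3); '12.11.4' -> ((12, 11, 4), 0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def version_status(version):
    """Return 'eol', 'patched', 'vulnerable' or 'unlisted' for a Fireware OS version."""
    nums, update = parse(version)
    if nums[0] == 11:
        return "eol"  # affected per the article, no fixed release listed
    for prefix in sorted(FIXED, key=len, reverse=True):
        if nums[:len(prefix)] == prefix:
            return "patched" if (nums, update) >= FIXED[prefix] else "vulnerable"
    return "unlisted"

def triage(version, muvpn_ikev2=False, bovpn_ikev2_dynamic=False,
           had_ikev2_before=False, bovpn_static=False):
    """Combine version status with the exposure conditions from the advisory."""
    status = version_status(version)
    if status in ("patched", "unlisted"):
        return status
    if muvpn_ikev2 or bovpn_ikev2_dynamic:
        exposure = "exposed"
    elif had_ikev2_before and bovpn_static:
        exposure = "residual"  # IKEv2 configs deleted, static-peer BOVPN remains
    else:
        exposure = "not-exposed"
    return f"{status}/{exposure}"

if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, triage keyword arguments).
    inventory = [
        ("fw-branch-01", "12.11.3", {"had_ikev2_before": True, "bovpn_static": True}),
        ("fw-hq-01", "12.5.13", {"muvpn_ikev2": True}),
        ("fw-lab-01", "2025.1", {"bovpn_ikev2_dynamic": True}),
    ]
    for host, ver, cfg in inventory:
        print(f"{host:14} {ver:16} {triage(ver, **cfg)}")
```

A result of `vulnerable/not-exposed` still means the device needs the update; it only indicates that none of the configuration conditions quoted above apply.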

WatchGuard also provides a temporary workaround for administrators who can't immediately patch devices running vulnerable software configured with Branch Office VPN (BOVPN) tunnels to static gateway peers.

This requires them to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic, as outlined in this support document, which provides detailed instructions on how to secure access to BOVPNs that use IPSec and IKEv2.


While this critical vulnerability is not yet being exploited in the wild, admins are still advised to patch their WatchGuard Firebox devices, as threat actors consider firewalls an attractive target. For example, the Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity vulnerability, to compromise SonicWall firewalls.

Two years ago, in April 2022, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered federal civilian agencies to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.

WatchGuard collaborates with over 17,000 security resellers and service providers to protect the networks of more than 250,000 small and mid-sized companies worldwide.