WatchGuard disclosed a critical out-of-bounds write vulnerability (CVE-2025-9242, CVSS 9.3/10) in its Firebox firewalls, allowing remote, unauthenticated attackers to execute arbitrary code on affected devices. The flaw stems from the iked process in Fireware OS, impacting versions 11.10.2–11.12.4_Update1, 12.0–12.11.3, and 2025.1, even if IKEv2 VPN configurations were removed. Exploiting this could grant attackers full control over the firewall, bypassing perimeter defenses and enabling network infiltration, lateral movement, or data exfiltration. While no active exploits are reported, the risk is severe due to firewalls being prime targets for initial access. WatchGuard released patches (e.g., 12.3.1_Update3, 12.5.13, 2025.1.1) and advised immediate updates or mitigations like restricting VPN traffic. Experts warn this aligns with 2025 trends of edge security vulnerabilities being heavily exploited for breaches.
Source: https://hackread.com/watchguard-fix-for-firebox-firewall-vulnerability/
TPRM report: https://www.rankiteo.com/company/watchguard-online
{
  "id": "wat0832408091925",
  "linkid": "watchguard-online",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Network Security',
                        'location': 'Seattle, Washington, USA',
                        'name': 'WatchGuard Technologies',
                        'type': 'Cybersecurity Vendor'}],
 'attack_vector': 'Network (Remote, Unauthenticated)',
 'customer_advisories': 'Public advisory with patch instructions and mitigation guidance',
 'description': 'WatchGuard has released security updates to address a high-risk out-of-bounds write vulnerability (CVE-2025-9242) in its Firebox firewalls. This flaw could allow a remote, unauthenticated attacker to execute arbitrary code on the device. The issue affects Fireware OS versions 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1, particularly when IKEv2 VPN configurations are (or were previously) enabled. While no active exploits have been reported, the vulnerability poses a severe risk due to its CVSS score of 9.3/10 and the critical role of firewalls in network security. WatchGuard has released patches (12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1) and recommends immediate updates or temporary mitigation via traffic restrictions to the VPN.',
 'impact': {'brand_reputation_impact': 'High (trust in perimeter security solutions undermined)',
            'operational_impact': 'Potential full network compromise via firewall breach (critical perimeter defense bypass)',
            'systems_affected': {'devices': ['Firebox T15 (Fireware OS 12.5.x)',
                                             'Firebox T35 (Fireware OS 12.5.x)',
                                             'Firebox T series (Fireware OS 12.x, 2025.1.x)',
                                             'Firebox M series (Fireware OS 12.x, 2025.1.x)',
                                             'Firebox Cloud (Fireware OS 12.x, 2025.1.x)'],
                                 'software_versions': ['Fireware OS 11.10.2 to 11.12.4_Update1',
                                                       'Fireware OS 12.0 to 12.11.3',
                                                       'Fireware OS 2025.1']}},
 'investigation_status': 'Ongoing (no active exploits reported; patches released)',
 'lessons_learned': ['Perimeter defenses (e.g., firewalls) remain high-value targets for attackers due to their role as network gatekeepers (David Matalon, Venn).',
                     'Vulnerabilities in edge security products can persist even after misconfigurations are removed (Mayuresh Dani, Qualys).',
                     'Layered security is critical to mitigate the impact of perimeter breaches (David Matalon, Venn).',
                     'Firewall compromises provide attackers with tactical advantages for lateral movement (Frankie Sclafani, Deepwatch).'],
 'post_incident_analysis': {'corrective_actions': ['Code fixes in Fireware OS to validate memory bounds in the iked process.',
                                                   'Enhanced validation for VPN configuration changes.'],
                            'root_causes': ['Out-of-bounds write vulnerability in the iked process due to improper memory handling.',
                                            'Persistence of risk even after IKEv2 VPN configurations were removed.']},
 'recommendations': ['Immediately apply WatchGuard’s patches for Fireware OS (versions 12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1).',
                     'If patching is delayed, implement temporary mitigations by restricting traffic to IKEv2 VPN services.',
                     'Audit all firewall configurations for unnecessary or legacy VPN settings (e.g., IKEv2).',
                     'Adopt a layered security approach to reduce reliance on single points of failure (e.g., firewalls).',
                     'Monitor for unusual activity on firewall devices, especially unauthenticated access attempts to the iked process.'],
 'references': [{'source': 'WatchGuard Security Advisory'},
                {'source': 'Hackread.com'},
                {'source': 'CVE Details (CVE-2025-9242)'}],
 'response': {'communication_strategy': {'customer_notifications': True,
                                         'media_statements': True,
                                         'public_advisory': True},
              'containment_measures': ['Software patches (12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1)',
                                       'Temporary mitigation: Restrict traffic to VPN services'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Urgent patch deployment across all affected Fireware OS versions']},
 'stakeholder_advisories': 'Urgent update notifications sent to customers and partners',
 'title': 'Critical Out-of-Bounds Write Vulnerability in WatchGuard Firebox Firewalls (CVE-2025-9242)',
 'type': ['Vulnerability Disclosure', 'Remote Code Execution (RCE)'],
 'vulnerability_exploited': {'affected_component': 'iked process in Fireware OS',
                             'cve_id': 'CVE-2025-9242',
                             'cvss_score': 9.3,
                             'preconditions': ['IKEv2 VPN configuration (current or previously enabled)'],
                             'type': 'Out-of-Bounds Write'}}