WatchGuard Technologies

WatchGuard disclosed CVE-2025-9242, a critical remote code execution (RCE) vulnerability in its Firebox firewalls caused by an out-of-bounds write flaw in the iked process (the IKEv2 VPN component). The vulnerability allows unauthenticated attackers to execute arbitrary code on affected devices; a device remains exploitable even after a previously vulnerable configuration (mobile user VPN or dynamic gateway peer BOVPN) has been deleted, as long as a static gateway peer BOVPN remains active. The flaw impacts Fireware OS 11.x (EOL), 12.x, and 2025.1, with patches released in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1. Over 250,000 SMBs using WatchGuard's firewalls (models: T15 to M690, Firebox Cloud, FireboxV, etc.) are at risk. While no active exploitation is reported, the vulnerability poses a severe threat, as firewalls are prime targets for ransomware groups (e.g., Akira exploiting SonicWall's CVE-2024-40766). CISA previously mandated patches for a similar WatchGuard flaw (2022) that was exploited in attacks. Unpatched systems risk full device compromise, enabling lateral movement, data exfiltration, or ransomware deployment. WatchGuard provided a temporary workaround (disabling dynamic BOVPNs, modifying firewall policies) but urges immediate patching to prevent potential supply-chain attacks or mass exploitation by threat actors.

Source: https://www.bleepingcomputer.com/news/security/watchguard-warns-of-critical-vulnerability-in-firebox-firewalls/

TPRM report: https://www.rankiteo.com/company/watchguard-technologies

{
  "id": "wat0970609100325",
  "linkid": "watchguard-technologies",
  "type": "Vulnerability",
  "date": "6/2022",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "customers_affected": "Potentially all customers using vulnerable Firebox firewalls with IKEv2 VPN configurations",
      "industry": "Network Security",
      "location": "Seattle, Washington, USA",
      "name": "WatchGuard Technologies",
      "size": "Mid-sized (250,000+ SMB customers globally)",
      "type": "Cybersecurity Vendor"
    },
    {
      "industry": "Multiple (global)",
      "location": "Worldwide",
      "name": "WatchGuard Customers (SMBs)",
      "size": "17,000+ resellers; 250,000+ SMBs",
      "type": ["Small and Mid-sized Businesses (SMBs)", "Enterprises using WatchGuard Firebox"]
    }
  ],
  "attack_vector": ["Network", "VPN Exploitation (IKEv2)"],
  "customer_advisories": [
    "Urgent patching recommended for all affected Firebox models.",
    "Temporary mitigation steps provided for organizations unable to patch immediately.",
    "Warning that even deleted IKEv2 configurations may leave devices vulnerable if static gateway peers remain."
  ],
  "date_publicly_disclosed": "2025-01-01T00:00:00Z",
  "description": "WatchGuard has released security updates to address a remote code execution vulnerability (CVE-2025-9242) impacting its Firebox firewalls. The critical flaw, caused by an out-of-bounds write weakness in the Fireware OS 'iked' process, allows remote unauthenticated attackers to execute arbitrary code on vulnerable devices configured with IKEv2 VPN (mobile user or branch office VPN with dynamic/static gateway peers). The vulnerability affects Fireware OS 11.x (EOL), 12.x, and 2025.1, with fixes released in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1. A temporary workaround involves disabling dynamic peer BOVPNs and adjusting firewall policies. While no active exploitation is reported, admins are urged to patch due to the high-value target nature of firewalls.",
  "impact": {
    "brand_reputation_impact": ["Potential reputational damage if exploited"],
    "operational_impact": ["Potential unauthorized remote code execution", "Risk of firewall compromise"],
    "systems_affected": [
      {
        "model": "Firebox T15, T35 (Fireware OS 12.5.x)",
        "status": "Vulnerable if configured with IKEv2 VPN"
      },
      {
        "model": "Firebox T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800 (Fireware OS 12.x)",
        "status": "Vulnerable if configured with IKEv2 VPN"
      },
      {
        "model": "Firebox Cloud, Firebox NV5, FireboxV (Fireware OS 12.x)",
        "status": "Vulnerable if configured with IKEv2 VPN"
      },
      {
        "model": "Firebox T115-W, T125, T125-W, T145, T145-W, T185 (Fireware OS 2025.1.x)",
        "status": "Vulnerable if configured with IKEv2 VPN"
      }
    ]
  },
  "initial_access_broker": {
    "entry_point": ["IKEv2 VPN misconfigurations (dynamic/static gateway peers)"],
    "high_value_targets": ["Firewall devices (for lateral movement or persistence)"]
  },
  "investigation_status": "Ongoing (no active exploitation reported as of disclosure)",
  "lessons_learned": [
    "Firewalls remain high-value targets for threat actors (e.g., Akira ransomware exploiting SonicWall CVE-2024-40766).",
    "Legacy or end-of-life (EOL) software (e.g., Fireware OS 11.x) poses persistent risks if not updated or replaced.",
    "VPN configurations (e.g., IKEv2) can introduce critical vulnerabilities if not properly secured or deprecated.",
    "Proactive patching and temporary workarounds are essential to mitigate exploitation before attacks occur."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Released patched versions of Fireware OS (12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1).",
      "Provided detailed workaround instructions for administrators.",
      "Emphasized the need to audit and remove unused VPN configurations.",
      "Highlighted risks of EOL software in customer communications."
    ],
    "root_causes": [
      "Out-of-bounds write vulnerability in Fireware OS 'iked' process (CVE-2025-9242).",
      "Insecure default configurations for IKEv2 VPN (mobile user and branch office).",
      "Persistence of vulnerability even after deleting IKEv2 configurations if static gateway peers remain.",
      "Use of end-of-life (EOL) software (Fireware OS 11.x) in some deployments."
    ]
  },
  "recommendations": [
    "Immediately patch WatchGuard Firebox devices to versions 12.3.1_Update3, 12.5.13, 12.11.4, or 2025.1.1.",
    "Disable IKEv2 VPN configurations if not required, especially dynamic peer BOVPNs.",
    "Implement the temporary workaround (firewall policy adjustments) if patching is delayed.",
    "Audit firewall configurations for legacy or unused VPN settings that may introduce vulnerabilities.",
    "Monitor for unusual VPN traffic or authentication attempts targeting Firebox devices.",
    "Replace end-of-life (EOL) Fireware OS 11.x devices, as they will not receive security updates.",
    "Educate administrators on the risks of exposing VPN services (e.g., IKEv2) to untrusted networks."
  ],
  "references": [
    {
      "date_accessed": "2025-01-01",
      "source": "WatchGuard Security Advisory (CVE-2025-9242)",
      "url": "https://www.watchguard.com/wgrd-support/advisory/cve-2025-9242"
    },
    {
      "date_accessed": "2025-01-01",
      "source": "WatchGuard Support Document (Workaround)",
      "url": "https://www.watchguard.com/support/article/cve-2025-9242-workaround"
    },
    {
      "date_accessed": "2025-01-02",
      "source": "BleepingComputer - WatchGuard Firebox RCE Bug Could Let Attackers Hack Firewalls",
      "url": "https://www.bleepingcomputer.com/news/security/watchguard-firebox-rce-bug-could-let-attackers-hack-firewalls/"
    },
    {
      "date_accessed": "2022-04-01",
      "source": "CISA Directive (2022) - WatchGuard Firebox Vulnerability",
      "url": "https://www.cisa.gov/news-events/directives/ed-22-03"
    }
  ],
  "regulatory_compliance": {
    "regulatory_notifications": ["Historical context: CISA ordered federal agencies to patch a prior WatchGuard vulnerability (April 2022)"]
  },
  "response": {
    "communication_strategy": [
      "Public advisory released (January 2025)",
      "Detailed support document for workaround",
      "Collaboration with 17,000+ resellers for customer notifications"
    ],
    "containment_measures": [
      "Security updates released (Fireware OS 12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1)",
      "Temporary workaround provided (disabling dynamic peer BOVPNs, adjusting firewall policies)"
    ],
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Patching vulnerable devices",
      "Disabling vulnerable IKEv2 configurations",
      "Adding new firewall policies to restrict VPN traffic"
    ]
  },
  "stakeholder_advisories": [
    "WatchGuard customers (via resellers and direct notifications)",
    "Federal agencies (historical context via CISA)"
  ],
  "title": "WatchGuard Firebox Firewalls Remote Code Execution Vulnerability (CVE-2025-9242)",
  "type": ["Vulnerability", "Remote Code Execution (RCE)"],
  "vulnerability_exploited": "CVE-2025-9242 (Out-of-bounds Write in 'iked' process)"
}