A critical vulnerability (CVE-2025-9242, CVSS 9.3) in WatchGuard Firebox network security appliances exposes 75,835+ devices globally, primarily in the U.S., Germany, and elsewhere in Europe. The flaw, an out-of-bounds write in the Fireware OS ‘iked’ process, allows unauthenticated remote code execution via malicious IKEv2 VPN packets. Affected versions (11.10.2–11.12.4_Update1, 12.0–12.11.3, 2025.1) remain unpatched unless upgraded to 2025.1.1, 12.11.4, or 12.5.13. End-of-life 11.x versions remain permanently vulnerable. While no active exploitation is confirmed, the flaw enables attackers to bypass authentication, execute arbitrary code, and potentially compromise the internal networks these appliances protect. Organizations relying on Firebox for VPN gateways, traffic filtering, or cloud security face heightened risk of lateral movement, data exfiltration, or full system takeover if unpatched. Shadowserver Foundation’s scans confirm that the exposed devices are not honeypots; the Foundation urges immediate patching or, as a temporary mitigation, hardening IPSec/IKEv2 configurations to use static gateway peers.
TPRM report: https://www.rankiteo.com/company/watchguard-technologies
{
  "id": "wat5192051102025",
  "linkid": "watchguard-technologies",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [
    {'customers_affected': '75,835 vulnerable Firebox appliances',
     'industry': 'Network Security',
     'location': 'Global (HQ: Seattle, WA, USA)',
     'name': 'WatchGuard Technologies',
     'type': 'Cybersecurity Vendor'},
    {'industry': 'Multiple (including IT, Finance, Healthcare, Education, etc.)',
     'location': [{'count': 24500, 'country': 'United States'},
                  {'count': 7300, 'country': 'Germany'},
                  {'count': 6800, 'country': 'Italy'},
                  {'count': 5400, 'country': 'United Kingdom'},
                  {'count': 4100, 'country': 'Canada'},
                  {'count': 2000, 'country': 'France'},
                  {'count': 25735, 'country': 'Other (Global)'}],
     'name': 'Organizations using WatchGuard Firebox appliances',
     'type': ['Enterprises', 'Government Agencies', 'SMBs', 'Service Providers']}],
 'attack_vector': 'Network (IKEv2 VPN packets)',
 'customer_advisories': ['Urgent patching advisory for Firebox appliance users',
                         'Guidance for migrating from EoL Fireware OS 11.x',
                         'Temporary mitigation steps for unpatched devices'],
 'date_publicly_disclosed': '2025-09-17',
 'description': 'Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and vulnerable to a critical out-of-bounds write flaw (CVE-2025-9242) in the Fireware OS ‘iked’ process. This vulnerability allows remote attackers to execute arbitrary code without authentication by sending specially crafted IKEv2 packets. The issue affects devices using IKEv2 VPNs with dynamic gateway peers on specific unsupported or unpatched versions. No active exploitation has been reported yet, but administrators are urged to apply patches immediately.',
 'impact': {'brand_reputation_impact': 'High (due to widespread exposure of critical security appliances)',
            'operational_impact': 'Potential unauthorized remote code execution, compromise of network traffic, and bypass of security controls',
            'systems_affected': '75,835 WatchGuard Firebox appliances (as of latest scan)'},
 'initial_access_broker': {'entry_point': 'IKEv2 VPN service (iked process) on exposed Firebox appliances'},
 'investigation_status': 'Ongoing (no active exploitation reported as of 2025-10-19)',
 'lessons_learned': ['Critical importance of patching network security appliances promptly, especially those exposed to the internet',
                     'Risks of using end-of-life (EoL) software versions in security-critical infrastructure',
                     'Need for proactive vulnerability scanning (e.g., Shadowserver Foundation) to identify exposed assets',
                     'Configuration hardening (e.g., avoiding dynamic gateway peers in VPN setups) as a temporary mitigation'],
 'post_incident_analysis': {'corrective_actions': ['Release of patched Fireware OS versions (2025.1.1, 12.11.4, etc.)',
                                                   'Public disclosure and advisory to customers',
                                                   'Collaboration with Shadowserver Foundation for vulnerability tracking',
                                                   'Recommendations for configuration hardening and EoL migrations'],
                            'root_causes': ['Out-of-bounds write vulnerability in Fireware OS ‘iked’ process (CVE-2025-9242)',
                                            'Lack of authentication required for exploitation via IKEv2 packets',
                                            'Delayed patching by administrators',
                                            'Use of unsupported (EoL) software versions (11.x)',
                                            'Exposure of Firebox appliances to the public internet without adequate protections']},
 'recommendations': ['Immediately patch all affected WatchGuard Firebox appliances to the latest supported versions',
                     'Audit and disable unnecessary IKEv2 VPN configurations, especially with dynamic peers',
                     'Replace or upgrade appliances running Fireware OS 11.x (EoL)',
                     'Implement network segmentation to limit exposure of Firebox appliances',
                     'Monitor for anomalous IKEv2 traffic as a potential indicator of exploitation attempts',
                     'Engage with WatchGuard support for migration guidance if using unsupported versions',
                     'Conduct a thorough review of VPN configurations and access controls'],
 'references': [{'date_accessed': '2025-09-17',
                 'source': 'WatchGuard Security Bulletin (CVE-2025-9242)'},
                {'date_accessed': '2025-10-19',
                 'source': 'The Shadowserver Foundation Vulnerability Report'},
                {'source': 'BleepingComputer Article'}],
 'response': {'communication_strategy': ['WatchGuard security bulletin (2025-09-17)',
                                         'Public advisory via BleepingComputer and other cybersecurity media',
                                         'Shadowserver Foundation vulnerability disclosure'],
              'containment_measures': ['Apply security patches to Fireware OS versions 2025.1.1, 12.11.4, 12.5.13, or 12.3.1_Update3 (B722811)',
                                       'Upgrade from unsupported version 11.x (EoL)',
                                       'Temporary workaround: Secure Branch Office VPNs to static gateway peers using IPSec/IKEv2 (for affected configurations)'],
              'enhanced_monitoring': 'Recommended for unpatched devices (monitor IKEv2 traffic)',
              'remediation_measures': ['Patch vulnerable appliances immediately',
                                       'Disable IKEv2 VPNs with dynamic gateway peers if patching is delayed',
                                       'Monitor for suspicious IKEv2 traffic'],
              'third_party_assistance': ['The Shadowserver Foundation (scanning/vulnerability tracking)']},
 'stakeholder_advisories': ['WatchGuard customers and partners',
                            'Network administrators using Firebox appliances',
                            'CISOs and IT security teams in affected regions'],
 'title': 'Critical Vulnerability (CVE-2025-9242) in WatchGuard Firebox Appliances Exposes 76,000 Devices',
 'type': ['Vulnerability Exposure', 'Unauthenticated Remote Code Execution (RCE)'],
 'vulnerability_exploited': 'CVE-2025-9242 (Out-of-bounds write in Fireware OS ‘iked’ process)'}