Security Update for WatchGuard Firebox Devices
WatchGuard has announced a critical security update for Firebox appliances. While there’s no evidence this issue has been exploited, we’re already reviewing all client systems and preparing updates to ensure continued protection.
Your security is our top priority — and we’ve got it covered. ✅
WatchGuard Firebox iked Out of Bounds Write Vulnerability
Advisory ID: WGSA-2025-00015
CVE: CVE-2025-9242
Impact: Critical
Status: Resolved
Product Family: Firebox
Published Date: 2025-09-17
Updated Date: 2025-09-17
Workaround Available: True
CVSS Score: 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2, or with a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, the Firebox may still be vulnerable if a branch office VPN to a static gateway peer remains configured.
Affected
This vulnerability affects Fireware OS 11.10.2 through 11.12.4_Update1 (inclusive), 12.0 through 12.11.3 (inclusive), and 2025.1.
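A quick way to triage a fleet against the ranges above is to parse each appliance's reported Fireware OS version and compare it against the inclusive bounds the advisory gives. The script below is an added example written for this page, not WatchGuard tooling. It assumes Fireware versions take the form major.minor[.patch][_UpdateN], treats the _UpdateN suffix as a fourth, least-significant component for ordering, and, because the advisory names "2025.1" without an upper bound or a fixed build, it flags any 2025.1.x build for manual review rather than declaring it affected or clean. The inventory at the bottom is constructed sample data.

```python
"""Triage Fireware OS versions against the affected ranges published for
CVE-2025-9242 (WGSA-2025-00015).

Added example, not WatchGuard's code. Assumptions: version strings look like
'12.11.3', '11.12.4_Update1' or '2025.1'; an '_UpdateN' suffix sorts after
the base release it belongs to; the open-ended '2025.1' entry is reported
as 'review' because the advisory gives no upper bound for it.
"""
import re
from typing import Dict, Iterable, NamedTuple, Tuple


class FirewareVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int  # N from '_UpdateN', 0 when absent


_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:_Update(?P<update>\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> FirewareVersion:
    """Parse '12.11.3', '11.12.4_Update1' or '2025.1' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    return FirewareVersion(
        int(m["major"]),
        int(m["minor"]),
        int(m["patch"] or 0),
        int(m["update"] or 0),
    )


# Inclusive bounds exactly as stated in the advisory's Affected section.
AFFECTED_RANGES: Tuple[Tuple[FirewareVersion, FirewareVersion], ...] = (
    (parse_version("11.10.2"), parse_version("11.12.4_Update1")),
    (parse_version("12.0"), parse_version("12.11.3")),
)


def classify(version: str) -> str:
    """Return 'affected', 'review' or 'not listed' for one version string."""
    v = parse_version(version)
    if any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "affected"
    if (v.major, v.minor) == (2025, 1):
        # Advisory lists '2025.1' with no patch bound and no fixed build on
        # this page, so do not guess: hand it to a human.
        return "review"
    return "not listed"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> classification for (hostname, version) pairs."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("fbx-hq-01", "12.11.3"),
    ("fbx-branch-02", "11.12.4_Update1"),
    ("fbx-branch-03", "12.11.4"),
    ("fbx-lab-04", "2025.1"),
    ("fbx-legacy-05", "11.10.1"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {verdict}")
```

Any device reported as "affected" with IKEv2 mobile VPN, a dynamic-peer BOVPN, or (per the note above) a remaining static-peer BOVPN should be patched first; "review" rows need the vendor's current fixed-version list, which this page does not reproduce.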
Resolution
Workaround
If your Firebox is configured only with Branch Office VPN tunnels to static gateway peers, and you cannot immediately upgrade the device to a Fireware OS version that contains the fix, you can follow WatchGuard's recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.
Credits: btaol
For those who would like more details, here is WatchGuard's official notice: WatchGuard Security Advisory WGSA-2025-00015