Security Update for WatchGuard Firebox Devices

WatchGuard has announced a critical security update for Firebox appliances. While there’s no evidence this issue has been exploited, we’re already reviewing all client systems and preparing updates to ensure continued protection.

Your security is our top priority — and we’ve got it covered. ✅

WatchGuard Firebox iked Out of Bounds Write Vulnerability

Advisory ID: WGSA-2025-00015

CVE: CVE-2025-9242

Impact: Critical

Status: Resolved

Product Family: Firebox

Published Date: 2025-09-17

Updated Date: 2025-09-17

Workaround Available: True

CVSS Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.

Affected

This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.

Resolution

Workaround

If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.

Credits: btaol

Advisory Product List

For those who’d like more details, here’s WatchGuard’s official notice: WatchGuard Security Advisory – WGSA-2025-0015