Patch Immediately: WatchGuard Warns of Remote Code Execution Risk in Firebox firewalls


On September 17, 2025, WatchGuard disclosed a critical vulnerability affecting WatchGuard Firebox appliances running Fireware OS. The flaw is an Out-of-Bounds Write weakness residing in the iked process responsible for VPN connections and could allow a remote, unauthenticated attacker to execute arbitrary code.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2025-9242
  • CVSS Score: 9.3
  • Vulnerability Type: Out-of-Bounds Write
  • Component Affected: iked process in Fireware OS
  • Affected Functionality:
    • Mobile user VPN with IKEv2
    • Branch office VPN using IKEv2 with dynamic gateway peers

Description: The issue lies in the IKEv2 VPN handling by the iked process. Specially crafted IKEv2 traffic can trigger an Out-of-Bounds Write, leading to memory corruption. Successful exploitation grants remote code execution without requiring authentication.

Affected Products

  • Firebox Fireware OS 12.5.x: T15, T35
  • Firebox Fireware OS 12.x: T20–T85, M270–M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
  • Firebox Fireware OS 2025.1.x: T115-W, T125, T125-W, T145, T145-W, T185

| Vulnerable Version | Resolved Version |
|---|---|
| 2025.1 | 2025.1.1 |
| 12.x | 12.11.4 |
| 12.5.x (T15 & T35 models) | 12.5.13 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x | End of Life |

Potential Impact

  • Complete compromise of Firebox appliance.
  • Use of compromised Firebox as an entry point for network intrusion.
  • Disruption of VPN services and branch office connectivity.

Recommendations

  1. Immediately upgrade to 2025.1.1, 12.11.4, or 12.5.13 depending on model/version. Ensure FIPS devices move to 12.3.1_Update3.
  2. Workaround: If immediate patching is not possible, limit configurations to Branch Office VPN tunnels with static gateway peers only and apply WatchGuard’s guidance for secure IKEv2 VPN configuration as an interim step.
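To apply the version table across a fleet, the following added example (not WatchGuard's code and not part of the original advisory) triages an inventory against the resolved versions listed above. The function names, the `_UpdateN` version-string format, the sample inventory, and the assumption that any release at or above a resolved version contains the fix are all assumptions of this sketch; it checks versions only and does not assess VPN configuration.

```python
import re
# Resolved versions copied from the advisory table above.
FIXED_2025, FIXED_12, FIXED_12_5 = (2025, 1, 1), (12, 11, 4), (12, 5, 13)
FIPS_BASE, FIPS_FIXED_UPDATE = (12, 3, 1), 3
LEGACY_MODELS = {"T15", "T35"}  # the models the table lists for 12.5.x

def parse_version(text):
    """'12.11.3' -> ((12, 11, 3), 0); '12.3.1_Update3' -> ((12, 3, 1), 3)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)(?:_Update(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad '2025.1' to (2025, 1, 0)
    return nums, int(m.group(2) or 0)

def triage(model, version, fips=False):
    """Return (status, upgrade_target) for one appliance."""
    nums, update = parse_version(version)
    if nums[0] == 11:
        return "END_OF_LIFE", None  # table lists no resolved 11.x version
    if fips and nums == FIPS_BASE:
        if update >= FIPS_FIXED_UPDATE:
            return "PATCHED", None
        return "VULNERABLE", "12.3.1_Update3"
    if nums[0] == 2025:
        fixed = FIXED_2025
    elif nums[:2] == (12, 5) and model.upper() in LEGACY_MODELS:
        fixed = FIXED_12_5
    elif nums[0] == 12:
        fixed = FIXED_12
    else:
        return "UNKNOWN", None
    if nums >= fixed:
        return "PATCHED", None
    return "VULNERABLE", ".".join(map(str, fixed))

# Constructed sample inventory: (name, model, version, fips). Not real devices.
SAMPLE = [
    ("hq-fw", "M270", "12.11.3", False),
    ("branch-1", "T35", "12.5.13", False),
    ("branch-2", "T145", "2025.1", False),
    ("lab-fips", "M4600", "12.3.1_Update2", True),
    ("old-site", "legacy-model", "11.12.4", False),
]

def needs_action(inventory):
    """Rows that are not PATCHED, with the version to move to (if any)."""
    rows = [(n, *triage(m, v, f)) for n, m, v, f in inventory]
    return [r for r in rows if r[1] != "PATCHED"]
```

Calling `needs_action(SAMPLE)` returns the devices still to be upgraded or retired, each with its target release.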

Source:

  • https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
