WatchGuard has issued security updates addressing a vulnerability, tracked as CVE-2025-9242, affecting its Firebox firewall devices. This flaw involves an out-of-bounds write weakness within the Fireware OS, potentially allowing remote attackers to execute arbitrary code on vulnerable devices configured with IKEv2 VPN.
The vulnerability, officially classified as CVE-2025-9242, impacts Firebox devices running Fireware OS versions 11.x (which is now end-of-life), 12.x, and the latest 2025.1 series. The security flaw resides in the iked process of Fireware OS, which handles VPN connections, specifically affecting configurations using the IKEv2 VPN protocol. Attackers exploiting this vulnerability could gain remote code execution capabilities without needing authentication, creating a critical security threat for vulnerable devices.
WatchGuard’s advisory, published on September 17, 2025, details that both mobile user VPNs with IKEv2 and branch office VPNs (BOVPN) using IKEv2 are at risk, especially when configured with dynamic gateway peers. Notably, even if the vulnerable IKEv2 VPN settings have been removed, a Firebox remains susceptible if it still has a branch office VPN connection to a static gateway peer.
Firebox Firewalls Vulnerability (CVE-2025-9242): Affected Versions and Fixes
The vulnerability affects Fireware OS versions from 11.10.2 up to 11.12.4_Update1, 12.0 through 12.11.3, and the 2025.1 series. WatchGuard has released fixes in the following versions:
- 11.x – End of Life, no further updates.
- 12.3.1_Update3 (B722811)
- 12.5.13 (for T15 & T35 models)
- 12.11.4
- 2025.1.1
Users of Firebox firewalls are strongly urged to update to these patched versions to prevent potential exploitation of the vulnerability.
The vulnerability’s CVSS score of 9.3 makes the vulnerability a severe flaw. An unauthenticated remote attacker can execute arbitrary code, which could lead to complete compromise of the firewall and the network it protects.
This risk particularly concerns organizations relying on Firebox firewalls for secure VPN access using IKEv2 VPN.
Temporary Workaround for Vulnerable Devices
For administrators unable to immediately apply the patch, WatchGuard offers a temporary workaround to secure vulnerable devices configured with Branch Office VPN tunnels to static gateway peers. This involves disabling dynamic peer VPNs, creating firewall aliases for trusted IP addresses, adding specific firewall policies, and disabling default system VPN policies.
Key steps include:
- Disable Dynamic Peer BOVPNs: Remove any VPN tunnels using dynamic gateway peers.
- Create Aliases: Define groups of trusted static IP addresses representing remote BOVPN peers.
- Add New Firewall Policies: Permit VPN traffic (UDP port 500, UDP 4500, AH, and ESP) only from these aliases.
- Disable Default VPN Policies: Turn off built-in IPSec policies that allow all incoming VPN connections.
This workaround minimizes exposure until the device can be updated with the official patch.
WatchGuard’s advisory (WGSA-2025-00015) warns:
“An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 with dynamic gateway peers.”
The company encourages users to apply the security updates without delay because the high severity score makes the vulnerability particularly dangerous. Additionally, users show vigilance in managing VPN security, especially configurations involving IKEv2 VPN.
Organizations using WatchGuard Firebox devices should prioritize upgrading to patched Fireware OS versions to mitigate the risks associated with CVE-2025-9242.
