
A critical remote-code execution (RCE) vulnerability in WatchGuard Firebox, tracked as CVE-2025-9242 with a CVSS score of 9.3, allows unauthenticated attackers to execute arbitrary code. Review the information in this Cybersecurity Threat Advisory to learn more.
What is the threat?
CVE-2025-9242 is an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted IKEv2 traffic, which may allow arbitrary code execution on an affected Firebox appliance. The vulnerability affects both mobile-user VPNs using IKEv2 and branch-office VPNs using IKEv2 when configured with a dynamic gateway peer.
Why is this noteworthy?
The bug affects perimeter firewalls: successful exploitation allows code execution on the appliance itself, which could give an attacker complete control of the device and a foothold inside the network it protects. Vendor and industry reporting highlight firewalls as high-value targets and recommend immediate remediation to prevent potential compromise.
Sophisticated threat actors have historically exploited WatchGuard appliances, often within weeks of disclosure, as seen during the Cyclops Blink malware campaign. At the time of the advisories, there were no confirmed reports of exploitation in the wild, but the severity and attack vector make rapid mitigation a priority.
What is the exposure or risk?
If left unpatched, WatchGuard Firebox devices running affected versions of Fireware OS (11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1) remain vulnerable when configured to use IKEv2 for mobile-user or branch-office VPNs with dynamic gateway peers. Removing those VPN configurations doesn’t eliminate the risk if a branch-office VPN still connects to a static gateway peer, as leftover static BOVPN peers may continue to expose the flaw. Successful exploitation would allow an unauthenticated attacker to execute arbitrary code on the firewall, potentially disrupting its protective functions and using it as a pivot to move deeper into the network.
What are the recommendations?
Barracuda recommends the following actions to secure your systems:
- Apply WatchGuard’s fixed firmware immediately. Upgrade to the patched Fireware OS versions published by WatchGuard (for example: 2025.1 → 2025.1.1; 12.x → 12.11.4; 12.5.x (T15 & T35) → 12.5.13; 12.3.1 (FIPS) → 12.3.1_Update3 (B722811)).
- If immediate patching isn’t feasible, implement WatchGuard’s interim workaround to reduce exposure. This includes disabling dynamic-peer BOVPNs, removing default IKEv2 policies, and applying the firewall rules recommended by the vendor.
- Audit VPN configurations and remove unused IKEv2 entries, especially static peers that may leave devices exposed.
- Begin monitoring for anomalous IKEv2 activity immediately and investigate any suspicious logs.
- After patching, validate that remediation steps were successful. Confirm the firmware version, apply the correct VPN policies, and review system logs to ensure stability.
Post-remediation validation checklist:
- Confirm device firmware matches patched version.
- Review VPN configuration and ensure no vulnerable IKEv2 settings remain.
- Verify that logging is enabled and review logs for post-update errors.
- Test VPN connectivity to confirm legitimate traffic flows are unaffected.
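As an added example (not from the advisory, WatchGuard or Barracuda), a Python check for the "confirm firmware matches patched version" step: it applies the affected ranges and fixed builds quoted above to an inventory of reported Fireware OS versions. It compares firmware only and cannot see whether IKEv2 VPNs are configured; because a version string does not reveal the model, it assumes that any device on the 12.5.x or 12.3.1 branch at or above 12.5.13 / 12.3.1_Update3 is one of the T15/T35 or FIPS builds those fixes apply to.

```python
import re
from typing import List, Tuple

# Affected ranges from the advisory, inclusive (major, minor, patch, update); _UpdateN -> update=N
AFFECTED_RANGES = [
    ((11, 10, 2, 0), (11, 12, 4, 1)),    # 11.10.2 through 11.12.4_Update1
    ((12, 0, 0, 0), (12, 11, 3, 0)),     # 12.0 through 12.11.3
    ((2025, 1, 0, 0), (2025, 1, 0, 0)),  # 2025.1
]

# Fixed builds from the advisory, keyed by branch prefix. The 12.5.13 and
# 12.3.1_Update3 entries are for T15/T35 and FIPS builds respectively; a
# version string cannot reveal the model, so (assumption) any device that
# reports that branch at or above the fixed build is treated as patched.
BRANCH_FIXES = [
    ((2025, 1), (2025, 1, 1, 0)),        # 2025.1 -> 2025.1.1
    ((12, 11), (12, 11, 4, 0)),          # 12.x -> 12.11.4
    ((12, 5), (12, 5, 13, 0)),           # 12.5.x (T15 & T35) -> 12.5.13
    ((12, 3, 1), (12, 3, 1, 3)),         # 12.3.1 (FIPS) -> 12.3.1_Update3
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '12.11.3', '11.12.4_Update1' or '2025.1'; a trailing build tag is ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))

def is_affected(version: str) -> bool:
    """True when the version is inside an affected range and not at/after a listed fix."""
    v = parse_version(version)
    if not any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return False
    return not any(v[:len(branch)] == branch and v >= fixed
                   for branch, fixed in BRANCH_FIXES)

# Constructed sample inventory (hostname, reported version); not real devices.
SAMPLE_INVENTORY = [("fw-hq", "12.11.3"), ("fw-t35", "12.5.13"), ("fw-lab", "2025.1"),
                    ("fw-fips", "12.3.1_Update2"), ("fw-new", "12.11.4")]

def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported firmware still needs the CVE-2025-9242 fix."""
    return [host for host, ver in inventory if is_affected(ver)]

if __name__ == "__main__":
    print("needs patching:", affected_hosts(SAMPLE_INVENTORY))  # ['fw-hq', 'fw-lab', 'fw-fips']
```

A device reported as not affected by this check can still be exposed through leftover static BOVPN peers, so pair it with the VPN configuration review above.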
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/watchguard-warns-of-critical-vulnerability-in-firebox-firewalls/
- https://nvd.nist.gov/vuln/detail/CVE-2025-9242
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.