Cybersecurity Threat Advisory: Critical WatchGuard firewall vulnerability


A critical vulnerability, CVE-2025-9242, has been identified in WatchGuard Firebox network security appliances. The flaw lets an unauthenticated attacker who can reach an affected device's IKEv2 VPN service from the public internet execute code on it. Review the details in this Cybersecurity Threat Advisory to understand the potential impact and learn how to protect your systems effectively.

What is the threat?

CVE-2025-9242 has a CVSS score of 9.3 and affects the IKEv2 VPN connection handler in WatchGuard Firebox appliances. It stems from an out-of-bounds write in the Fireware OS iked process, which handles IKEv2 key exchanges.

An attacker exploits the flaw by sending a specially crafted IKEv2 packet to an exposed device, triggering a stack-based buffer overflow in the handler. Because the vulnerable code runs before any authentication takes place, no VPN credentials or prior access are needed, which makes this a serious risk for organizations that rely on these devices for perimeter security.

Why is it noteworthy?

The vulnerability affects multiple Fireware OS release lines, including 11.x, 12.x, and 2025.1, across a wide range of Firebox models, from small-office units such as the T15 to enterprise-grade appliances such as the M5800, and including Firebox virtual appliances.

A device is at risk if it is configured for mobile user VPN with IKEv2, or for a branch office VPN to a dynamic gateway peer. Removing those configurations is not enough on its own: a device that still has a branch office VPN to a static gateway peer configured may remain vulnerable, so reconfiguration is a stopgap and patching is the fix.

Security researchers have also demonstrated a reliable way to fingerprint the exact Fireware OS version with a single UDP packet, which lets an attacker pick out vulnerable devices from an internet-wide scan without touching the vulnerable code path.
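Two things in this advisory are easier to see in code: what a single unauthenticated IKE_SA_INIT exchange hands a scanner for free (the Vendor ID payloads a fingerprinting probe can key on), and what separates an out-of-bounds write in a payload handler from a safe one. The following is an added example and is not WatchGuard code, the researchers' tooling, or an exploit: it is a minimal IKEv2 (RFC 7296) payload walker over a constructed IKE_SA_INIT response, plus a vulnerable and a hardened handler for an Identification payload. The 64-byte buffer, the payload contents, and the vendor ID strings are constructed for illustration; the mapping from a device's vendor IDs to a Fireware OS version is not on this page and is not in the code.

```c
/*
 * Added example (not WatchGuard's code): a minimal IKEv2 (RFC 7296) payload
 * walker used to (1) pull Vendor ID payloads out of a constructed IKE_SA_INIT
 * response, the kind of unauthenticated single-packet data a fingerprint keys
 * on, and (2) contrast an unchecked copy with a bounds-checked one.
 * Buffer size, payload contents and vendor ID strings are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_HDR_LEN      28   /* fixed IKEv2 header */
#define IKE_PL_HDR_LEN   4    /* generic payload header: next, flags, length */
#define IKE_PL_NONE      0
#define IKE_PL_IDI       35   /* Identification - Initiator */
#define IKE_PL_VID       43   /* Vendor ID */
#define IKE_EXCH_SA_INIT 34

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

typedef void (*payload_cb)(uint8_t type, const uint8_t *data, size_t len, void *ctx);

/* Walks the payload chain of one datagram. Returns the payload count, or -1 if
 * any attacker-controlled length field would read past the datagram. */
int ike2_walk_payloads(const uint8_t *pkt, size_t pktlen, payload_cb cb, void *ctx)
{
    if (pktlen < IKE_HDR_LEN || (pkt[17] >> 4) != 2) return -1; /* major version 2 */
    if (rd32(pkt + 24) != pktlen) return -1;  /* header Length must match datagram */
    uint8_t next = pkt[16];
    size_t off = IKE_HDR_LEN;
    int count = 0;
    while (next != IKE_PL_NONE) {
        if (pktlen - off < IKE_PL_HDR_LEN) return -1;
        uint16_t plen = rd16(pkt + off + 2);
        if (plen < IKE_PL_HDR_LEN || plen > pktlen - off) return -1;
        cb(next, pkt + off + IKE_PL_HDR_LEN, plen - IKE_PL_HDR_LEN, ctx);
        count++;
        next = pkt[off];          /* next-payload byte of this payload */
        off += plen;
    }
    return count;
}

#define ID_BUF_LEN 64  /* illustrative size; the real Fireware buffer is not given here */

/* Vulnerable pattern: the payload length is never compared to the destination,
 * so an ID payload longer than ID_BUF_LEN writes past the stack buffer. */
int handle_id_vulnerable(const uint8_t *data, size_t len)
{
    uint8_t id[ID_BUF_LEN];
    memcpy(id, data, len);    /* out-of-bounds write when len > ID_BUF_LEN */
    return (int)len;
}

/* Hardened: refuse anything that does not fit before touching the buffer. */
int handle_id_hardened(const uint8_t *data, size_t len)
{
    uint8_t id[ID_BUF_LEN];
    if (len > sizeof id) return -1;
    memcpy(id, data, len);
    return (int)len;
}

#define MAX_VIDS 4
#define VID_STR_LEN 32
struct scan_result {
    char vids[MAX_VIDS][VID_STR_LEN]; /* vendor IDs as text (constructed sample uses ASCII) */
    int nvids;
    int oversize_ids;                 /* ID payloads the hardened handler refused */
};

static void collect(uint8_t type, const uint8_t *data, size_t len, void *ctx)
{
    struct scan_result *r = ctx;
    if (type == IKE_PL_VID && r->nvids < MAX_VIDS) {
        size_t n = len < VID_STR_LEN - 1 ? len : VID_STR_LEN - 1;
        memcpy(r->vids[r->nvids], data, n);
        r->vids[r->nvids][n] = '\0';
        r->nvids++;
    } else if (type == IKE_PL_IDI && handle_id_hardened(data, len) < 0) {
        r->oversize_ids++;
    }
}

struct pl { uint8_t type; const uint8_t *data; size_t len; };

/* Serialises a constructed IKE_SA_INIT response carrying the given payloads. */
size_t ike2_build(uint8_t *out, size_t cap, const struct pl *pls, int n)
{
    size_t total = IKE_HDR_LEN;
    for (int i = 0; i < n; i++) total += IKE_PL_HDR_LEN + pls[i].len;
    if (total > cap) return 0;
    memset(out, 0, IKE_HDR_LEN);                 /* SPIs left zero: constructed sample */
    out[16] = n ? pls[0].type : IKE_PL_NONE;
    out[17] = 0x20;                              /* version 2.0 */
    out[18] = IKE_EXCH_SA_INIT;
    out[19] = 0x20;                              /* Response flag */
    out[24] = (uint8_t)(total >> 24); out[25] = (uint8_t)(total >> 16);
    out[26] = (uint8_t)(total >> 8);  out[27] = (uint8_t)total;
    size_t off = IKE_HDR_LEN;
    for (int i = 0; i < n; i++) {
        uint16_t plen = (uint16_t)(IKE_PL_HDR_LEN + pls[i].len);
        out[off] = (i + 1 < n) ? pls[i + 1].type : IKE_PL_NONE;
        out[off + 1] = 0;
        out[off + 2] = (uint8_t)(plen >> 8); out[off + 3] = (uint8_t)plen;
        memcpy(out + off + IKE_PL_HDR_LEN, pls[i].data, pls[i].len);
        off += plen;
    }
    return total;
}

/* Builds the constructed sample (two vendor IDs, one oversize ID payload) and
 * scans it. Returns the payload count, or -1 on a malformed packet. */
int scan_sample(struct scan_result *r)
{
    static const uint8_t vid_a[] = "constructed-vendor-id-A";
    static const uint8_t vid_b[] = "constructed-vendor-id-B";
    uint8_t long_id[200];
    memset(long_id, 'A', sizeof long_id);
    struct pl pls[3] = {
        { IKE_PL_VID, vid_a, sizeof vid_a - 1 },
        { IKE_PL_VID, vid_b, sizeof vid_b - 1 },
        { IKE_PL_IDI, long_id, sizeof long_id },
    };
    uint8_t pkt[512];
    size_t n = ike2_build(pkt, sizeof pkt, pls, 3);
    memset(r, 0, sizeof *r);
    return ike2_walk_payloads(pkt, n, collect, r);
}

int main(void)
{
    struct scan_result r;
    int n = scan_sample(&r);
    printf("payloads=%d vendor_ids=%d oversize_ids=%d\n", n, r.nvids, r.oversize_ids);
    for (int i = 0; i < r.nvids; i++) printf("  VID: %s\n", r.vids[i]);
    uint8_t small[8] = {0};  /* the vulnerable handler is only exercised with data that fits */
    printf("vulnerable handler on a short ID: %d\n", handle_id_vulnerable(small, sizeof small));
    return 0;
}
```

The walker rejects the packet as a whole when a length field points past the datagram; the hardened handler rejects an individual payload that would not fit its buffer. The vulnerable handler is the shape of bug this advisory describes in general terms, not a reconstruction of the Fireware code: every byte it copies is chosen by the unauthenticated peer, and the only thing missing is the one comparison.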

What is the exposure or risk?

Exploitation requires nothing more than the ability to send IKEv2 traffic (UDP 500, or UDP 4500 when NAT traversal is in use) to an exposed device; no credentials, VPN account, or prior foothold is needed. Proof-of-concept details for flaws of this class tend to circulate quickly, often before exploitation in the wild is reported, so patching and verifying Fireware OS versions should not wait for confirmation of active attacks.

What are the recommendations?

Barracuda recommends the following steps to mitigate the risk from this vulnerability:

  • Verify that every WatchGuard Firebox device, including virtual appliances, is running a Fireware OS version that WatchGuard lists as fixed for CVE-2025-9242, and inventory exposed devices by version rather than assuming a model is out of scope.
  • Where a device cannot be patched immediately, disable mobile user VPN with IKEv2 and any branch office VPN to a dynamic gateway peer, and treat a remaining branch office VPN to a static gateway peer as still exposed until the device is patched.
  • Restrict IKE traffic (UDP 500 and 4500) at the edge to known peer addresses, and do not expose VPN services or management interfaces to the public internet unless there is a need for it.
  • Review mobile user VPN and branch office VPN configurations so that each tunnel grants only the access its users and peers require.
  • Enforce MFA for management access where possible and tighten authentication requirements for VPN endpoints.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
