WatchGuard has issued a security advisory addressing a critical vulnerability in its Fireware OS, tracked as CVE-2025-9242 with a CVSS v4 score of 9.3. The flaw resides in the iked process and could allow a remote unauthenticated attacker to execute arbitrary code on vulnerable Firebox devices.
According to the advisory, “An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code.”
The issue affects Fireboxes configured for mobile user VPN with IKEv2, or for a branch office VPN using IKEv2 to a dynamic gateway peer.
Importantly, even if those configurations have been deleted, systems may remain exposed. The advisory warns: “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”
The vulnerability affects the following Fireware OS versions:
- 11.10.2 up to and including 11.12.4_Update1
- 12.0 up to and including 12.11.3
- 2025.1
WatchGuard has released updates to address the issue:
- 2025.1.1
- 12.11.4
- 12.5.13 (T15 & T35 models)
- 12.3.1_Update3 (B722811) – FIPS-certified release
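The two lists above are easy to misread when checking an inventory by hand: 12.5.13 and 12.3.1_Update3 sit numerically inside the "12.0 up to and including 12.11.3" range yet are fixed releases, so a naive range comparison flags patched devices. The following triage helper is an added example, not code from WatchGuard or the advisory; it parses Fireware OS version strings in the formats the advisory uses (including the `_UpdateN` suffix and the `(Bnnnnnn)` build tag), checks the fixed list before the affected ranges, and runs over a constructed sample inventory with hypothetical hostnames.

```python
import re
from typing import Iterable, List, Tuple

# Affected ranges from the advisory, as (low inclusive, high inclusive).
# "2025.1" is a single release, so it is expressed as a one-element range.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

# Fixed releases from the advisory. 12.5.13 (T15/T35 only) and 12.3.1_Update3
# (FIPS) fall numerically inside the 12.0 - 12.11.3 range, so they must be
# checked before the range test or they will be reported as vulnerable.
FIXED_VERSIONS = {"2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3"}

_BUILD_TAG_RE = re.compile(r"\s*\(B\d+\)$")
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_version(s: str) -> Tuple[Tuple[int, ...], int]:
    """Parse 'major.minor[.patch][_UpdateN] [(Bnnnnnn)]' into a comparable key.

    Numeric components are padded to four places so that 12.0 compares as
    12.0.0.0; the Update number is a secondary key so 11.12.4 < 11.12.4_Update1.
    """
    canonical = _BUILD_TAG_RE.sub("", s.strip())
    m = _VERSION_RE.match(canonical)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {s!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    update = int(m.group(2)) if m.group(2) else 0
    return (nums, update)


def is_vulnerable(version: str) -> bool:
    """True if the version is inside an affected range and is not a fixed release."""
    canonical = _BUILD_TAG_RE.sub("", version.strip())
    if canonical in FIXED_VERSIONS:
        return False
    key = parse_version(canonical)
    return any(parse_version(low) <= key <= parse_version(high)
               for low, high in AFFECTED_RANGES)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose Fireware OS version is in an affected range."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory: hostnames are hypothetical, versions are taken
# from the advisory's affected and fixed lists.
SAMPLE_INVENTORY = [
    ("fw-hq-1", "12.11.3"),
    ("fw-branch-a", "12.11.4"),
    ("fw-t35-store", "12.5.13"),
    ("fw-legacy", "11.12.4_Update1"),
    ("fw-fips", "12.3.1_Update3 (B722811)"),
    ("fw-lab", "2025.1"),
    ("fw-lab-2", "2025.1.1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected version, upgrade per advisory")
```

Version triage is necessary but not sufficient for this advisory: exposure also depends on the IKEv2 VPN configuration, and because a Firebox that once had the mobile user or dynamic-peer IKEv2 configuration may still be vulnerable after those settings are deleted, the current configuration should not be used to exclude a device that the version check flags.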
For customers unable to immediately apply patches, WatchGuard has provided a temporary mitigation path. “If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.”