WatchGuard has issued a security advisory addressing a critical vulnerability in its Fireware OS, tracked as CVE-2025-9242 with a CVSS v4 score of 9.3. The flaw resides in the iked process, the daemon that handles IKE negotiation for the device's IPSec VPNs, and could allow a remote unauthenticated attacker to execute arbitrary code on vulnerable Firebox devices.
According to the advisory, "An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code."
The issue affects Fireboxes configured for mobile user VPN with IKEv2, or for branch office VPN using IKEv2 with a dynamic gateway peer.
Importantly, even if those configurations have since been deleted, a device may remain exposed. The advisory warns: "If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured."
The vulnerability affects the following Fireware OS versions:
- 11.10.2 up to and including 11.12.4_Update1
- 12.0 up to and including 12.11.3
- 2025.1
WatchGuard has released updates to address the issue:
- 2025.1.1
- 12.11.4
- 12.5.13 (T15 & T35 models)
- 12.3.1_Update3 (B722811), the FIPS-certified release
For customers unable to apply the patches immediately, WatchGuard has provided a temporary mitigation path: "If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard's recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround."
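The version ranges and configuration conditions above are easy to misread by hand, especially because two of the fixed releases (12.5.13 and 12.3.1_Update3) sit numerically inside the affected 12.0 to 12.11.3 range. The following triage script is an added example written for this article, not code from WatchGuard or the advisory. It parses Fireware version strings as they appear in the advisory (including `_UpdateN` suffixes and the `(B...)` build tag), checks them against the affected ranges and fixed releases, and combines that with the configuration conditions the advisory lists. One assumption not stated in the advisory is marked in the code: any release later than a fixed release on the same major.minor branch is treated as also carrying the fix. The device inventory at the bottom is constructed sample data, not real devices.

```python
import re
from typing import Tuple

# (major, minor, patch), update-number; the update number makes
# "11.12.4_Update1" sort after "11.12.4" and before "11.12.5".
Version = Tuple[Tuple[int, int, int], int]

# Matches "12.11.3", "11.12.4_Update1", "12.3.1_Update3 (B722811)", "2025.1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,2})(?:_Update(\d+))?(?:\s*\(B\d+\))?$")


def parse_version(text: str) -> Version:
    """Turn an advisory-style Fireware OS version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # "12.0" -> 12.0.0, "2025.1" -> 2025.1.0
    update = int(m.group(2) or 0)            # bare release is update 0
    return (parts[0], parts[1], parts[2]), update


# Affected ranges from the advisory, inclusive at both ends.
AFFECTED_RANGES = [
    (parse_version("11.10.2"), parse_version("11.12.4_Update1")),
    (parse_version("12.0"), parse_version("12.11.3")),
    (parse_version("2025.1"), parse_version("2025.1")),
]

# Releases that carry the fix. 12.5.13 (T15/T35 branch) and 12.3.1_Update3
# (FIPS branch) fall numerically inside 12.0-12.11.3, so they are checked
# before the ranges.
FIXED_RELEASES = [parse_version(v) for v in
                  ("2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3 (B722811)")]


def _same_branch(a: Version, b: Version) -> bool:
    return a[0][:2] == b[0][:2]


def is_vulnerable_version(text: str) -> bool:
    """True if the version is inside an affected range and not a fixed release.

    Assumption (not in the advisory, which lists only the exact fixed versions):
    anything later than a fixed release on the same major.minor branch is fixed too.
    """
    v = parse_version(text)
    if any(_same_branch(v, f) and v >= f for f in FIXED_RELEASES):
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(version: str,
           muvpn_ikev2: bool = False,
           bovpn_ikev2_dynamic_peer: bool = False,
           previously_had_ikev2_dynamic: bool = False,
           bovpn_static_peer: bool = False) -> str:
    """Combine the version check with the advisory's configuration conditions."""
    if not is_vulnerable_version(version):
        return "not-affected"
    if muvpn_ikev2 or bovpn_ikev2_dynamic_peer:
        return "vulnerable"                  # listed exposed configuration; upgrade
    if previously_had_ikev2_dynamic and bovpn_static_peer:
        return "possibly-vulnerable"         # deleted IKEv2 config, static BOVPN remains
    return "no-listed-exposure"              # still on a vulnerable build; upgrade anyway


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> version and config flags), not real devices.
    inventory = {
        "fw-branch-01": ("12.11.3", dict(bovpn_ikev2_dynamic_peer=True)),
        "fw-branch-02": ("12.11.3", dict(previously_had_ikev2_dynamic=True, bovpn_static_peer=True)),
        "fw-t35-lab":   ("12.5.13", dict(muvpn_ikev2=True)),
        "fw-fips-01":   ("12.3.1_Update2", dict(bovpn_static_peer=True)),
    }
    for host, (ver, cfg) in inventory.items():
        print(f"{host:14} {ver:22} {assess(ver, **cfg)}")
```

Run it as-is to see the verdict for each constructed device; in practice you would feed it the versions from your own Firebox inventory and the VPN configuration facts for each device, and treat "possibly-vulnerable" as a reason to upgrade rather than to rely on the static-peer workaround.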