WatchGuard Technologies has released a series of security advisories addressing five high-severity vulnerabilities across its Firebox product line. The flaws, which affect Fireware OS, could allow attackers to crash VPN services, execute arbitrary code, and inject malicious commands through the management interface.
The patches come as part of a broader security update for December 2025, urging administrators to upgrade their firmware immediately.
One of the most disruptive vulnerabilities, CVE-2025-11838 (CVSS 8.7), targets the IKEv2 (Internet Key Exchange) protocol used for VPN connections. The advisory warns that “a memory corruption vulnerability in WatchGuard Fireware OS may allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition” in both Mobile User VPNs and Branch Office VPNs.
This flaw is particularly dangerous for distributed organizations relying on VPNs for remote work, as an attacker could repeatedly crash the service without needing credentials.
Several flaws directly impact the Firebox management interface, a critical control plane for network administrators:
- XPath Injection (CVE-2025-1545): An unauthenticated attacker could exploit this vulnerability to “retrieve sensitive information from the Firebox configuration” via the web interface. This affects systems with authentication hotspots enabled.
- CLI Command Injection (CVE-2025-12026 & CVE-2025-12195): Two separate “Out-of-bounds Write” vulnerabilities were found in the Command Line Interface (CLI). These allow authenticated, privileged users to execute arbitrary code by crafting malicious commands within the certificate request or IPSec configuration modules. While these require authentication, they could allow a compromised admin account to gain deeper system access.
The vulnerabilities impact a wide range of Fireware OS versions, generally affecting:
- 12.x (up to 12.11.4)
- 12.5.x (up to 12.5.13)
- 2025.1 (up to 2025.1.2)
WatchGuard has released patched versions to resolve these issues. Administrators should upgrade to:
- Fireware OS 12.11.5
- Fireware OS 12.5.14 (for T15/T35 models)
- Fireware OS 2025.1.3
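For an inventory pass over many Fireboxes, the affected ranges and fixed releases listed above reduce to a per-branch version comparison. The following is an added example (not WatchGuard's code or the advisory's own tooling) that maps a reported Fireware OS version string to its branch and reports whether it still needs the December 2025 fix; it assumes any suffix after the dotted numeric part (such as an “_Update” tag) does not change the comparison.

```python
import re
from typing import Optional, Tuple

# Fixed releases from the advisory summary above, keyed by branch. The 12.5.x
# line (T15/T35 models) must be matched before the general 12.x line, since
# 12.5.13 would otherwise be treated as an ordinary 12.x version.
FIXED_VERSIONS = {
    "2025.1": "2025.1.3",
    "12.5": "12.5.14",
    "12": "12.11.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse the leading dotted numeric part of a Fireware version string.

    Assumption: trailing suffixes (e.g. '_Update1') are ignored for the
    comparison against the fixed release numbers in the advisory.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(version: Tuple[int, ...]) -> Optional[str]:
    """Map a parsed version to one of the advisory's branches, or None."""
    if version[:2] == (2025, 1):
        return "2025.1"
    if version[:2] == (12, 5):
        return "12.5"
    if version[:1] == (12,):
        return "12"
    return None  # not covered by this advisory's version ranges


def check_fireware(text: str) -> dict:
    """Report whether a running version precedes its branch's fixed release."""
    running = parse_version(text)
    branch = branch_of(running)
    if branch is None:
        return {"version": text, "branch": None, "vulnerable": None, "upgrade_to": None}
    fixed = parse_version(FIXED_VERSIONS[branch])
    # Pad both tuples so that "12.11" compares as 12.11.0 against 12.11.5.
    width = max(len(running), len(fixed))
    r = running + (0,) * (width - len(running))
    f = fixed + (0,) * (width - len(fixed))
    vulnerable = r < f
    return {"version": text, "branch": branch, "vulnerable": vulnerable,
            "upgrade_to": FIXED_VERSIONS[branch] if vulnerable else None}
```

A result with `branch` of `None` means the version is outside the ranges this advisory lists, not that it is safe.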