- WatchGuard has patched a critical VPN vulnerability that allows remote code execution on Firebox firewalls
- CVE-2025-9242 affects dynamic gateway peer configurations, in some cases even after they have been removed
- No exploitation has been seen yet, but delayed patching leaves systems exposed to future targeted attacks
WatchGuard has fixed a critical-severity vulnerability affecting its Firebox firewalls and is urging users to apply the newly released patch without delay.
In a security advisory, the company said it addressed an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process, which "can allow an unauthenticated remote attacker to execute arbitrary code."
The vulnerability is said to affect both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. In addition, if the Firebox was previously configured with a Mobile User VPN with IKEv2 or a Branch Office VPN using IKEv2 to a dynamic gateway peer, and both configurations have since been deleted, the Firebox may still be vulnerable "if a Branch Office VPN to a static gateway peer is still configured."
Workaround
The vulnerability is now tracked as CVE-2025-9242 and was given a severity score of 9.2/10 (critical). It affects firewalls running Fireware OS 11.x (end of life), 12.x and 2025.1. The first fixed versions are 12.3.1_update3 (B722811), 12.5.13, 12.11.4 and 2025.1.1.
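To triage a fleet of Fireboxes against the version list above, the following check (an added example, not WatchGuard's own tooling) parses a Fireware OS version string and reports whether it is at or past the first fixed release. It assumes that a version in one of the long-term branches named in the advisory (12.3.x, 12.5.x) is compared against that branch's fix, that any other 12.x or 2025.x version must be at or past the newest fix for its major line (12.11.4, 2025.1.1), and that 11.x never counts as patched because it is end of life.

```python
import re

# First fixed Fireware OS release per branch, as listed in the advisory
# quoted above. 11.x is end of life and receives no fix.
FIXED = {
    (12, 3): (12, 3, 1, 3),     # 12.3.1_update3 (build B722811)
    (12, 5): (12, 5, 13, 0),
    (12, 11): (12, 11, 4, 0),
    (2025, 1): (2025, 1, 1, 0),
}

VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:_update(\d+))?(?:\s*\(B\d+\))?"
)


def parse_version(text):
    """Turn 'major.minor[.patch][_updateN] [(Bnnnn)]' into a comparable tuple.

    Missing patch or update components count as 0; the build id in
    parentheses is accepted but ignored for ordering.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def patched_for_cve_2025_9242(text):
    """Return True if this Fireware OS version includes the CVE-2025-9242 fix."""
    v = parse_version(text)
    major = v[0]
    if major == 11:
        return False  # end-of-life branch, no fix available
    # Long-term branches (12.3.x, 12.5.x) are fixed within the branch.
    branch_fix = FIXED.get(v[:2])
    if branch_fix is not None:
        return v >= branch_fix
    # Assumption: any other release on a major line must be at or past the
    # newest fix for that line (12.11.4 for 12.x, 2025.1.1 for 2025.x).
    line_fixes = [f for f in FIXED.values() if f[0] == major]
    if not line_fixes:
        return False  # unknown major line: treat as unpatched until confirmed
    return v >= max(line_fixes)
```

Run it over the version strings your inventory or WatchGuard Cloud exports for each device; anything that returns False is still exposed and should be patched or given the workaround below.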
Those who cannot apply the fix immediately can implement a workaround that involves disabling dynamic-peer BOVPNs, adding new firewall policies, and disabling the default system policies that handle VPN traffic.
So far there has been no evidence of in-the-wild abuse.
However, many criminals only begin looking for vulnerabilities after a patch is released, knowing that organizations rarely patch in time and often leave their systems exposed for extended periods.
For example, in early 2025, threat actors exploited a Fortinet FortiGate vulnerability, tracked as CVE-2022-42475, more than a year after its disclosure.
Despite the available patches, many devices remained exposed, while the attackers used symbolic links to maintain stealthy access and extract credentials and configuration data.
Via BleepingComputer