A critical WatchGuard Fireware vulnerability, CVE-2025-9242, was disclosed this month. It lets an unauthenticated attacker achieve remote code execution on affected Firebox devices that use IKEv2 with dynamic gateway peers, so patching promptly, or applying WatchGuard's interim mitigations where patching has to wait, is essential.
A critical out-of-bounds write in WatchGuard Fireware (CVE-2025-9242) can allow unauthenticated remote code execution.
WatchGuard has published fixes; updated Fireware builds are available. Apply the patch now.
If you can’t patch immediately, follow WatchGuard’s recommended workarounds (disable dynamic peer BOVPNs, tighten firewall policies, and limit which internet addresses can reach the device).
CVE-2025-9242 is an out-of-bounds write vulnerability in the iked process of WatchGuard’s Fireware OS that affects IKEv2 VPN configurations using dynamic gateway peers. In the worst case, an attacker on the internet could run code on the firewall without authenticating first.
WatchGuard’s advisory lists affected Fireware versions in the 11.x and 12.x lines and in the 2025.1 build.
A Firebox that once had an IKEv2 dynamic gateway peer configured can remain vulnerable after that peer is deleted if a static BOVPN using IKEv2 is still configured, so don’t assume deleting the dynamic peer fixed it; audit what remains.
WatchGuard released fixed versions. Update to the first clean build for your branch listed in the advisory (examples include 2025.1.1, 12.11.4, 12.5.13 and 12.3.1_Update3, depending on model). Check the advisory entry for your product and upgrade immediately.
If you cannot apply the patch right away, do the following now:
Disable dynamic peer BOVPNs until you can patch. This removes the vulnerable path, but a static IKEv2 BOVPN left in place after a dynamic peer was deleted can still leave the device exposed, so check what remains.
Add strict firewall rules to limit IKE and VPN traffic to known, trusted peer IPs only.
Keep management interfaces off the internet, and limit internet access to the device to what is essential.
Audit VPN configs — remove any unused IKEv2 profiles and confirm whether deleted configs left residual settings.
Monitor logs and alerts for unusual iked activity or signs of exploitation (unexpected reboots, new admin accounts, or unknown outbound connections).
Review firewall logs for anomalous iked behavior, spikes in VPN traffic, or unexpected IKE sessions, whether failed or successful.
Look for signs of post-exploitation: unexpected config changes, new admin users, or untracked outbound connections. If in doubt, escalate to your incident response team.
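The monitoring points above can be turned into a first-pass detection script. The following is an added example written for this page, not code from the article or from WatchGuard. The syslog-like line layout, the message wording, the hostnames and all IP addresses are constructed for the example; real Fireware log fields vary by version, so the regular expressions are the part to adapt to what your own devices emit. It flags three things the text asks you to look for: IKEv2 initiators outside a trusted peer allow-list, an iked crash loop, and admin-side changes that follow the IKE activity.

```python
"""Detection pass over firewall logs for the indicators listed above.

Added example, not code from the article or from WatchGuard. The syslog-like
layout ("<ISO timestamp> <host> <process>: <message>"), the message wording,
and all addresses are CONSTRUCTED; real Fireware log fields vary by version,
so the regexes are the part to adapt to what your devices actually emit.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: one trusted peer (203.0.113.10), one unknown peer that
# hammers IKE_SA_INIT while iked keeps dying, then an admin account appears.
SAMPLE_LOGS = """\
2025-09-18T08:00:01 fw-edge iked: IKEv2 IKE_SA_INIT received from 203.0.113.10:500
2025-09-18T08:00:02 fw-edge iked: IKEv2 IKE_SA_INIT received from 198.51.100.77:500
2025-09-18T08:00:03 fw-edge iked: IKEv2 IKE_SA_INIT received from 198.51.100.77:500
2025-09-18T08:00:04 fw-edge sysmgr: process iked exited unexpectedly, restarting
2025-09-18T08:00:09 fw-edge iked: IKEv2 IKE_SA_INIT received from 198.51.100.77:500
2025-09-18T08:00:10 fw-edge sysmgr: process iked exited unexpectedly, restarting
2025-09-18T08:00:15 fw-edge sysmgr: process iked exited unexpectedly, restarting
2025-09-18T08:02:30 fw-edge admd: user 'svc_backup' added with role Device Administrator
2025-09-18T08:02:45 fw-edge admd: configuration saved by svc_backup from 198.51.100.77
2025-09-18T09:30:00 fw-edge iked: IKEv2 IKE_SA_INIT received from 203.0.113.10:500
"""

# Assumed allow-list of the static BOVPN peers you actually expect (constructed).
TRUSTED_PEERS = ["203.0.113.10/32"]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+): (?P<msg>.*)$")
INIT_RE = re.compile(r"IKE_SA_INIT received from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
RESTART_RE = re.compile(r"process iked exited unexpectedly")
ADMIN_RE = re.compile(r"user '[^']+' added|configuration saved by")


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyze(lines, trusted_peers, restart_threshold=3, window=timedelta(minutes=5)):
    """Return counts of untrusted IKEv2 initiators, iked restarts, whether the
    restarts form a crash loop (>= restart_threshold inside `window`), and any
    admin-side changes worth correlating with the IKE activity."""
    trusted = [ip_network(p) for p in trusted_peers]
    untrusted = Counter()
    restarts = []
    admin_events = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if ev["proc"] == "iked":
            m = INIT_RE.search(msg)
            if m:
                ip = ip_address(m["ip"])
                if not any(ip in net for net in trusted):
                    untrusted[str(ip)] += 1
        elif RESTART_RE.search(msg):
            restarts.append(ev["ts"])
        elif ev["proc"] == "admd" and ADMIN_RE.search(msg):
            admin_events.append(msg)

    # Sliding window over restart timestamps: a daemon that keeps dying under
    # unsolicited IKE traffic is the kind of iked anomaly the text tells you to watch for.
    crash_loop = False
    for i, start in enumerate(restarts):
        j = i
        while j < len(restarts) and restarts[j] - start <= window:
            j += 1
        if j - i >= restart_threshold:
            crash_loop = True
            break

    return {
        "untrusted_peers": dict(untrusted),
        "iked_restarts": len(restarts),
        "iked_crash_loop": crash_loop,
        "admin_events": admin_events,
        # Crash loops and admin changes are escalation triggers; untrusted
        # initiators alone are a review item, because the internet scans IKE constantly.
        "escalate": crash_loop or bool(admin_events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS.splitlines(), TRUSTED_PEERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the script reports three IKE_SA_INIT attempts from the unknown peer, three iked restarts inside the five-minute window (a crash loop), and two admin events, so it recommends escalation; the first line alone, from the trusted peer, produces nothing. The escalation rule deliberately treats unknown initiators as a review item rather than an alert on their own, since internet-facing IKE endpoints see constant scanning; it is the combination with iked instability or a configuration change that should page someone.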
Identify Firebox models and Fireware versions in your estate.
Patch to vendor-recommended builds now.
If unable to patch, disable dynamic peer BOVPNs and tighten policies.
Audit VPN configs for residual exposures.
Increase logging, monitor for anomalies, and be ready to isolate affected devices.
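The first four checklist steps (inventory, patch, workaround, audit residual exposure) can be driven from a small triage script. The following is an added example written for this page, not code from the article or from WatchGuard. The fixed builds are the ones the article names (2025.1.1, 12.11.4, 12.5.13, 12.3.1_Update3); mapping a device to a release branch by its version prefix is an assumption made here, because the right target build is model-dependent, so confirm each device against WatchGuard's advisory before acting on the output. The inventory records, hostnames and peer settings are constructed.

```python
"""Fireware version triage for CVE-2025-9242.

Added example, not code from the article or from WatchGuard. The fixed builds
are the ones named in the article (2025.1.1, 12.11.4, 12.5.13, 12.3.1_Update3).
Mapping a device to a release branch by its version prefix is an ASSUMPTION
made here; the correct target build is model-dependent, so confirm each device
against WatchGuard's advisory before acting on the output. The inventory below
is constructed.
"""
import re

# First clean build per branch, keyed by the version prefix assumed to identify
# that branch. 11.x has no fixed build listed in the article, so it falls through.
FIXED_BUILDS = {
    "2025.1": "2025.1.1",
    "12.11": "12.11.4",
    "12.5": "12.5.13",
    "12.3.1": "12.3.1_Update3",
}

VERSION_RE = re.compile(r"^(?P<nums>\d+(?:\.\d+)*)(?:_Update(?P<upd>\d+))?$")


def parse_version(text):
    """'12.3.1_Update3' -> ((12, 3, 1), 3); '2025.1' -> ((2025, 1), 0).
    The tuples compare as intended: (12, 5, 12) < (12, 5, 13), and the
    _UpdateN suffix only breaks ties between otherwise equal numeric parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    nums = tuple(int(x) for x in m["nums"].split("."))
    return nums, int(m["upd"] or 0)


def branch_of(nums):
    """Return the FIXED_BUILDS key whose prefix matches, or None (assumption)."""
    for prefix in FIXED_BUILDS:
        p = tuple(int(x) for x in prefix.split("."))
        if nums[: len(p)] == p:
            return prefix
    return None


def triage(device):
    """Classify one device record (see INVENTORY for the expected keys)."""
    version = parse_version(device["version"])
    branch = branch_of(version[0])
    if branch and version >= parse_version(FIXED_BUILDS[branch]):
        return "patched"
    # Exposure as the article describes it: dynamic IKEv2 peers configured now,
    # or a deleted dynamic peer with a static IKEv2 BOVPN still configured.
    exposed = device["dynamic_peers"] or (
        device["had_dynamic_peers"] and device["static_ikev2"]
    )
    if not exposed:
        return "unpatched-no-listed-exposure"  # still upgrade on normal cadence
    if branch is None:
        return "vulnerable-upgrade-to-supported-branch"
    return f"vulnerable-upgrade-to-{FIXED_BUILDS[branch]}"


def triage_inventory(devices):
    """Map device name -> triage status for a whole estate."""
    return {d["name"]: triage(d) for d in devices}


# Constructed inventory: hostnames, versions and peer settings are made up.
INVENTORY = [
    {"name": "fw-hq", "version": "12.11.3", "dynamic_peers": True,
     "had_dynamic_peers": True, "static_ikev2": True},
    {"name": "fw-branch", "version": "12.11.4", "dynamic_peers": True,
     "had_dynamic_peers": True, "static_ikev2": True},
    {"name": "fw-legacy", "version": "12.5.12", "dynamic_peers": False,
     "had_dynamic_peers": True, "static_ikev2": True},
    {"name": "fw-fips", "version": "12.3.1_Update2", "dynamic_peers": False,
     "had_dynamic_peers": False, "static_ikev2": False},
    {"name": "fw-cloud", "version": "2025.1", "dynamic_peers": True,
     "had_dynamic_peers": True, "static_ikev2": False},
    {"name": "fw-old", "version": "11.12.4", "dynamic_peers": True,
     "had_dynamic_peers": True, "static_ikev2": True},
]

if __name__ == "__main__":
    for name, status in triage_inventory(INVENTORY).items():
        print(f"{name:10} {status}")
```

Two details matter in practice. The exposure test treats a device whose dynamic peer was deleted but which still has a static IKEv2 BOVPN as vulnerable, which is the residual case the article warns about (fw-legacy in the sample). And the version parser keeps the _UpdateN suffix as a separate tie-breaker, so 12.3.1_Update2 is correctly ranked below the fixed 12.3.1_Update3 rather than being treated as equal to it.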
Public advisories and patch releases make vulnerabilities attractive to attackers — historically, many threat actors scan for targets immediately after a patch notice. Even though WatchGuard said they’ve seen no evidence of active exploitation so far, that can change quickly. Prioritise patching to avoid becoming an easy target.