Attack

CISA reports active exploitation of WatchGuard Firebox vulnerability

Take action: If you have WatchGuard Firebox firewalls, this is urgent! Immediately start updating to the patched versions (11.12.5, 12.11.4, or 2025.1.1, depending on your series). These devices are under active attack. If you can't update right away, temporarily disable IKEv2 VPN functionality until you can apply the patch, and deploy alternative VPN connectivity to keep operations running in the meantime.


Learn More

CISA is warning of active exploitation of a critical security vulnerability in WatchGuard Firebox firewalls that enables unauthenticated attackers to execute arbitrary code on the device.

The vulnerability, tracked as CVE-2025-9242 (CVSS score 9.3), is an out-of-bounds write flaw in the WatchGuard Fireware OS iked process. That process handles IKE protocol operations used to establish VPN connections, so the flaw is reachable by anyone who can send IKE traffic to the device's VPN interface.

The flaw impacts both mobile user VPN configurations using IKEv2 and branch office VPN tunnels using IKEv2 when configured with dynamic gateway peers. Devices that were previously configured with VPN setups but have since had those configurations deleted may still be vulnerable if branch office VPN connections to static gateway peers are still configured.

Vulnerable versions are Fireware OS 11.10.2 up to and including 11.12.4_Update1, versions 12.0 up to and including 12.11.3, and the 2025.1 release.

According to scan data from the Shadowserver Foundation, more than 54,300 Firebox instances remained vulnerable to CVE-2025-9242 as of November 12, 2025.

Organizations running WatchGuard Firebox should immediately upgrade all affected Fireware OS installations to patched versions:

  • For devices running Fireware OS 11.x, upgrade to version 11.12.5 or later.
  • For devices running Fireware OS 12.x, upgrade to version 12.11.4 or later.
  • For devices running Fireware OS 2025.1, upgrade to version 2025.1.1 or later.
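As an added example (not part of this advisory, and not WatchGuard's or CISA's tooling), the following Python helper checks reported Fireware OS version strings against the affected ranges and patched releases listed above and triages an inventory; the hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges exactly as the advisory states them, inclusive on both ends,
# as (major, minor, patch, update) tuples: "11.12.4_Update1" -> (11, 12, 4, 1),
# a plain "12.0" -> (12, 0, 0, 0).
AFFECTED = {
    11: ((11, 10, 2, 0), (11, 12, 4, 1)),
    12: ((12, 0, 0, 0), (12, 11, 3, 0)),
    2025: ((2025, 1, 0, 0), (2025, 1, 0, 0)),
}
FIXED = {11: "11.12.5", 12: "12.11.4", 2025: "2025.1.1"}  # minimum patched release
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse strings such as '12.11.3', '2025.1' or '11.12.4_Update1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))

def assess(text: str) -> Tuple[str, str]:
    """Return (status, action) for one device's reported Fireware OS version."""
    v = parse_version(text)
    if v[0] not in AFFECTED:
        return ("unlisted", "series not covered by the advisory; verify manually")
    low, high = AFFECTED[v[0]]
    if low <= v <= high:
        return ("vulnerable", f"upgrade to {FIXED[v[0]]} or later; disable IKEv2 until then")
    if v > high:
        return ("patched", "no action for CVE-2025-9242")
    return ("below-range", "older than the listed affected range; verify manually")

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Rows of (host, version, status, action), vulnerable devices listed first."""
    rows = [(host, ver, *assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: r[2] != "vulnerable")

# Constructed sample inventory: hypothetical hostnames, not from the advisory.
SAMPLE_INVENTORY = {
    "fw-branch-01": "12.11.3",
    "fw-hq-01": "11.12.4_Update1",
    "fw-lab-01": "2025.1",
    "fw-lab-02": "2025.1.1",
}
if __name__ == "__main__":
    for host, ver, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:18} {status:10} {action}")
```

Feed it the version strings your device management exports; anything reported as "vulnerable" needs the upgrade (or the IKEv2 workaround) from the list above.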

Organizations that can't immediately upgrade should disable IKEv2 VPN functionality. Since disabling IKEv2 will disrupt legitimate VPN connectivity, it should be considered a temporary measure pending full patch deployment.
