WatchGuard Firebox vulnerability allows remote code execution
Take action: If you're using WatchGuard Firebox firewalls, immediately upgrade to the latest patched versions (2025.1.1, 12.11.4, or the appropriate version for your model), because the flaw can be exploited remotely without authentication. Isolating the device doesn't really help, since these appliances are designed to face the internet. If you're running unsupported 11.x versions, either migrate to supported firmware immediately or shut down these devices, since no patches are available for them.
Learn More
WatchGuard Technologies has addressed a critical security vulnerability in its Firebox firewall appliances that allows attackers to execute arbitrary code on vulnerable systems.
This vulnerability, tracked as CVE-2025-9242 (CVSS score 9.3), is an out-of-bounds write flaw in the WatchGuard Fireware OS iked process. That process is responsible for handling IKE protocol operations used to establish secure VPN connections.
An attacker can exploit this flaw without any authentication by sending specially crafted data to a vulnerable device, leading to complete system compromise.
Affected devices
- Fireware OS 11.10.2 up to and including 11.12.4_Update1, versions 12.0 up to and including 12.11.3, and the recent 2025.1 release.
- WatchGuard Firebox models including T15, T20, T25, T35, T40, T45, T55, T70, T80, T85 series, as well as M-series appliances (M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800), Firebox Cloud, Firebox NV5, FireboxV, and newer models including T115-W, T125, T125-W, T145, T145-W, and T185.
- WatchGuard Firebox devices configured with mobile user VPN using the IKEv2 protocol.
- Firebox devices configured with branch office VPN using IKEv2 with dynamic gateway peers.
- Devices previously configured with either vulnerable VPN type remain affected, even after those configurations have been deleted, if a branch office VPN to a static gateway peer is still active.
WatchGuard has released patches for all affected product lines. Organizations should immediately upgrade to the appropriate resolved versions:
- Fireware OS 2025.1.1 for newer appliances, version 12.11.4 for most 12.x installations, version 12.5.13 specifically for T15 and T35 models, and version 12.3.1_Update3 (build B722811) for FIPS-certified deployments.
- For organizations running older 11.x versions, WatchGuard has discontinued support for these releases. Organizations should migrate to supported versions or shut down these devices.
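As an added example (not part of the advisory or any WatchGuard tooling), the following Python helper encodes the affected and resolved version ranges listed above so that an inventory of Firebox firmware strings can be triaged. The version-string format it parses (e.g. `12.11.4`, `2025.1`, `12.3.1_Update3`) and the `model`/`fips` inputs are assumptions made here.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, update)

# Affected ranges quoted from the advisory. An "_UpdateN" suffix sorts after
# the bare release it patches, so 11.12.4_Update1 > 11.12.4.
AFFECTED_RANGES = [
    ((11, 10, 2, 0), (11, 12, 4, 1)),    # 11.10.2 .. 11.12.4_Update1 (unsupported, no fix)
    ((12, 0, 0, 0), (12, 11, 3, 0)),     # 12.0 .. 12.11.3
    ((2025, 1, 0, 0), (2025, 1, 0, 0)),  # 2025.1
]

# Assumed version-string format: "12.11.4", "2025.1", "12.3.1_Update3" (suffix case-insensitive).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> Version:
    """Turn a Fireware OS version string into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))

# Resolved versions named in the advisory; they count as patched even though
# 12.5.13 and 12.3.1_Update3 fall numerically inside an affected range.
FIXED_VERSIONS = {parse_version(s) for s in ("2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3")}

def recommended_fix(v: Version, model: str, fips: bool) -> Optional[str]:
    """Resolved version the advisory names for this branch/model; None means no patch exists (11.x)."""
    if v[0] == 11:
        return None  # 11.x is unsupported: migrate or decommission
    if v[0] == 2025:
        return "2025.1.1"
    if fips:
        return "12.3.1_Update3"
    if model.upper() in {"T15", "T35"}:
        return "12.5.13"
    return "12.11.4"

def assess(version: str, model: str = "", fips: bool = False) -> Dict[str, Optional[str]]:
    """Classify one appliance's firmware against the CVE-2025-9242 ranges."""
    v = parse_version(version)
    if v in FIXED_VERSIONS:
        return {"status": "patched", "upgrade_to": None}
    if not any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return {"status": "outside advisory ranges", "upgrade_to": None}
    return {"status": "vulnerable", "upgrade_to": recommended_fix(v, model, fips)}
```

Feed it each device's firmware string (and model, or `fips=True` for FIPS-certified deployments) from your asset inventory; a `None` upgrade target on a vulnerable 11.x device means the only options are migration or shutdown.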
Update: as of 16 October 2025, WatchGuard has released a detailed analysis and PoC examples.
As of 20 October, scans from The Shadowserver Foundation show 75,835 vulnerable Firebox appliances across the world, mostly in Europe and North America. The United States has 24,500 endpoints, Germany 7,300, Italy 6,800, the United Kingdom 5,400, Canada 4,100, and France 2,000.