- WatchGuard patched a critical VPN — value that allows the execution of remote code at Firebox Firewalls
- CVE-2025-9242 affects dynamic gateway-peer configurations even after removal in some cases
- No utilization seen yet but delayed patching leaf systems exposed to future targeted attacks
WatchGuard has established a vulnerability of critical severity that affects its Firebox Firewalls and encourages users to use the newly released patch without hesitation.
In a security advice, the company said it addressed a discrepating writing of vulnerability in the WatchGuard FireWare OS IKED process, which “can allow a remote unauthorized striker to perform arbitrary code”.
It is said that the vulnerability affects both the mobile uses VPN with IKEV2 and the VPN branch office using IKEV2 when configured with a dynamic gateway pepper. If the firebox was previously configured with the mobile user VPN with IKEV2 or a branch office VPN using IKEV2 for a dynamic gateway pepper and both configurations were subsequently removed, Firebox could still be vulnerable “If a branch office VPN for a static gateway -peer is still configured”.
Solution
Vulnerability is now traced as CVE-2025-9242 and got a severity of 9.2/10 (critical). It affects firewalls running Fireware OS 11.x (end of life), 12.x and 2025.1. The first pure version is 12.3.1_UPDATE3 (B722811), 12.5.13, 12.11.4 and 2025.1.1.
Those who are unable to use the correction can immediately insert a solution that includes deactivation of dynamic peer bovpns, addition of new firewall policies and deactivation of the standard system policies that handle VPN traffic.
So far, there has been no evidence of abuse in nature.
However, many criminals only begin to hunt for vulnerabilities after a patch is released, knowing that organizations rarely patch on time and often keep their systems postponed for extended periods.
For example, by the beginning of 2025, threat actors utilized a tiny Fortigate vulnerability traced as CVE-2022-42475, more than a year after its disclosure.
Despite available patches, many devices remained exposed, while attackers used symbolic links to maintain stealthy access, extract credentials and configuration data.
Via Bleeping computer
