Over 75,000 WatchGuard devices remain vulnerable to critical RCE vulnerability

21.10.2025 2 minutes Author: Newsman

More than 75,000 WatchGuard Firebox firewalls worldwide remain vulnerable to CVE-2025-9242, a critical flaw that lets an unauthenticated attacker execute arbitrary code on the device remotely. Although the vendor has released fixed firmware, tens of thousands of internet-facing devices still run affected versions. According to the latest scan by The Shadowserver Foundation, 75,835 WatchGuard Firebox devices exposed to the public internet are still running vulnerable firmware. The largest numbers are in the United States (24,500), Germany (7,300), Italy (6,800), the United Kingdom (5,400), Canada (4,100), and France (2,000).

CVE-2025-9242, rated CVSS 9.3, was disclosed on September 17, 2025. It affects the iked process in the Fireware OS firmware, the daemon that handles IKE negotiation for IKEv2 VPN connections.

The flaw is an out-of-bounds write: iked writes data beyond the buffer allocated for it. An attacker can trigger it with specially crafted IKEv2 packets sent to the device without any authentication, and by the vendor's assessment this is sufficient to take complete control of the appliance. The practical precondition is that the device accepts IKEv2 on an interface the attacker can reach, which is the case for most internet-facing deployments that terminate mobile user or branch office VPNs.

Affected Fireware OS versions:

  • 11.10.2 – 11.12.4_Update1

  • 12.0 – 12.11.3

  • 2025.1

The vendor recommends updating urgently to one of the fixed releases:

  • 2025.1.1

  • 12.11.4

  • 12.5.13

  • 12.3.1_Update3 (B722811)

Fireware OS 11.x is end of life and receives no fix, so the affected 11.x builds cannot be patched in place; users still on 11.x are advised to migrate to a currently supported Fireware OS release.

For devices that use Branch Office VPN with static gateway peers and cannot be updated immediately, WatchGuard has published a temporary workaround in its advisory that adjusts how the device handles IPSec and IKEv2 connections. It is a stopgap only; the fix is the firmware update.

WatchGuard Firebox is a series of enterprise security appliances that sit between internal and external networks, providing traffic control, VPN termination, security policy enforcement, and real-time analytics through WatchGuard Cloud. Experts say that such a large number of unpatched systems indicates systemic problems with update management in the corporate sector. Vulnerabilities like CVE-2025-9242 are especially dangerous for small and medium-sized business networks, where a Firebox is often the single point of defense at the network perimeter, so compromising it hands the attacker a foothold on the internal network.

Although no active exploitation had been recorded at the time of writing, researchers warn that vulnerabilities of this kind quickly find their way into the arsenal of cybercriminals, including ransomware operators. The WatchGuard Firebox case shows that widespread neglect of security updates can turn a perimeter device into an attack vector. Experts advise administrators to check their Fireware OS versions now and update to the fixed builds before the vulnerability is actively exploited.
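The check the experts recommend is easy to get wrong by hand, because the fixed builds listed above are not a single threshold: 12.5.13 and 12.3.1_Update3 are both numerically below 12.11.4 yet carry the fix, while 11.x has no fix at all. The script below, an added example that is not code from the article or from WatchGuard, encodes the affected and fixed version lists from this page and classifies each entry of a device inventory. The hostnames and versions in SAMPLE_INVENTORY are constructed for the example; the version-string forms it accepts ("12.11.3", "2025.1", "11.12.4_Update1", "12.3.1_Update3 (B722811)") are those that appear in the advisory lists above, and the status names are this example's own.

```python
import re
from typing import Dict, Tuple

# Fixed and affected builds exactly as listed in the advisory summary above.
PATCHED_2025 = (2025, 1, 1, 0)       # 2025.1.1
PATCHED_12_MAIN = (12, 11, 4, 0)     # 12.11.4
PATCHED_12_5 = (12, 5, 13, 0)        # 12.5.13 (separate maintenance branch)
PATCHED_12_3_1_UPDATE = 3            # 12.3.1_Update3 (B722811)
AFFECTED_11 = ((11, 10, 2, 0), (11, 12, 4, 1))  # 11.10.2 .. 11.12.4_Update1, inclusive

# Accepts "12.11.3", "2025.1", "11.12.4_Update1" and "12.3.1_Update3 (B722811)".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:_Update(\d+))?(?:\s*\(B\d+\))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Fireware OS version string into a comparable (major, minor, patch, update) tuple.

    Missing components are treated as 0, so "2025.1" becomes (2025, 1, 0, 0) and
    "12.3.1_Update3 (B722811)" becomes (12, 3, 1, 3). Unrecognised strings raise ValueError.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")] + [0, 0, 0]
    update = int(m.group(2) or 0)
    return (parts[0], parts[1], parts[2], update)


def assess(version: str) -> str:
    """Classify one version against the CVE-2025-9242 affected/fixed lists.

    Returns 'patched', 'vulnerable', 'vulnerable-eol' (an affected 11.x build, which has
    no fix), 'end-of-life' (any other 11.x build, unsupported either way) or 'not-listed'.
    """
    v = parse_version(version)
    major, minor, patch, update = v
    if major == 2025:
        # 2025.1 is the only affected release in this train; 2025.1.1 and later carry the fix.
        return "patched" if v >= PATCHED_2025 else "vulnerable"
    if major == 12:
        # Two maintenance branches have their own fix builds that are numerically below
        # 12.11.4, so they must be checked before the generic 12.x comparison.
        if (minor, patch) == (3, 1):
            return "patched" if update >= PATCHED_12_3_1_UPDATE else "vulnerable"
        if minor == 5:
            return "patched" if v >= PATCHED_12_5 else "vulnerable"
        # Everything from 12.0 up to 12.11.3 is affected; 12.11.4 and later are fixed.
        return "patched" if v >= PATCHED_12_MAIN else "vulnerable"
    if major == 11:
        lo, hi = AFFECTED_11
        return "vulnerable-eol" if lo <= v <= hi else "end-of-life"
    return "not-listed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its status; unparsable entries are reported, not silently skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "unparsable"
    return result


# Constructed sample inventory: hypothetical hostnames and versions, not real devices.
SAMPLE_INVENTORY = {
    "fw-hq": "12.11.3",
    "fw-branch-1": "12.11.4",
    "fw-branch-2": "12.5.13",
    "fw-branch-3": "12.5.12",
    "fw-fips": "12.3.1_Update3 (B722811)",
    "fw-fips-old": "12.3.1_Update2",
    "fw-lab": "2025.1",
    "fw-lab-new": "2025.1.1",
    "fw-legacy": "11.12.4_Update1",
    "fw-ancient": "11.9.1",
    "fw-bad-entry": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:26} {status}")
```

Feed it the version column from whatever inventory you keep (WatchGuard Cloud export, CMDB, or a scan), and treat anything that is not 'patched' as work: 'vulnerable' means update, the two 11.x statuses mean the device needs a migration rather than a patch, and 'unparsable' means the inventory field itself needs fixing before you can trust the result.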
