On September 17, 2025, WatchGuard issued a security advisory disclosing CVE-2025-9242, a critical vulnerability in its Firebox firewall appliances running Fireware OS. WatchGuard released patches in Fireware OS versions:
- 12.3.1_Update3 (B722811)
- 12.5.13
- 12.11.4
- 2025.1.1
The vulnerability affects Fireware OS versions 11.x (end-of-life), 12.x, and 2025.1, and is described as an out-of-bounds write condition. It could allow remote execution of malicious code and was rated with a Common Vulnerability Scoring System (CVSS) score of 9.3 out of 10.
The issue is in the Internet Key Exchange version 2 (IKEv2) VPN component. Specifically, it’s within the IKED process, a daemon that implements the IKEv2 protocol to establish and maintain secure Internet Protocol Security (IPSec) tunnels. Devices are vulnerable if configured with either mobile user VPN or branch office VPN using IKEv2 with a dynamic gateway peer. Notably, even if these configurations have been deleted, systems may remain exposed if a branch office VPN to a static gateway peer is still active.
As of September 18, 2025, no public proof-of-concept (PoC) exploit for CVE-2025-9242 has been observed, nor any indication of exploitation. However, WatchGuard has emphasized the urgency of patching, citing the attractiveness of firewall vulnerabilities to threat actors.
WatchGuard has provided a workaround for organizations unable to immediately apply patches. This includes disabling dynamic peer branch office VPNs, implementing new firewall policies, and disabling default system policies that handle VPN traffic. Detailed instructions are available in WatchGuard’s support documentation on securing access to branch office VPNs using IPSec and IKEv2.
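The two facts above that decide whether a given Firebox is exposed are the running Fireware OS release and the shape of its VPN configuration. The following script is an added example written for this write-up, not WatchGuard's code or tooling, that turns both into an inventory triage: it classifies a version string against the fixed releases listed in the advisory, and flags the vulnerable configuration pattern (IKEv2 with a dynamic gateway peer, or a still-active static-peer branch office VPN on a device that previously had one). The `Firebox` and `VpnTunnel` records and the sample inventory are constructed for the example and are not a WatchGuard export format; 12.x branches for which the advisory lists no fixed release are reported as `no-fix-listed` rather than guessed at.

```python
"""Exposure triage for CVE-2025-9242 across a WatchGuard Firebox inventory.

Added example, not WatchGuard code. Inventory record format is constructed.
"""
import re
from dataclasses import dataclass, field

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (12, 5): (12, 5, 13),
    (12, 11): (12, 11, 4),
    (2025, 1): (2025, 1, 1),
}
# 12.3.1 is fixed by a hotfix ("Update3", build B722811) rather than a new
# version number, so it is matched on the build string instead.
FIXED_1231_BUILD = "B722811"


def parse_version(text):
    """'12.11.4' -> (12, 11, 4); '12.3.1_Update3 (B722811)' -> (12, 3, 1)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def version_status(text):
    """One of 'patched', 'vulnerable', 'no-fix-listed', 'not-in-scope'."""
    ver = parse_version(text)
    major, minor = ver[0], ver[1]
    in_scope = major in (11, 12) or (major, minor) == (2025, 1)
    if not in_scope:
        return "not-in-scope"      # advisory names 11.x, 12.x and 2025.1 only
    if major == 11:
        return "vulnerable"        # end-of-life branch, no fix published
    if ver == (12, 3, 1):
        return "patched" if FIXED_1231_BUILD in text else "vulnerable"
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # Assumption: the advisory lists no fixed release for this 12.x branch,
        # so the device must move to one of the listed fixed releases.
        return "no-fix-listed"
    return "patched" if ver >= fixed else "vulnerable"


@dataclass
class VpnTunnel:
    kind: str            # "muvpn" (mobile user VPN) or "bovpn" (branch office VPN)
    ike_version: int     # 1 or 2
    peer: str            # "dynamic" or "static" gateway peer
    active: bool = True  # False once the tunnel has been deleted or disabled


@dataclass
class Firebox:
    name: str
    fireware: str
    tunnels: list = field(default_factory=list)


def config_exposure(box):
    """Reasons the VPN configuration matches the vulnerable pattern (empty if none)."""
    reasons = []
    active = [t for t in box.tunnels if t.active]
    ikev2_dynamic = [t for t in box.tunnels if t.ike_version == 2 and t.peer == "dynamic"]
    if any(t.active for t in ikev2_dynamic):
        reasons.append("active IKEv2 VPN with a dynamic gateway peer")
    # Deleting the dynamic-peer configuration is not enough while a BOVPN to a
    # static gateway peer remains active on the same device.
    if ikev2_dynamic and any(t.kind == "bovpn" and t.peer == "static" for t in active):
        reasons.append("static-peer BOVPN active alongside a current or former "
                       "IKEv2 dynamic-peer VPN")
    return reasons


def triage(box):
    """Return (version status, exposure reasons, recommended action)."""
    status = version_status(box.fireware)
    reasons = config_exposure(box)
    if status in ("patched", "not-in-scope"):
        action = "no action"
    elif reasons:
        action = "patch now; apply workaround until patched"
    else:
        action = "patch"
    return status, reasons, action


def report(inventory):
    return {box.name: triage(box) for box in inventory}


INVENTORY = [  # constructed sample data
    Firebox("fw-hq", "12.11.3", [VpnTunnel("bovpn", 2, "dynamic"),
                                 VpnTunnel("bovpn", 2, "static")]),
    Firebox("fw-branch", "12.11.4", [VpnTunnel("bovpn", 2, "dynamic")]),
    Firebox("fw-legacy", "12.3.1", [VpnTunnel("muvpn", 2, "dynamic", active=False),
                                    VpnTunnel("bovpn", 1, "static")]),
    Firebox("fw-lab", "12.7.2", [VpnTunnel("bovpn", 1, "static")]),
    Firebox("fw-eol", "11.12.4", []),
]

if __name__ == "__main__":
    for name, (status, reasons, action) in report(INVENTORY).items():
        print(f"{name:10} {status:14} {action:42} {'; '.join(reasons)}")
```

The `fw-legacy` entry shows the case the advisory calls out: its IKEv2 dynamic-peer mobile user VPN has been removed, but a static-peer branch office VPN is still active, so the device is still reported as exposed until it is patched. Version handling is deliberately conservative; a build string that does not contain the Update3 build number is treated as unpatched even if it says 12.3.1.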
Analyst insight
WatchGuard devices were previously targeted in a 2022 campaign, which was attributed to Russian state actors exploiting an earlier flaw in Firebox and XTM appliances.
Given the nature of this flaw and the critical rating, its exploitation could lead to a full compromise of affected firewall devices, lateral movement, and potential deployment of ransomware. Vulnerabilities in VPN gateways are often exploited within days of disclosure.
We recommend assessing exposure immediately: prioritize patching across all Firebox deployments and validate VPN configurations. Even legacy or previously removed settings may leave systems vulnerable.
To prevent exploitation of VPN vulnerabilities, organizations should ensure timely updates across all firewall and VPN appliances, disable unused or legacy VPN configurations, and enforce multi-factor authentication for remote access.
Reducing exposed services, segmenting network access, and applying least privilege principles can limit lateral movement in case of compromise.
Having a tested incident response plan tailored to VPN compromise scenarios ensures rapid containment and recovery when an intrusion happens.
Field Effect MDR ensures continuous monitoring of VPN logs and traffic for anomalies, combined with alerts on vulnerable systems and configurations, helping detect early signs of intrusion.