- WatchGuard has patched a critical VPN vulnerability that allows remote code execution on Firebox firewalls
- CVE-2025-9242 affects Branch Office VPN and mobile user VPN configurations with dynamic gateway peers, and in some cases a Firebox stays vulnerable even after those configurations are deleted
- No exploitation has been observed yet, but delayed patching leaves systems exposed to future targeted attacks
WatchGuard has patched a critical-severity vulnerability affecting its Firebox firewalls and urges users to apply the newly released fix without delay.
In a security advisory, the company said it had addressed an out-of-bounds write vulnerability in the iked process of WatchGuard Fireware OS, which "may allow a remote unauthenticated attacker to execute arbitrary code".
The vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when they are configured with a dynamic gateway peer. In addition, if a Firebox was previously configured with Mobile User VPN with IKEv2 or a Branch Office VPN using IKEv2 to a dynamic gateway peer, and both configurations were later deleted, the Firebox may still be vulnerable "if a branch office VPN to a static gateway peer is still configured".
Workaround
The vulnerability is now tracked as CVE-2025-9242 and has received a 9.2/10 (critical) severity score. It affects firewalls running Fireware 11.x (end of life), 12.x and 2025.1. The first fixed versions are 12.3.1_update3 (B722811), 12.5.13, 12.11.4 and 2025.1.1.
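Because the fix lands on several parallel 12.x branches plus 2025.1, a plain "is my version newer than X" check gets the answer wrong for appliances on an older branch. The following script is an added example, not code from the article or from WatchGuard: it parses Fireware version strings and triages an inventory against the fixed releases listed above. The branch mapping (12.3.1 stays on 12.3.1_update3, 12.5.x on 12.5.13, every other 12.x branch moves to 12.11.4) and the sample inventory are assumptions made for the example; confirm the branch for your appliance model against the advisory.

```python
import re

# Fixed releases named in the advisory for CVE-2025-9242, as comparable tuples of
# (major, minor, patch, update). The build tag "(B722811)" on 12.3.1_update3 is
# informational and is not parsed.
FIXED_12_3_1 = (12, 3, 1, 3)    # 12.3.1_update3
FIXED_12_5 = (12, 5, 13, 0)     # 12.5.13
FIXED_12_11 = (12, 11, 4, 0)    # 12.11.4
FIXED_2025 = (2025, 1, 1, 0)    # 2025.1.1

# Accepts "12.11.3", "2025.1" and "12.3.1_Update3 (B722811)"; trailing text is ignored.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:_update(\d+))?", re.IGNORECASE)


def parse_fireware(version):
    """Parse a Fireware version string into a (major, minor, patch, update) tuple."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def required_fix(parsed):
    """Return the first fixed release for this version's branch, or None when the
    branch is not mapped here. The branch mapping is an assumption of this example."""
    major, minor, patch, _ = parsed
    if major == 12:
        if (minor, patch) == (3, 1):
            return FIXED_12_3_1
        if minor == 5:
            return FIXED_12_5
        return FIXED_12_11
    if major == 2025:
        return FIXED_2025
    return None


def assess(version):
    """Classify one version as 'patched', 'vulnerable', 'eol' (11.x, which is end of
    life and gets no fix) or 'unknown' (a branch this example does not map)."""
    parsed = parse_fireware(version)
    if parsed[0] == 11:
        return "eol"
    fix = required_fix(parsed)
    if fix is None:
        return "unknown"
    return "patched" if parsed >= fix else "vulnerable"


def triage(inventory):
    """Group an inventory of (hostname, version) pairs by status, preserving order."""
    result = {"patched": [], "vulnerable": [], "eol": [], "unknown": []}
    for host, version in inventory:
        result[assess(version)].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-hq-01", "12.11.4"),
    ("fw-hq-02", "12.11.3"),
    ("fw-branch-07", "12.5.12"),
    ("fw-lab-fips", "12.3.1_Update3 (B722811)"),
    ("fw-old-01", "11.12.4"),
    ("fw-cloud-01", "2025.1"),
    ("fw-cloud-02", "2025.1.1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Note that "2025.1" with no third component parses as 2025.1.0 and is reported as vulnerable, and that an 11.x appliance is reported as end of life rather than as patchable, since the advisory names no fixed 11.x release.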
Those unable to apply the fix right away can deploy a temporary workaround, which involves disabling dynamic-peer BOVPNs, adding new firewall policies, and disabling the default system policies that handle VPN traffic.
So far there is no evidence of in-the-wild exploitation.
However, many criminals only start hunting for vulnerable systems after a fix is released, knowing that organizations are often slow to patch and frequently leave their systems exposed for extended periods.
For example, in early 2025 threat actors exploited a Fortinet FortiGate vulnerability, tracked as CVE-2022-42475, more than a year after its disclosure.
Despite the available fixes, many devices remained exposed, and the attackers used symbolic links to maintain stealthy access and to extract credentials and configuration data.
Via BleepingComputer