CVE-2025-9242:
WatchGuard Firebox Vulnerability Analysis and Mitigation
Overview
A critical out-of-bounds write vulnerability (CVE-2025-9242) was disclosed on September 17, 2025 in the iked process of WatchGuard Fireware OS, the daemon that handles IKE negotiation on Firebox firewall appliances. It allows a remote, unauthenticated attacker who can reach the Firebox's IKEv2 service to execute arbitrary code. It affects both mobile user VPN with IKEv2 and branch office VPN using IKEv2 when configured with a dynamic gateway peer. Affected versions are Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. The vulnerability carries a critical CVSS v4 score of 9.3 (WatchGuard Advisory, Arctic Wolf).
Technical details
The vulnerability is classified as an out-of-bounds write (CWE-787) in the iked process of WatchGuard Fireware OS. Deleting the IKEv2 mobile user VPN or dynamic-gateway branch office VPN configuration does not by itself remove the exposure: WatchGuard notes that a Firebox may remain vulnerable if a branch office VPN to a static gateway peer is still configured, so firmware version rather than current VPN configuration should drive remediation decisions. The CVSS v4 score of 9.3 comes from the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N: reachable over the network, low attack complexity, no attack requirements, no privileges or user interaction, and high impact on the confidentiality, integrity and availability of the vulnerable system (WatchGuard Advisory).
Impact
The vulnerability poses a significant security risk as it allows unauthenticated remote attackers to execute arbitrary code on affected Firebox devices. Firewalls are considered high-value assets for threat actors, making this vulnerability particularly concerning. The impact is heightened by the fact that previously configured and deleted VPN settings may still leave systems vulnerable (Arctic Wolf).
Mitigation and workarounds
WatchGuard has released fixed versions: 2025.1.1, 12.11.4, 12.5.13 (for T15 and T35 models), and 12.3.1_Update3 (B722811) for the FIPS-certified release. For deployments that cannot upgrade immediately, WatchGuard provides a temporary workaround based on its guidance for Secure Access to Branch Office VPNs that Use IPSec and IKEv2, which limits which peers may reach the Firebox's IKE service; it applies only when the Firebox is configured solely with branch office VPN tunnels to static gateway peers, and it does not cover mobile user VPN with IKEv2 or dynamic-gateway tunnels. Fireware OS 11.x is End of Life and will not receive a patch, so affected 11.x devices need to be replaced or moved to a supported release where the hardware allows (WatchGuard Advisory, Arctic Wolf).
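The affected ranges from the Overview and the fixed releases listed above can be turned into a repeatable inventory check. The script below is an added example written for this page, not WatchGuard tooling; its function names (parse_version, assess, recommended_fix, triage) and the sample inventory are this example's own, while the version ranges and fixed builds are exactly those the advisory states. Because the advisory says deleting the IKEv2 VPN configuration does not reliably remove exposure, the check keys on firmware version only. It also treats builds newer than the listed fixes on the T15/T35 and FIPS branches as "verify manually", which is an assumption since this page names no such builds.

```python
"""Triage helper for CVE-2025-9242 (WatchGuard Fireware OS iked out-of-bounds write).

Added example, not WatchGuard tooling. Ranges and fixed releases are those stated
in the advisory text on this page; all function names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Version strings as they appear in WatchGuard advisories:
# '12.11.3', '11.12.4_Update1', '2025.1', '12.3.1_Update3'.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})(?:_Update(\d+))?$")


def parse_version(s: str) -> tuple:
    """Turn a Fireware OS version string into a comparable tuple.

    Numeric fields are zero-padded to four places so '2025.1' and '2025.1.1'
    compare correctly; the '_UpdateN' suffix becomes a fifth field so that
    '11.12.4_Update1' sorts after '11.12.4' but before '11.12.5'.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {s!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    update = int(m.group(2)) if m.group(2) else 0
    return tuple(nums) + (update,)


# Inclusive affected ranges from the advisory.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),  # 11.x is End of Life: no fix available
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

# Fixed releases named in the advisory. 12.5.13 and 12.3.1_Update3 sit numerically
# inside the 12.0 - 12.11.3 range, so they must be excluded explicitly.
FIXED_RELEASES = ("2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3")


@dataclass(frozen=True)
class Assessment:
    version: str
    vulnerable: bool
    action: str


def recommended_fix(v: tuple, model: Optional[str], fips: bool) -> str:
    """Map an affected version to the fixed release for its branch and model."""
    verify = "not a release listed on this page; verify against the WatchGuard advisory"
    if v[0] == 11:
        return ("no patch: Fireware OS 11.x is End of Life; replace or upgrade the "
                "appliance, restricting IKE access meanwhile if only static-peer BOVPNs exist")
    if v[0] == 12:
        if fips:
            # Assumption: builds newer than the named FIPS fix are unknown here.
            return verify if v > parse_version("12.3.1_Update3") else "upgrade to 12.3.1_Update3 (B722811)"
        if model and model.upper() in ("T15", "T35"):
            # Assumption: builds newer than 12.5.13 on this branch are unknown here.
            return verify if v > parse_version("12.5.13") else "upgrade to 12.5.13"
        return "upgrade to 12.11.4"
    return "upgrade to 2025.1.1"


def assess(version: str, model: Optional[str] = None, fips: bool = False) -> Assessment:
    """Decide whether a Firebox running `version` falls in an affected range.

    VPN configuration is deliberately not an input: the advisory says a device can
    stay vulnerable after the IKEv2 VPN settings have been deleted.
    """
    v = parse_version(version)
    if v in {parse_version(f) for f in FIXED_RELEASES}:
        return Assessment(version, False, "running a fixed release")
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return Assessment(version, True, recommended_fix(v, model, fips))
    return Assessment(version, False, "outside the affected ranges in the advisory")


def triage(inventory):
    """Assess (hostname, version, model, fips) records; return only the vulnerable ones."""
    findings = []
    for host, version, model, fips in inventory:
        a = assess(version, model, fips)
        if a.vulnerable:
            findings.append((host, a))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real devices.
    sample = [
        ("fw-edge-01", "12.11.3", "M290", False),
        ("fw-branch-07", "12.5.12", "T35", False),
        ("fw-fips-02", "12.3.1_Update3", "M4800", True),
        ("fw-legacy-03", "11.12.4_Update1", "T30", False),
        ("fw-new-01", "2025.1.1", "M590", False),
    ]
    for host, a in triage(sample):
        print(f"{host}: {a.version} vulnerable -> {a.action}")
```

Feed it the firmware version, model and FIPS flag from your asset inventory; anything it reports as vulnerable should be patched to the listed release, and a "verify" result means the build is not one this page names and needs checking against WatchGuard's advisory before it is treated as safe.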
Additional resources
Source: This report was generated using AI.