
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical out-of-bounds write vulnerability (CVE-2025-9242) was discovered in WatchGuard Fireware OS's iked process. The vulnerability, assigned a CVSS v4 score of 9.3, allows remote unauthenticated attackers to execute arbitrary code on vulnerable Firebox firewall appliances. The flaw affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and version 2025.1 (WatchGuard Advisory, Arctic Wolf).
The flaw resides in the iked process of WatchGuard Fireware OS and affects systems configured for mobile user VPN with IKEv2, or for branch office VPN using IKEv2 with a dynamic gateway peer. Notably, a system where these configurations have since been deleted may remain vulnerable if a branch office VPN to a static gateway peer is still configured. The vulnerability carries a critical CVSS v4 score of 9.3 (SecurityOnline, WatchGuard Advisory).
If successfully exploited, the vulnerability allows remote unauthenticated attackers to execute arbitrary code on affected Firebox devices. This poses a significant risk as firewalls are considered high-value assets for threat actors. The vulnerability affects a wide range of Firebox models, including T-series, M-series, Firebox Cloud, and FireboxV appliances (Bleeping Computer).
WatchGuard has released fixed versions: 2025.1.1, 12.11.4, 12.5.13 (for T15 & T35 models), and 12.3.1_Update3 (B722811) for the FIPS-certified release. For users unable to upgrade immediately, WatchGuard provides a temporary workaround for devices configured only with Branch Office VPN tunnels to static gateway peers. This involves following WatchGuard's recommendations for Secure Access to Branch Office VPNs that use IPSec and IKEv2 (WatchGuard Advisory, Bleeping Computer).
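The affected ranges and fixed releases listed above can be turned into an inventory triage check. The following is an added example, not code from WatchGuard or from this page's sources; the function names, the inventory layout and the rule that later builds on a fixed branch keep the fix are assumptions.

```python
import re

# Ranges and fixed releases as listed in the advisory summary above.
# Tuples are (major, minor, patch, update); "_UpdateN" maps to the 4th field.
AFFECTED = [
    ((11, 10, 2, 0), (11, 12, 4, 1)),    # 11.10.2 .. 11.12.4_Update1
    ((12, 0, 0, 0), (12, 11, 3, 0)),     # 12.0 .. 12.11.3
    ((2025, 1, 0, 0), (2025, 1, 0, 0)),  # 2025.1
]

def parse(version):
    """'12.11.3' -> (12, 11, 3, 0); '11.12.4_Update1' -> (11, 12, 4, 1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(version, model="", fips=False):
    v = parse(version)
    # The T15/T35 and FIPS fixes sit numerically inside the affected 12.x
    # range, so they are checked before the range test.
    # Assumption: later builds on the same branch keep the fix.
    if model.upper() in ("T15", "T35") and v[:2] == (12, 5) and v >= (12, 5, 13, 0):
        return "fixed"
    if fips and v[:3] == (12, 3, 1) and v >= (12, 3, 1, 3):
        return "fixed"
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "affected"
    if v >= (2025, 1, 1, 0) or (v[0] == 12 and v >= (12, 11, 4, 0)):
        return "fixed"
    return "not-listed"  # outside every range the advisory names

def triage(inventory):
    """Return the sorted hostnames whose version is in an affected range."""
    return sorted(name for name, ver, model, fips in inventory
                  if classify(ver, model, fips) == "affected")

# Constructed sample inventory: (hostname, version, model, FIPS build?)
SAMPLE = [
    ("fw-hq", "12.11.3", "M-series", False),
    ("fw-branch1", "12.5.13", "T35", False),
    ("fw-branch2", "12.5.12", "T15", False),
    ("fw-lab", "12.3.1_Update3", "M-series", True),
    ("fw-cloud", "2025.1", "FireboxV", False),
    ("fw-dc", "12.11.4", "M-series", False),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

This checks the version only; whether an affected build is actually exposed also depends on the IKEv2 VPN configuration described above.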
Source: This report was generated using AI