418/68 Wednesday, October 22, 2025

Researchers from The Shadowserver Foundation have discovered that more than 75,835 WatchGuard Firebox devices exposed to the internet worldwide are vulnerable to a critical flaw tracked as CVE-2025-9242 (CVSS 9.3). This vulnerability could allow remote code execution without authentication. The majority of exposed devices are located in Europe and North America, with the highest numbers found in the United States (24,500), Germany (7,300), Italy (6,800), the United Kingdom (5,400), Canada (4,100), and France (2,000).
The flaw resides in the Fireware OS iked process, which manages IKEv2 VPN. If an attacker sends a specially crafted packet to a Firebox with Dynamic Gateway Peers enabled, the system writes data to an invalid memory location, potentially allowing arbitrary code execution. Impacted versions include Fireware OS 11.10.2 – 11.12.4_Update1, 12.0 – 12.11.3, and 2025.1.
WatchGuard has already released patches in versions 2025.1.1, 12.11.4, 12.5.13, and 12.3.1_Update3 (B722811). However, 11.x versions are End of Support (EOS) and will not receive further updates, so users on those versions must upgrade immediately. For those using Branch Office VPN with Static Gateway Peers, WatchGuard recommends applying IPsec/IKEv2 configuration best practices as a temporary mitigation.
Although there is no evidence of exploitation in the wild yet, security experts warn that the sheer number of exposed devices makes this vulnerability a critical global security risk. Organizations are strongly urged to apply the patches as soon as possible to prevent potential compromise.
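For asset owners triaging a Firebox inventory against the version ranges and fixed releases listed above, the following is an added example (not WatchGuard or Shadowserver code). The function names and sample inventory are hypothetical, and it assumes 12.3.1 and 12.5.x are separate release branches whose fixes are 12.3.1_Update3 and 12.5.13 respectively.

```python
import re

# Version data taken from the advisory text above. Tuples are
# (major, minor, patch, update); "_UpdateN" maps to the 4th field.
EOS_LOW, EOS_HIGH = (11, 10, 2, 0), (11, 12, 4, 1)  # 11.10.2 - 11.12.4_Update1
FIXED_2025 = (2025, 1, 1, 0)                         # 2025.1.1
FIXED_12_MAIN = (12, 11, 4, 0)                       # 12.11.4
FIXED_12_5 = (12, 5, 13, 0)                          # 12.5.13
FIXED_12_3_1 = (12, 3, 1, 3)                         # 12.3.1_Update3

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?")

def parse_version(text):
    """Parse '12.11.3', '2025.1' or '12.3.1_Update3' into a 4-tuple."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def classify(text):
    """Return 'vulnerable-eos', 'vulnerable', 'patched' or 'not-listed'."""
    v = parse_version(text)
    if EOS_LOW <= v <= EOS_HIGH:
        return "vulnerable-eos"          # no fix will ship for 11.x
    if v[0] == 2025:
        return "patched" if v >= FIXED_2025 else "vulnerable"
    if v[0] == 12:
        # Assumption: 12.3.1 and 12.5.x are separate branches with their
        # own fixed builds; everything else on 12.x needs 12.11.4.
        if v[:3] == (12, 3, 1):
            fixed = FIXED_12_3_1
        elif v[:2] == (12, 5):
            fixed = FIXED_12_5
        else:
            fixed = FIXED_12_MAIN
        return "patched" if v >= fixed else "vulnerable"
    return "not-listed"                  # outside the ranges the advisory names

def triage(inventory):
    """Map {hostname: version} to {status: sorted hostnames}."""
    result = {}
    for host, version in inventory.items():
        result.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"fw-branch1": "12.11.3", "fw-hq": "12.11.4", "fw-old": "11.12.4_Update1",
          "fw-t35": "12.5.13", "fw-lab": "2025.1"}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

The check looks at the version string only; whether a given device has the IKEv2 VPN configuration described above still has to be confirmed on the device.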
