WatchGuard Issues Fix for 9.3-Rated Firebox Firewall Vulnerability

WatchGuard has released security updates to fix a high-risk vulnerability in its Firebox firewalls. This issue, CVE-2025-9242, could allow a remote attacker to take control of a device. The company is urging all users to update their systems right away to avoid potential attacks.
This vulnerability is what’s known as an ‘out-of-bounds write’ weakness. Think of a computer’s memory as a series of boxes, each assigned to a particular piece of data. An out-of-bounds write happens when a program writes past the end of the box it was given, corrupting whatever sits in the neighbouring boxes; depending on what gets overwritten, that can crash the program or let an attacker steer what it does next.
In Firebox’s case, it could let a hacker run their own malicious code on the firewall without needing to be an authenticated user. This type of flaw is very serious because firewalls are meant to protect networks from outside threats. That’s why the issue has been given a high-risk score of 9.3 out of 10.
The problem affects a wide range of devices: Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1. The vulnerability is only present on devices that were at some point configured with a VPN (Virtual Private Network) using the IKEv2 protocol, but WatchGuard says a device may still be at risk even if those VPN settings have since been deleted.
As WatchGuard stated in its advisory, “An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code.”
The affected products include the Firebox T15 and T35 models running Fireware OS 12.5.x, as well as numerous other models in the T, M, and Firebox Cloud series that run Fireware OS 12.x and 2025.1.x.
Although there are no known attacks exploiting this weakness so far, the risk is real. Attackers often target firewalls because they sit at the boundary of a network and are a key entry point into it.
WatchGuard has already released fixes for this problem in several software updates, including versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1. If you own a WatchGuard Firebox, check your device’s software version and install the latest update immediately. For users who can’t update right away, WatchGuard recommends a temporary mitigation: restricting which traffic is allowed to reach the VPN.
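As an added example (not from the article, and not WatchGuard’s own tooling), here is a small Python check that classifies a Fireware OS version string against the affected ranges and fix releases the article lists, the kind of thing you would run over a device inventory before deciding who needs the update and who needs the interim VPN restriction. It assumes two things that are not stated by the vendor: that version strings follow the `major.minor[.patch][_UpdateN]` form seen in the advisory, and that a fix release covers devices on the same `major.minor` branch at or above that release.

```python
import re
from typing import Dict, List, Tuple

# Fireware OS version as a comparable tuple: (major, minor, patch, update).
Version = Tuple[int, int, int, int]

# Assumed format: "12.11.3", "2025.1", "11.12.4_Update1". Not an official grammar.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn a Fireware OS version string into a tuple that sorts correctly."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


# Affected ranges as reported in the article (both ends inclusive).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    (parse_version("11.10.2"), parse_version("11.12.4_Update1")),
    (parse_version("12.0"), parse_version("12.11.3")),
    (parse_version("2025.1"), parse_version("2025.1")),
]

# Releases that ship the fix, per the article.
FIXED_RELEASES: List[Version] = [
    parse_version(v) for v in ("12.3.1_Update3", "12.5.13", "12.11.4", "2025.1.1")
]


def in_affected_range(version: Version) -> bool:
    """True if the version falls inside any reported affected range."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def has_fix(version: Version) -> bool:
    """Assumption: a fix release covers its own major.minor branch, so a device
    on that branch at or above the fix release is treated as patched."""
    return any(version[:2] == fix[:2] and version >= fix for fix in FIXED_RELEASES)


def assess(version_text: str) -> str:
    """Classify one device: 'patched', 'vulnerable', or 'unlisted' (outside the
    reported ranges; not the same as confirmed safe)."""
    version = parse_version(version_text)
    if has_fix(version):
        return "patched"
    if in_affected_range(version):
        return "vulnerable"
    return "unlisted"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> status for a {name: version_string} inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the names and versions are not real devices.
    sample = {
        "fw-branch-01": "12.5.12",
        "fw-branch-02": "12.5.13",
        "fw-hq-core": "12.11.3",
        "fw-lab": "2025.1",
        "fw-legacy": "11.12.4_Update1",
        "fw-old": "11.9.0",
    }
    for name, status in triage(sample).items():
        print(f"{name:14} {sample[name]:18} {status}")
```

Anything reported as `vulnerable` needs the update or, failing that, the VPN traffic restriction WatchGuard recommends; `unlisted` only means the version is outside the ranges the article reports, so it should be verified against the vendor advisory rather than assumed safe.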
The company recognised a researcher named “btaol” for finding and reporting this issue.
Several cybersecurity experts weighed in on the seriousness of the issue and shared their thoughts with Hackread.com.
David Matalon, CEO at Venn, called the flaw a “reminder of just how much trust organisations place in perimeter defences.” He added that a layered approach is “critical to limiting the blast radius when vulnerabilities inevitably emerge.”
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, highlighted the vulnerability’s persistence, noting that “even if vulnerable VPN configurations have been deleted, systems remain at risk.”
He also pointed out that, according to threat reports, many exploited vulnerabilities in 2025 affected “edge security and gateway products” because they offer an easy way for attackers to get into an organisation.
Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, described the CVSS 9.3 score as “the cyber equivalent of a five-alarm fire.” He stressed that for an attacker, “compromising the firewall is the ultimate tactical win,” as it offers a perfect entry point into a network.
HackRead