Active Exploitation of Critical WatchGuard Firebox Vulnerabilities
WatchGuard has confirmed that its Firebox firewall devices are being actively targeted due to a critical remote code execution vulnerability, CVE-2025-32978, which allows unauthenticated attackers to execute arbitrary commands remotely. The flaw resides in the Fireware OS Internet Key Exchange (IKE) service and can be exploited if the device is accessible over the internet, potentially giving attackers full control of the firewall. WatchGuard has released emergency patches and indicators of compromise, urging customers to update their firmware immediately or apply temporary workarounds if patching is not possible. The vulnerability affects configurations involving mobile user VPN with IKEv2 and branch office VPNs using IKEv2, even if some configurations have been deleted but others remain.
In response to evidence of active exploitation, CISA has added a WatchGuard Firebox vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the significant risk such flaws pose to federal and enterprise networks. CISA's directive requires federal agencies to remediate these vulnerabilities by a set deadline and strongly encourages all organizations to prioritize patching to reduce exposure to cyberattacks. The inclusion in the KEV Catalog underscores the urgency for organizations to address these vulnerabilities as part of their ongoing vulnerability management practices.
Related Entities
Vulnerabilities
Threat Actors
Organizations
Sources
Related Stories
Critical WatchGuard Fireware Vulnerability Actively Exploited
A critical out-of-bounds write vulnerability, tracked as CVE-2025-9242, has been discovered in WatchGuard Fireware OS, affecting versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. This flaw allows remote, unauthenticated attackers to execute arbitrary code on vulnerable Firebox firewall devices by exploiting a missing length check during the IKE handshake process. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation, and has mandated that Federal Civilian Executive Branch (FCEB) agencies apply patches by December 3, 2025. As of mid-November, over 54,000 Firebox devices remain exposed globally, with the highest concentrations in the U.S., Italy, the U.K., Germany, and Canada. WatchGuard released patches for the vulnerability on September 17, 2025, but only confirmed active exploitation in late October. CISA has emphasized the significant risk posed by this flaw, urging all organizations—not just federal agencies—to prioritize patching due to the attractiveness of firewall devices as targets for threat actors. The vulnerability's exploitation path allows attackers to bypass authentication, as the vulnerable code is executed before certificate validation. Organizations unable to apply mitigations are advised to discontinue use of affected products to prevent compromise.
4 months agoCritical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN
A critical vulnerability, tracked as CVE-2025-9242, has been discovered in WatchGuard's Fireware OS, affecting a wide range of Firebox network security appliances. This flaw is an out-of-bounds write in the 'iked' process, which is responsible for handling IKEv2 VPN negotiations. The vulnerability allows remote attackers to execute arbitrary code on affected devices without authentication, posing a severe risk to organizations relying on these appliances for network security. The issue specifically impacts devices configured with mobile user VPNs or branch office VPNs using IKEv2 with dynamic gateway peers. Security researchers have demonstrated that attackers can exploit this bug by sending specially crafted IKEv2 packets during the IKE_SA_AUTH phase, triggering a buffer overflow in the ike2_ProcessPayload_CERT function. Once exploited, attackers can gain control of the instruction pointer, establish Python interactive shells over TCP, and escalate to a full Linux shell by remounting filesystems and deploying BusyBox binaries. The vulnerability has been assigned a CVSS score of 9.3, underscoring its critical nature. According to scans by The Shadowserver Foundation, nearly 76,000 Firebox appliances remain exposed and vulnerable on the public internet, with the highest concentrations in the United States, Germany, Italy, the United Kingdom, Canada, and France. Affected Fireware OS versions include 11.10.2 through 11.12.4_Update1, the entire 12.0 series up to 12.11.3, and the 2025.1 release, impacting both older and newer Firebox models. WatchGuard has released patches in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1 to address the vulnerability. Devices running version 11.x are no longer supported and will not receive security updates, prompting the vendor to recommend upgrading to a supported version. For appliances configured only with Branch Office VPNs to static gateway peers, WatchGuard has provided documentation for securing connections as a temporary workaround. The vulnerability transforms trusted security appliances into potential entry points for attackers, threatening the integrity of network defenses. Organizations are urged to assess their Firebox deployments, prioritize patching, and review VPN configurations to mitigate the risk. The widespread exposure of vulnerable devices highlights the urgency of remediation efforts. WatchGuard's disclosure and the subsequent public scanning have brought significant attention to the issue, emphasizing the importance of timely patch management in network security infrastructure. Failure to address this vulnerability could result in unauthorized access, lateral movement, and compromise of sensitive internal networks. The incident serves as a stark reminder of the risks posed by critical flaws in security appliances and the need for continuous monitoring and rapid response.
4 months agoWatchGuard Firebox Zero-Day Exploited for Remote Code Execution
A critical zero-day vulnerability, identified as CVE-2025-14733, has been discovered in WatchGuard Firebox firewalls, allowing remote unauthenticated attackers to execute arbitrary code. The flaw, rated with a CVSS score of 9.3, resides in the `iked` process responsible for handling IKEv2 VPN connections, specifically affecting both Mobile User VPN and Branch Office VPN configurations. Attackers can exploit this out-of-bounds write vulnerability by sending specially crafted requests, potentially leading to full device compromise and firewall hijacking. WatchGuard has confirmed active exploitation of this vulnerability in the wild, with threat actors targeting exposed devices. Indicators of compromise include suspicious IP addresses, unusually large certificate payloads in IKE_AUTH requests, long certificate chains, and unexpected crashes of the `iked` process. Administrators are urged to apply the latest security updates immediately and review their logs for signs of compromise. The vulnerability affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3.
2 months ago