WatchGuard Fireware OS Vulnerabilities in Firebox Appliances
WatchGuard published security advisories for multiple Fireware OS vulnerabilities affecting Firebox appliances and related deployments, and the Canadian Centre for Cyber Security urged organizations to apply updates. The issues include an out-of-bounds write that could allow a privileged, authenticated administrator to achieve root-level arbitrary code execution via an exposed management interface (CVE-2026-3342), and a filesystem integrity check bypass that could allow an attacker to maintain limited persistence by using a maliciously crafted firmware update package (CVE-2026-3344). A separate advisory also notes a reflected XSS issue in the Fireware Web UI (CVE-2026-3343).
Affected versions span multiple Fireware OS branches, including 12.0–12.11.7, 12.5.9–12.5.16 (T15/T35 models), and 2025.1–2026.1.1, with additional impact noted for 11.x in the out-of-bounds write advisory (11.x is end-of-life). WatchGuard’s fixes are available in 12.11.8, 12.5.17, and 2026.1.2 (depending on branch/model), and no workaround was listed for the integrity-check bypass or out-of-bounds write issues; organizations should prioritize patching and ensure management interfaces are not unnecessarily exposed.
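As an added example, not WatchGuard's tooling and not taken from the advisories, the Python helper below parses Fireware OS version strings (including the `_UpdateN` suffix that appears in the related stories on this page) and checks a device inventory against the affected and fixed releases quoted in the summary above. The inventory, the hostnames and the non-T15/T35 model names are constructed placeholders; the mapping of T15/T35 units to the 12.5 branch follows the summary's wording.

```python
# Added triage helper (not WatchGuard tooling): parses Fireware OS version strings and
# compares them with the affected/fixed ranges quoted in the summary above.
import re
from typing import List, NamedTuple, Optional, Tuple


class FirewareVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int  # trailing "_UpdateN" suffix, 0 when absent


VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?\s*$")


def parse_version(text: str) -> FirewareVersion:
    """Turn '12.11.4', '2025.1' or '11.12.4_Update1' into a comparable tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return FirewareVersion(int(major), int(minor), int(patch or 0), int(update or 0))


# (first affected, last affected, first fixed) per branch, as quoted in the summary above.
GENERAL_RANGES = [("12.0", "12.11.7", "12.11.8"), ("2025.1", "2026.1.1", "2026.1.2")]
T15_T35_RANGE = ("12.5.9", "12.5.16", "12.5.17")  # the 12.5 branch used by T15/T35 models
EOL_MAJOR = 11  # 11.x: listed as affected by the out-of-bounds write, end-of-life, no fix


class Triage(NamedTuple):
    version: FirewareVersion
    status: str          # "affected", "eol" or "not_listed"
    fix: Optional[str]   # first fixed release on that branch, when the page lists one
    note: str


def triage(text: str, model: Optional[str] = None) -> Triage:
    """Classify one device; pass model so T15/T35 units are checked against the 12.5 branch."""
    v = parse_version(text)
    if v.major == EOL_MAJOR:
        return Triage(v, "eol", None, "11.x is end-of-life; migrate to a supported branch")
    ranges = [T15_T35_RANGE] if model and model.upper() in ("T15", "T35") else GENERAL_RANGES
    for low, high, fixed in ranges:
        if parse_version(low) <= v <= parse_version(high):
            return Triage(v, "affected", fixed, f"inside {low}-{high}; upgrade to {fixed}")
    return Triage(v, "not_listed", None, "outside the affected ranges quoted above")


def triage_inventory(csv_text: str) -> List[Tuple[str, Triage]]:
    """Run triage over 'hostname,model,version' lines (one device per line)."""
    results = []
    for line in csv_text.strip().splitlines():
        host, model, version = (part.strip() for part in line.split(","))
        results.append((host, triage(version, model)))
    return results


# Constructed sample inventory; hostnames and non-T15/T35 model names are placeholders.
SAMPLE_INVENTORY = """
fw-hq,model-a,12.11.7
fw-branch,T35,12.5.16
fw-lab,model-b,2026.1.2
fw-legacy,model-c,11.12.4_Update1
"""

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY):
        shown = ".".join(str(part) for part in result.version[:3])
        print(f"{host:10} {shown:10} {result.status:11} {result.note}")
```

Pass the model for T15/T35 units: without it a 12.5.x device is matched against the general 12.0-12.11.7 range and pointed at 12.11.8 rather than 12.5.17. A version carrying an `_UpdateN` suffix sorts after the bare release, so `12.11.7_Update1` falls outside the quoted range; confirm such cases against the vendor advisory rather than this helper.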
Related Stories
Critical WatchGuard Fireware Vulnerability Actively Exploited
A critical out-of-bounds write vulnerability, tracked as CVE-2025-9242, has been discovered in WatchGuard Fireware OS, affecting versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. This flaw allows remote, unauthenticated attackers to execute arbitrary code on vulnerable Firebox firewall devices by exploiting a missing length check during the IKE handshake process. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation, and has mandated that Federal Civilian Executive Branch (FCEB) agencies apply patches by December 3, 2025. As of mid-November, over 54,000 Firebox devices remain exposed globally, with the highest concentrations in the U.S., Italy, the U.K., Germany, and Canada. WatchGuard released patches for the vulnerability on September 17, 2025, but only confirmed active exploitation in late October. CISA has emphasized the significant risk posed by this flaw, urging all organizations—not just federal agencies—to prioritize patching due to the attractiveness of firewall devices as targets for threat actors. The vulnerability's exploitation path allows attackers to bypass authentication, as the vulnerable code is executed before certificate validation. Organizations unable to apply mitigations are advised to discontinue use of affected products to prevent compromise.
4 months ago
Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN
A critical vulnerability, tracked as CVE-2025-9242, has been discovered in WatchGuard's Fireware OS, affecting a wide range of Firebox network security appliances. This flaw is an out-of-bounds write in the 'iked' process, which is responsible for handling IKEv2 VPN negotiations. The vulnerability allows remote attackers to execute arbitrary code on affected devices without authentication, posing a severe risk to organizations relying on these appliances for network security. The issue specifically impacts devices configured with mobile user VPNs or branch office VPNs using IKEv2 with dynamic gateway peers. Security researchers have demonstrated that attackers can exploit this bug by sending specially crafted IKEv2 packets during the IKE_SA_AUTH phase, triggering a buffer overflow in the ike2_ProcessPayload_CERT function. Once exploited, attackers can gain control of the instruction pointer, establish Python interactive shells over TCP, and escalate to a full Linux shell by remounting filesystems and deploying BusyBox binaries. The vulnerability has been assigned a CVSS score of 9.3, underscoring its critical nature. According to scans by The Shadowserver Foundation, nearly 76,000 Firebox appliances remain exposed and vulnerable on the public internet, with the highest concentrations in the United States, Germany, Italy, the United Kingdom, Canada, and France. Affected Fireware OS versions include 11.10.2 through 11.12.4_Update1, the entire 12.0 series up to 12.11.3, and the 2025.1 release, impacting both older and newer Firebox models. WatchGuard has released patches in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1 to address the vulnerability. Devices running version 11.x are no longer supported and will not receive security updates, prompting the vendor to recommend upgrading to a supported version. 
For appliances configured only with Branch Office VPNs to static gateway peers, WatchGuard has provided documentation for securing connections as a temporary workaround. The vulnerability transforms trusted security appliances into potential entry points for attackers, threatening the integrity of network defenses. Organizations are urged to assess their Firebox deployments, prioritize patching, and review VPN configurations to mitigate the risk. The widespread exposure of vulnerable devices highlights the urgency of remediation efforts. WatchGuard's disclosure and the subsequent public scanning have brought significant attention to the issue, emphasizing the importance of timely patch management in network security infrastructure. Failure to address this vulnerability could result in unauthorized access, lateral movement, and compromise of sensitive internal networks. The incident serves as a stark reminder of the risks posed by critical flaws in security appliances and the need for continuous monitoring and rapid response.
4 months ago
WatchGuard Firebox Zero-Day Exploited for Remote Code Execution
A critical zero-day vulnerability, identified as CVE-2025-14733, has been discovered in WatchGuard Firebox firewalls, allowing remote unauthenticated attackers to execute arbitrary code. The flaw, rated with a CVSS score of 9.3, resides in the `iked` process responsible for handling IKEv2 VPN connections, specifically affecting both Mobile User VPN and Branch Office VPN configurations. Attackers can exploit this out-of-bounds write vulnerability by sending specially crafted requests, potentially leading to full device compromise and firewall hijacking. WatchGuard has confirmed active exploitation of this vulnerability in the wild, with threat actors targeting exposed devices. Indicators of compromise include suspicious IP addresses, unusually large certificate payloads in IKE_AUTH requests, long certificate chains, and unexpected crashes of the `iked` process. Administrators are urged to apply the latest security updates immediately and review their logs for signs of compromise. The vulnerability affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3.
2 months ago
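The three related stories above describe the same defect class: a payload length in the IKE handshake that was trusted without a check, and indicators such as unusually large certificate payloads and long certificate chains. As an added defender-side example, not WatchGuard code and not derived from the advisories, the Python below walks an IKEv2 message's payload chain using the RFC 7296 wire layout, rejects any declared length that would overrun the buffer, and then applies those indicators to the resulting payload list. The thresholds, the dummy SPIs and the sample messages are constructed; the `PAYLOAD_CERT` and `EXCHANGE_IKE_AUTH` constants are the IANA-registered values.

```python
# Added defender-side example, not WatchGuard code and not taken from the advisories: a
# bounds-checked IKEv2 payload walker (RFC 7296 layout) plus a CERT-payload heuristic.
import struct
from dataclasses import dataclass
from typing import List, Tuple

IKE_HEADER_LEN = 28        # fixed IKE header, RFC 7296 section 3.1
PAYLOAD_HEADER_LEN = 4     # generic payload header, RFC 7296 section 3.2
PAYLOAD_NONE, PAYLOAD_CERT = 0, 37
EXCHANGE_IKE_AUTH = 35
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
# Constructed thresholds (assumptions, not vendor values); tune to what your peers normally send.
CERT_PAYLOAD_MAX_BYTES = 4096
CERT_CHAIN_MAX = 4
Payload = Tuple[int, int, bytes]  # (type, declared length, body without header)

class IkeParseError(ValueError):
    """A declared length does not fit the bytes actually present."""

@dataclass
class IkeMessage:
    exchange_type: int
    is_request: bool
    length: int
    payloads: List[Payload]

def parse_ike_message(buf: bytes) -> IkeMessage:
    """Walk the payload chain, checking every declared length against the buffer; a
    parser that trusts the 16-bit length field would read or write past the message."""
    if len(buf) < IKE_HEADER_LEN:
        raise IkeParseError("message shorter than the fixed IKE header")
    _spi_i, _spi_r, next_type, version, exchange, flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", buf[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise IkeParseError(f"not IKEv2 (major version {version >> 4})")
    if length != len(buf):
        raise IkeParseError(f"header length {length} != {len(buf)} bytes received")
    payloads: List[Payload] = []
    offset = IKE_HEADER_LEN
    while next_type != PAYLOAD_NONE:
        if offset + PAYLOAD_HEADER_LEN > len(buf):
            raise IkeParseError(f"truncated payload header at offset {offset}")
        following, _crit, plen = struct.unpack("!BBH", buf[offset:offset + PAYLOAD_HEADER_LEN])
        if plen < PAYLOAD_HEADER_LEN:
            raise IkeParseError(f"payload length {plen} smaller than its own header")
        if offset + plen > len(buf):  # the bounds check on the declared length
            raise IkeParseError(f"payload of {plen} bytes overruns the message at offset {offset}")
        payloads.append((next_type, plen, buf[offset + PAYLOAD_HEADER_LEN:offset + plen]))
        offset += plen
        next_type = following
    if offset != len(buf):
        raise IkeParseError(f"{len(buf) - offset} trailing bytes after the last payload")
    return IkeMessage(exchange, not (flags & FLAG_RESPONSE), length, payloads)

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_ike_message(buf)
        return True
    except IkeParseError:
        return False

def assess_cert_payloads(msg: IkeMessage) -> List[str]:
    """Findings for the indicators the advisory names: oversized CERT payloads and long
    chains. In IKE_AUTH the CERT payloads sit inside the encrypted SK payload, so a passive
    sensor cannot see them; run this on the endpoint's decrypted payload list instead."""
    findings = []
    certs = [p for p in msg.payloads if p[0] == PAYLOAD_CERT]
    for _ptype, plen, _body in certs:
        if plen > CERT_PAYLOAD_MAX_BYTES:
            findings.append(f"CERT payload of {plen} bytes exceeds {CERT_PAYLOAD_MAX_BYTES}")
    if len(certs) > CERT_CHAIN_MAX:
        findings.append(f"{len(certs)} CERT payloads exceeds chain limit of {CERT_CHAIN_MAX}")
    return findings

def build_message(exchange: int, payloads: List[Tuple[int, bytes]], response: bool = False) -> bytes:
    """Encoder for constructed sample messages (test input only; SPIs are dummies)."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", following, 0, PAYLOAD_HEADER_LEN + len(data)) + data
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    flags = FLAG_INITIATOR | (FLAG_RESPONSE if response else 0)
    header = struct.pack("!QQBBBBII", 0x0102030405060708, 0, first, 0x20, exchange, flags, 1,
                         IKE_HEADER_LEN + len(body))
    return header + body

def overrun_first_payload(buf: bytes) -> bytes:
    """Copy whose first payload claims more bytes than exist, to show the walker rejects it."""
    pos = IKE_HEADER_LEN + 2
    return buf[:pos] + struct.pack("!H", 0xFFFF) + buf[pos + 2:]

if __name__ == "__main__":
    # Constructed input: five oversized CERT payloads, as an endpoint sees them after decryption.
    chain = [(PAYLOAD_CERT, b"\x04" + b"\x00" * 5000) for _ in range(5)]
    raw = build_message(EXCHANGE_IKE_AUTH, chain)
    for finding in assess_cert_payloads(parse_ike_message(raw)):
        print("finding:", finding)
    print("overrun rejected:", not is_well_formed(overrun_first_payload(raw)))
```

The walker is the defensive counterpart of the missing length check: every payload length is compared with the bytes remaining before any slice is taken, and a mismatch between the header's length field and the datagram is rejected up front. The heuristic only sees CERT payloads that are in the clear, so on the wire it applies to decrypted data from the appliance itself; a passive sensor can still watch for the other indicator the story lists, unexpected `iked` crashes, in the device logs.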