Critical RCE Flaw in WatchGuard Firewalls Puts Enterprise Networks at Risk
Network administrators are scrambling to patch critical infrastructure after WatchGuard disclosed a severe remote code execution (RCE) vulnerability in its Firebox firewall series. Tracked as CVE-2025-9242, this flaw stems from an out-of-bounds write weakness in the iked process—the component managing IKEv2 VPN connections. Successful exploitation could grant unauthenticated attackers full control over vulnerable devices, effectively turning network gateways into entry points for enterprise breaches.
The Vulnerability’s Unusual Persistence
What makes CVE-2025-9242 particularly concerning is that a Firebox can stay vulnerable after the IKEv2 configuration that exposed it has been removed, provided a branch office VPN (BOVPN) to a static gateway peer still exists. WatchGuard's advisory names the two affected configurations and this residual case:
"This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer. If the Firebox was previously configured with these and later deleted, it may still be vulnerable if a branch office VPN to a static gateway peer is configured."
Affected Products and Patching Urgency
The flaw impacts Firebox appliances running:
- Fireware OS 11.x (EoL)
- Fireware OS 12.x
- Fireware OS 2025.1.x
Patched versions include 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1. High-risk models span T-series, M-series, Firebox Cloud, and NV5/V appliances—devices commonly deployed in SMB and enterprise edge networks. For organizations unable to patch immediately, WatchGuard published detailed workarounds involving firewall policy adjustments and disabling dynamic peer BOVPNs.
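The two facts above that an administrator has to combine during triage, the fixed Fireware builds listed here and the configuration condition from the advisory (current IKEv2 mobile VPN or dynamic-peer IKEv2 BOVPN, or a previously deleted one alongside a surviving static-peer BOVPN), are easy to get wrong when checked by hand across a fleet, because Fireware version strings such as `12.3.1_Update3` do not compare as plain dotted numbers. The script below is an added example, not WatchGuard's tooling or BleepingComputer's: it parses Fireware version strings with the update level as a trailing component, decides which fixed build applies, and evaluates the exposure condition. The rule that maps a running version to one of the four fixed builds (11.x has no fix; 12.3.1 goes to 12.3.1_Update3; 12.5.x to 12.5.13; other 12.x to 12.11.4; 2025.1.x to 2025.1.1) and the inventory entries are assumptions constructed for the example; WatchGuard's advisory assigns fixed builds per model, so confirm the mapping there before acting on the output.

```python
"""Triage helper for CVE-2025-9242 across a Firebox inventory (added example,
not WatchGuard code). Encodes the fixed Fireware builds named in the article
and the advisory's exposure condition. The version-to-branch rule is an
assumption; the advisory maps fixed builds per model."""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_version(version: str) -> tuple:
    """'12.3.1_Update3' -> (12, 3, 1, 3); '12.11.4' -> (12, 11, 4, 0);
    '2025.1' -> (2025, 1, 0, 0). Numeric parts are padded to three and the
    Update level is appended last, so 12.3.1_Update2 < 12.3.1_Update3 and
    12.11.3 < 12.11.4 under ordinary tuple comparison."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + (int(m.group(2) or 0),)


def fixed_build_for(version: str) -> "str | None":
    """Fixed build that applies to a running version, or None for EoL 11.x.
    Assumed mapping: 12.3.1 -> 12.3.1_Update3, 12.5.x -> 12.5.13,
    other 12.x -> 12.11.4, 2025.1.x -> 2025.1.1."""
    major, minor, patch = parse_version(version)[:3]
    if major == 11:
        return None
    if major == 12:
        if (minor, patch) == (3, 1):
            return "12.3.1_Update3"
        if minor == 5:
            return "12.5.13"
        return "12.11.4"
    if (major, minor) == (2025, 1):
        return "2025.1.1"
    raise ValueError(f"{version!r} is outside the version families in the advisory")


def is_patched(version: str) -> bool:
    fixed = fixed_build_for(version)
    return fixed is not None and parse_version(version) >= parse_version(fixed)


@dataclass
class VpnConfig:
    mobile_ikev2: bool          # IKEv2 mobile user VPN configured now
    dynamic_peer_bovpn: bool    # IKEv2 BOVPN with a dynamic gateway peer configured now
    previously_had_ikev2: bool  # either of the above existed before and was deleted
    static_peer_bovpn: bool     # a BOVPN to a static gateway peer is configured


def is_exposed(cfg: VpnConfig) -> bool:
    """Advisory condition: exposed with a current IKEv2 mobile VPN or
    dynamic-peer BOVPN; if those were deleted, still exposed when a
    static-peer BOVPN remains (the advisory says 'may', treated here as
    exposed for triage purposes)."""
    if cfg.mobile_ikev2 or cfg.dynamic_peer_bovpn:
        return True
    return cfg.previously_had_ikev2 and cfg.static_peer_bovpn


def triage(version: str, cfg: VpnConfig) -> tuple:
    """Return (status, action): status is 'patched', 'exposed' or
    'unpatched' (not exposed by the current VPN config but below the fix)."""
    if is_patched(version):
        return ("patched", "none")
    status = "exposed" if is_exposed(cfg) else "unpatched"
    fixed = fixed_build_for(version)
    action = f"upgrade to {fixed}" if fixed else "EoL, no fix: migrate off 11.x"
    return (status, action)


# Constructed sample inventory (hostnames, versions and configs are made up).
INVENTORY = [
    ("fw-hq-01", "12.11.3", VpnConfig(True, False, False, True)),
    ("fw-branch-07", "12.3.1_Update2", VpnConfig(False, False, True, True)),
    ("fw-lab-02", "12.5.13", VpnConfig(False, True, False, False)),
    ("fw-legacy", "11.12.4", VpnConfig(False, False, False, False)),
    ("fw-new", "2025.1", VpnConfig(False, False, False, True)),
]


def triage_inventory(inventory=INVENTORY) -> dict:
    return {name: triage(ver, cfg) for name, ver, cfg in inventory}


if __name__ == "__main__":
    for name, (status, action) in triage_inventory().items():
        print(f"{name:14} {status:10} {action}")
```

Note that `fw-new` comes back as unpatched rather than exposed: its only VPN is a static-peer BOVPN with no IKEv2 history, so the advisory's condition is not met today, but a later addition of a dynamic-peer BOVPN or IKEv2 mobile VPN would expose it, which is why the action is still to upgrade.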
Why Firewalls Are Prime Targets
Although no in-the-wild exploitation had been confirmed at the time of writing, threat actors consistently prioritize firewall vulnerabilities. The Akira ransomware gang recently weaponized CVE-2024-40766 in SonicWall appliances, and CISA mandated patches for WatchGuard flaws in 2022 after active exploitation. Firewalls offer unparalleled network visibility and control; compromising one often bypasses layered defenses in a single step.
With WatchGuard protecting over 250,000 organizations via 17,000 partners, unpatched devices represent a systemic risk. As ransomware groups refine their appliance-targeting playbooks, delaying updates invites catastrophe. This vulnerability underscores a brutal truth: in modern network security, the guardians themselves are battlegrounds.
Source: BleepingComputer