WatchGuard VPN Flaw Gives Hackers Full Firewall Control


Security researchers just pulled the fire alarm on WatchGuard’s firewall stack.
A critical bug in Fireware lets remote attackers execute code without logging in, turning a trusted security appliance into an open door.

The flaw, tracked as CVE-2025-9242, is an out-of-bounds write in specific Fireware OS versions. It hits mobile user VPNs with IKEv2 and branch office VPNs using IKEv2 when dynamic gateway peers are in play. Simple setup, high stakes.

Here’s how cybercriminals could exploit this weakness

It comes down to a coding mistake in the iked process that handles VPN handshakes. The bug lives in the ike2_ProcessPayload_CERT function, which copies client identification into a stack buffer without checking length. During the IKE_SA_AUTH phase, attackers can force a buffer overflow and take it from there.

What happens next is the ugly part. Attackers grab control of the instruction pointer, then spin up Python interactive shells over TCP. With that foothold, they pivot to a full Linux shell by remounting filesystems read-write and pulling down BusyBox binaries. The CVSS score clocks in at 9.3, which says it all.

Is your firewall vulnerable right now?

A wide swath of Firebox gear is exposed. Multiple Fireware OS lines are affected, including 11.10.2 through 11.12.4_Update1, the entire 12.0 series up to 12.11.3, and the 2025.1 release. Devices range from T15 and T35 models on Fireware OS 12.5.x to newer T115-W, T125, and T185 units on Fireware OS 2025.1.x.

There are fixes. WatchGuard shipped patches in 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1. If you run any affected Firebox, upgrade to a patched release immediately. One more gotcha: even if you deleted vulnerable IKEv2 VPN configs, you might still be exposed if branch office VPNs to static gateway peers are still active.
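As an added example (not code from the article or from WatchGuard), here is a small Python checker that classifies a Fireware version string against the affected ranges and fixed releases quoted above. It assumes that later builds on a fixed release's branch keep the fix, which the article does not state; anything outside the quoted ranges is reported as "unknown" rather than guessed.

```python
import re
from typing import Tuple

# Affected ranges (inclusive) and fixed releases as quoted in the article.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]
FIXED_RELEASES = ["12.3.1_Update3", "12.5.13", "12.11.4", "2025.1.1"]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.11.4' or '11.12.4_Update1' into a comparable tuple:
    three numeric components (zero-padded) followed by the Update number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # so that 12.0 == 12.0.0
    return tuple(nums) + (int(m.group(2) or 0),)


def assess(version: str) -> str:
    """Return 'patched', 'affected' or 'unknown' for a Fireware version."""
    v = parse_version(version)
    # Assumption (not stated in the article): a build at or above a fixed
    # release on the same major.minor branch carries the fix.
    for fixed in FIXED_RELEASES:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:
            return "patched"
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inventory, e.g. from a fleet spreadsheet.
    for box, ver in [("T35", "12.5.12"), ("T125", "2025.1"), ("M290", "12.11.4"),
                     ("T15", "11.12.4_Update1"), ("T85", "12.12")]:
        print(f"{box:6} {ver:18} {assess(ver)}")
```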

Update now. Threat actors love going after firewalls because they sit at the front door. If patching has to wait, WatchGuard offers stopgap steps like disabling dynamic peer VPNs and tightening firewall policies.

Security experts strongly urge users to apply these updates without delay. Every hour you wait raises the odds of a full network compromise. This one deserves a same-day fix.
