- CVE-2025-9242 allows unauthenticated remote code execution on WatchGuard Fireware devices
- Vulnerability affects VPN configurations using IKEv2 with dynamic gateway peers
- Businesses should patch affected versions and restrict internet access to essential devices only
WatchGuard Fireware, the operating system powering much of WatchGuard’s software, carried a critical severity vulnerability that allowed threat actors to execute arbitrary code remotely and essentially take over compromised devices, the company has warned.
The vulnerability is tracked as CVE-2025-9242, and was given a severity score of 9.3/10 (critical). It is described as an out-of-bounds write vulnerability that allows unauthenticated entities to execute arbitrary code.
“This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” WatchGuard explained in a recent security advisory.
Music to ransomware gangs’ ears
Versions 11.10.2 to 11.12.4_Update 1 were said to be affected, as well as versions 12.0 – 12.11.3 and 2025.1. FireGuard released patches, addressing the flaw in these versions:
2025.1 – Fixed in 2025.1.1
12.x – Fixed in 12.11.4
12.3.1 (FIPS-certified release) – Fixed in 12.3.1_Update3 (B722811)
12.5.x (T15 & T35 models) – Fixed in 12.5.13)
11.x – Reached end-of-life
In their analysis of the flaw, security researchers watchTowr described it as having “all the characteristics your friendly neighborhood ransomware gangs love to see” – it was found in an internet-connected device, can be exploited without authentication, and allows for remote malicious code execution.
Ransomware operators love targeting firewalls and routers since these serve as gateways for most internet traffic on a network.
They also focus on file servers and domain controllers, since encrypting them disrupts many users, as well as remote-access services like RDP, VPN gateways and exposed management ports of firewalls, backups, cloud storage and accounts, and network-attached storage (NAS).
To remain secure, businesses should limit internet access to only essential devices, keeping all others on the local network. They should also make sure all the software and hardware is updated, and that their employees are aware of the latest phishing and social engineering techniques.
Via The Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Add Comment