{"id":3307,"date":"2025-10-21T12:01:40","date_gmt":"2025-10-21T12:01:40","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/10\/21\/critical-watchguard-fireware-os-flaw-enables-remote-code-execution\/"},"modified":"2025-10-21T12:01:40","modified_gmt":"2025-10-21T12:01:40","slug":"critical-watchguard-fireware-os-flaw-enables-remote-code-execution","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/10\/21\/critical-watchguard-fireware-os-flaw-enables-remote-code-execution\/","title":{"rendered":"Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution"},"content":{"rendered":"
\n

A critical vulnerability (CVSS4.0 9.3) in\u00a0WatchGuard Fireware OS\u00a0has been identified that could allow a threat actor to remotely execute arbitrary code.\u00a0<\/p>\n

The bug, tracked as CVE-2025-9242, is an out-of-bounds write vulnerability affecting mobile user VPN with IKEv2 and the branch office VPN (BOVPN) using IKEv2 when configured with a dynamic gateway peer.<\/p>\n

The WatchGuard advisory noted that if the Firebox security platform was previously configured with the above VPN and IKEv2 gateway peers it could still be vulnerable.<\/p>\n

The vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.<\/p>\n

WatchGuard\u2019s Firebox is a next-generation firewall (NGFW) that acts as a security gateway, controlling traffic between external and trusted networks, and includes advanced features like intrusion prevention, anti-spam and content filtering.<\/p>\n

It can be deployed as a physical appliance, in the cloud or as a virtual machine.<\/p>\n

The Shadowserver foundation noted that based on IP data scans, there could be over 71,000 vulnerable devices as of October 17.<\/p>\n

Details on the vulnerability are now available on the US National Vulnerability Database (NVD) and WatchGuard has also published a security advisory.<\/p>\n

If the Firebox is only configured with Branch Office VPN tunnels to static gateway peers and the owner is not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, WatchGuard has provided recommendations for a temporary workaround.<\/p>\n

In its advisory, WatchGuard noted that it recommends BOVPN secure access policies are configured with a narrower scope to handle incoming VPN traffic, due to increasing attacks against exposed VPNs that target a wide range of vendors.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

A critical vulnerability (CVSS4.0 9.3) in\u00a0WatchGuard Fireware OS\u00a0has been identified that could allow a threat actor to remotely execute arbitrary code.\u00a0 The bug, tracked as CVE-2025-9242, is an out-of-bounds write vulnerability affecting mobile user VPN with IKEv2 and the branch office VPN (BOVPN) using IKEv2 when configured with a dynamic gateway peer. The WatchGuard advisory<\/p>\n","protected":false},"author":2,"featured_media":3308,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3307","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3307-5142af50-862a-4e38-a530-eeef37223db6-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3307"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3307\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3308"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3307"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}