WatchGuard has patched a dangerous branch office and mobile VPN configuration vulnerability affecting nearly three dozen models of its current and legacy Firebox firewall systems.
However, the update comes with an important caveat: some customers could still be at risk, even if they are no longer using vulnerable VPN configurations.
Normally, the story with a flaw is the guts of the vulnerability itself, what attackers could achieve if they exploited it, and whether it is being exploited in advance of a patch.
With CVE-2025-9242, it’s slightly more complicated. The good news is that there is no evidence of exploitation so far, although the advice is still to patch as soon as possible. The job for admins is to work out whether a given system is affected, which in some cases is harder than it looks, and environments that cannot patch immediately will need to apply the vendor’s workaround.
The vulnerability
The product advisory described the issue as an “iked out of bounds write vulnerability.” An out-of-bounds write in the daemon that handles VPN key exchange makes remote code execution (RCE) possible, and because the bug is reached before any authentication completes, an attacker does not need VPN credentials to trigger it.
“iked” is the Firebox daemon that implements Internet Key Exchange, in this case IKEv2. An attacker would send crafted IKEv2 messages to the ports the daemon listens on: UDP 500 (IKE) or UDP 4500 (IKE over NAT traversal). CVE-2025-9242 has a CVSS score of 9.3, or ‘critical’, which makes patching urgent.
Who is affected?
A list of the nearly three dozen firewall models affected by CVE-2025-9242 is available from WatchGuard’s website. The vulnerable versions of the Fireware OS are 2025.1, 12.x, 12.5.x (T15 and T35 models), 12.3.1 (FIPS-certified release), and 11.x (end of life). The fixes, in the same order, are 2025.1.1, 12.11.4, 12.5.13 and 12.3.1_Update3 (B722811); 11.x is end of life and receives no fix, so devices still on it need to be moved to a supported release.
Although all customers should update, those specifically affected are in the following camp: “This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” said the advisory.
However, the company warned that customers who had used their firewall VPNs in this way in the past, but no longer do so, could also be affected:
“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured,” the advisory noted.
This sounds convoluted, and the advisory does not explain how such a wrinkle is possible. To speculate, Fireware OS may retain IKE configuration or state derived from the deleted IKEv2 settings, and a remaining static-peer branch office VPN presumably keeps the iked daemon listening on UDP 500/4500, so that stale data can still influence how it processes incoming exchanges. Whatever the mechanism, the practical point for admins is that the device’s history matters, not just its current configuration.
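As an added example, not code from the article or from WatchGuard, the following Python helper encodes the version table and the affected-configuration rule above so that they can be run over a fleet inventory. The version-string format (‘Major.Minor[.Patch][_UpdateN]’), the model and FIPS flags, the VpnConfig fields and the sample fleet are assumptions made for the example; versions outside the families named in the advisory are rejected rather than assumed safe.

```python
import re
from dataclasses import dataclass

# Fixed Fireware OS releases per WatchGuard's CVE-2025-9242 advisory, as
# listed in the article. 11.x is end of life and has no fixed release.
FIXED_2025_1 = "2025.1.1"
FIXED_MAIN_12X = "12.11.4"
FIXED_12_5_T15_T35 = "12.5.13"        # T15 and T35 models only
FIXED_12_3_1_FIPS = "12.3.1_Update3"  # FIPS-certified release (B722811)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?")


def parse_version(text):
    """Turn a Fireware version string into a comparable tuple.

    Assumed format (not taken from the advisory): 'Major.Minor[.Patch][_UpdateN]',
    e.g. '12.11.3', '2025.1', '12.3.1_Update2'. Missing components count as 0,
    so '2025.1' < '2025.1.1' and '12.3.1' < '12.3.1_Update3'.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + (int(m.group(2) or 0),)


def fixed_release(version, model=None, fips=False):
    """Fixed release for this version family, or None when it is 11.x (EOL, no fix).

    Families the advisory does not name raise rather than being reported as safe.
    """
    v = parse_version(version)
    if v[:2] == (2025, 1):
        return FIXED_2025_1
    if v[0] == 12:
        if fips and v[:3] == (12, 3, 1):
            return FIXED_12_3_1_FIPS
        if v[:2] == (12, 5) and model in ("T15", "T35"):
            return FIXED_12_5_T15_T35
        return FIXED_MAIN_12X
    if v[0] == 11:
        return None
    raise ValueError(f"version {version!r} is not a family named in the advisory")


@dataclass
class VpnConfig:
    """Which IKEv2 VPN features are, or were, configured on the Firebox (assumed fields)."""
    muvpn_ikev2: bool = False                 # mobile user VPN with IKEv2
    bovpn_ikev2_dynamic_peer: bool = False    # BOVPN over IKEv2 to a dynamic gateway peer
    bovpn_static_peer: bool = False           # any BOVPN to a static gateway peer
    previously_had_ikev2_dynamic: bool = False  # either of the first two existed and was deleted


def config_exposed(cfg):
    """Apply the advisory's affected-configuration rule, including the deleted-config wrinkle."""
    if cfg.muvpn_ikev2 or cfg.bovpn_ikev2_dynamic_peer:
        return True
    return cfg.previously_had_ikev2_dynamic and cfg.bovpn_static_peer


def triage(version, cfg, model=None, fips=False):
    """Patch decision for one Firebox: unpatched?, exposed config?, target release, action."""
    fixed = fixed_release(version, model, fips)
    unpatched = True if fixed is None else parse_version(version) < parse_version(fixed)
    exposed = config_exposed(cfg)
    if not unpatched:
        action = "up to date"
    elif fixed is None:
        action = "11.x is end of life: no fix available, migrate to a supported release"
    elif exposed:
        action = f"affected configuration: update to {fixed} now, or apply the KB mitigation"
    else:
        action = f"configuration not named as affected, but update to {fixed} anyway"
    return {"unpatched": unpatched, "config_exposed": exposed,
            "fixed_release": fixed, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real devices.
    fleet = [
        ("hq-fw", "12.11.3", "M390", False, VpnConfig(bovpn_ikev2_dynamic_peer=True)),
        ("branch-1", "12.5.12", "T35", False,
         VpnConfig(bovpn_static_peer=True, previously_had_ikev2_dynamic=True)),
        ("lab-fips", "12.3.1_Update2", "M470", True, VpnConfig()),
        ("new-site", "2025.1.1", "T45", False, VpnConfig(muvpn_ikev2=True)),
        ("legacy", "11.12.4", "T10", False, VpnConfig(bovpn_static_peer=True)),
    ]
    for name, ver, model, fips, cfg in fleet:
        r = triage(ver, cfg, model=model, fips=fips)
        print(f"{name:10} {ver:16} {r['action']}")
```

The deleted-configuration case is the one most inventories miss: config_exposed() needs a flag for what the device used to run, which normally has to come from change records or old configuration backups rather than from the current config file.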
For customers who have configured their branch office VPNs as static gateway peers but cannot update immediately for operational reasons, WatchGuard has provided mitigation steps, outlined in the knowledge base article, Secure Access to Branch Office VPNs that Use IPSec and IKEv2.
Ransomware targets
Customers need to take this update seriously. Firewalls, and their VPN services in particular, are now constantly targeted by threat actors, which makes keeping them patched all the more critical. Only this week, SonicWall warned about attacks attempting to brute force the cloud backup system used by some of its firewall customers. And last week, the Australian Cyber Security Centre said it had seen an increase in exploit attempts by the Akira ransomware gang, targeting an old vulnerability in the same company’s firewalls when SSL VPN is enabled.
Earlier in 2025, customers of Fortinet’s FortiGate next generation firewall were warned to check systems for compromise following a dump of stolen configuration and VPN credentials by a threat actor.