WatchGuard Fireware OS Vulnerability: CVE-2025-9242 Enables Remote Code Execution

A critical flaw in WatchGuard Fireware OS (CVE-2025-9242) allows remote, unauthenticated code execution through vulnerable VPN configurations and is already being actively exploited. Even devices with dynamic peers disabled may remain at risk, prompting urgent patching across affected versions.

    A newly disclosed vulnerability in WatchGuard Fireware OS, tracked as CVE-2025-9242, is raising significant concern across industries relying on VPN connectivity. With a critical Common Vulnerability Scoring System (CVSS v4) rating of 9.3, this flaw in WatchGuard’s firewall operating system allows remote, unauthenticated attackers to execute arbitrary code, and it is already being actively exploited in the wild.

    Vulnerability in the ‘iked’ Process Allows Remote Code Execution

    CVE-2025-9242 is categorized as an out-of-bounds write vulnerability residing in the ‘iked’ process of WatchGuard’s Fireware OS. The flaw affects VPN connections—specifically Mobile User VPN and Branch Office VPN (BOVPN) configurations using Internet Key Exchange version 2 (IKEv2) with dynamic gateway peers.

    Devices Remain Vulnerable Even After Removing Dynamic Peer Configurations

    According to multiple advisories, including those from WatchGuard and the National Vulnerability Database (NVD), even systems where dynamic VPN configurations have been disabled may remain exposed. If a Branch Office VPN to a static gateway peer is still configured, the vulnerability can persist. This nuance significantly expands the potential attack surface.

    Impacted versions span a wide range, including:

    • Fireware OS 11.10.2 through 11.12.4_Update1 (now end-of-life)
    • Versions 12.0 through 12.11.3
    • Version 2025.1

    WatchGuard Firebox models across current and legacy product lines are affected, with CSO Online estimating nearly three dozen devices at risk.

    Updated Versions Provide Fixes for Supported Builds

    WatchGuard has released patched builds that address CVE-2025-9242 in the following versions:

    • 12.3.1_Update3
    • 12.5.13
    • 12.11.4
    • 2025.1.1

    Administrators and security teams are advised to update to these patched versions as a matter of priority. The American Hospital Association (AHA) has issued a special bulletin urging healthcare organizations to assess their exposure and remediate quickly, citing the risk to sensitive health data and potential disruption of clinical operations.

    Workarounds Exist if Immediate Patching Cannot Be Performed

    For organizations unable to patch systems immediately, WatchGuard has outlined the following temporary mitigations:

    • Disable all dynamic peer Branch Office VPNs using IKEv2
    • Modify associated firewall policies to restrict traffic
    • Conduct full configuration reviews to identify any remaining vulnerable peer setups, including static gateways

    These steps can help contain the risk while full patch deployment is underway.

    Industry Response and Threat Landscape Considerations

    Active Exploitation Increases Urgency

    The CVE-2025-9242 vulnerability is not theoretical. According to reports from TechRadar and the Cyber Express, exploitation has already been observed by threat actors. This elevates the issue from a high-severity potential risk to an active threat requiring immediate operational attention.

    In particular, organizations with externally exposed Firebox VPN endpoints should assume they are at risk and act accordingly. Unauthenticated remote code execution reachable through a VPN interface places this vulnerability in a class of bugs that has historically led to full network compromise.

    High-Risk Sectors Like Healthcare Are on Alert

    Because VPN infrastructure often serves as a central access point for remote users and branch locations, the implications of CVE-2025-9242 span beyond the firewall itself. In sectors such as healthcare, where operational integrity and data security are mission-critical, regulators and industry groups are encouraging rapid action.

    The AHA’s involvement signals broader concern from public-sector and compliance-focused organizations. Institutions subject to HIPAA, PCI DSS, or NIST standards should consider the vulnerability a top priority.

    Final Recommendations for WatchGuard Fireware OS Users

    Security analysts across advisory sources unanimously agree that action is needed now. Based on summaries from WatchGuard, CSO Online, and Arctic Wolf, the following steps are recommended:

    1. Identify affected systems by checking Fireware OS version and active VPN configurations.
    2. Apply patches to the latest available supported versions: 12.3.1_Update3, 12.5.13, 12.11.4, or 2025.1.1.
    3. Temporarily disable dynamic peer BOVPNs and tighten firewall rules if patching cannot be completed immediately.
    4. Audit configurations for residual static VPN peers that may leave the system exploitable.
    5. Monitor network logs for suspicious activity targeting the IKEv2 or VPN subsystems.
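To support steps 1 and 2, the following added example (not WatchGuard's tooling or code from this article) classifies Fireware OS version strings from an inventory against the affected ranges and patched builds listed above. The version format it parses (`major.minor[.patch][_UpdateN]`) and the assumption that later builds on an already patched branch keep the fix are assumptions of this example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, update); "_UpdateN" -> update=N
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")

def parse_version(text: str) -> Version:
    """Parse strings such as '12.11.3', '2025.1' or '12.3.1_Update3'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    major, minor, patch, update = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, update)

# Inclusive affected ranges as listed in the article.
AFFECTED_RANGES = [
    (parse_version("11.10.2"), parse_version("11.12.4_Update1")),  # end-of-life branch
    (parse_version("12.0"), parse_version("12.11.3")),
    (parse_version("2025.1"), parse_version("2025.1")),
]

# Patched builds as listed. Assumption: later builds on the same
# major.minor branch keep the fix.
FIXED_BUILDS = [parse_version(v) for v in
                ("12.3.1_Update3", "12.5.13", "12.11.4", "2025.1.1")]

def fixed_build_for_branch(v: Version) -> Optional[Version]:
    """Return the listed patched build on v's major.minor branch, if any."""
    for fb in FIXED_BUILDS:
        if fb[:2] == v[:2]:
            return fb
    return None

def triage(text: str) -> str:
    """Classify a Fireware OS version as 'fixed', 'affected' or 'not listed'."""
    v = parse_version(text)
    # Check patched builds first: their numbers sit inside the affected
    # ranges because the fix was backported to older branches.
    fb = fixed_build_for_branch(v)
    if fb is not None and v >= fb:
        return "fixed"
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    return "not listed"

if __name__ == "__main__":
    # Constructed inventory for illustration, not real devices.
    for name, ver in [("fw-hq", "12.11.3"), ("fw-br1", "12.3.1_Update3"),
                      ("fw-lab", "11.12.4_Update1"), ("fw-dc", "2025.1.1")]:
        print(f"{name:8} {ver:18} {triage(ver)}")
```

A version that is "not listed" still needs a manual check, since the article covers only the ranges it names; the "affected" result is the cue to apply the patched build for that branch or the interim mitigations above.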

    The CVE-2025-9242 vulnerability underscores the systemic risk VPN infrastructure can present when exploited by attackers. Given its critical status and active exploitation, organizations using WatchGuard Fireware OS should treat this issue with the same seriousness as any other externally exploitable, unauthenticated remote code execution threat.

    Administrators are advised to act without delay to update or isolate impacted systems and safeguard critical business operations.
