WatchGuard on Wednesday released security updates to fix a critical remote-code execution vulnerability in its Firebox firewall devices, tracked as CVE-2025-9242. The flaw stems from an out-of-bounds write in the Fireware OS iked process that could allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable devices. MITRE classifies the weakness as Out-of-bounds Write (CWE-787).
WatchGuard says the flaw affects Fireware OS 11.x (end of life), 12.x and 2025.1, with patches available for versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4 and 2025.1.1. The advisory notes that Firebox devices configured for IKEv2 VPN are vulnerable, and that the issue may still be exploitable on devices where the vulnerable configuration was later removed, provided a branch office VPN to a static gateway peer remains configured.
WatchGuard has published a temporary workaround for administrators who cannot immediately patch devices running vulnerable software configured with Branch Office VPN (BOVPN) tunnels to static gateway peers. The workaround involves disabling dynamic peer BOVPNs, adding new firewall policies, and disabling the default system policies that handle VPN traffic, as detailed in WatchGuard's BOVPN hardening guidance support document.
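A fleet-triage helper written for this article (not WatchGuard's own tooling) that combines the fixed versions listed above with the two exposure conditions the advisory describes. It assumes that a 12.x branch with no listed fixed release has to be upgraded to one of the listed releases, and the inventory records it reads (`version`, `ikev2_vpn`, `bovpn_static_peer`) are constructed field names, not a WatchGuard export format.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory for CVE-2025-9242 (values from the article).
# Key: (major, minor) branch -> minimum patched (major, minor, patch, update).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (12, 3): (12, 3, 1, 3),      # 12.3.1 Update3 (build B722811)
    (12, 5): (12, 5, 13, 0),
    (12, 11): (12, 11, 4, 0),
    (2025, 1): (2025, 1, 1, 0),
}

# Accepts "12.11.4", "12.3.1_Update3", "2025.1", "12.5.13 Update1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[_ ]?Update(\d+))?$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Fireware version string into a tuple that compares numerically."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', 'eol' (11.x) or 'unknown' (branch not in the list)."""
    v = parse_version(version)
    if v[0] == 11:
        return "eol"              # 11.x is end of life: no fix, migrate instead
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return "unknown"          # assumption: unlisted branch, review by hand
    return "patched" if v >= fixed else "vulnerable"


def triage(device: Dict) -> str:
    """Rank one inventory record: exposure exists if IKEv2 VPN is configured now,
    or if a BOVPN to a static gateway peer is still present (advisory conditions)."""
    status = patch_status(device["version"])
    if status == "patched":
        return "ok"
    if status == "unknown":
        return "review: branch not covered by the advisory's fixed-version list"
    if status == "eol":
        return "eol: no fix available, migrate to a supported release"
    exposed = device.get("ikev2_vpn", False) or device.get("bovpn_static_peer", False)
    if exposed:
        return "exposed: patch now, or apply the BOVPN workaround until you can"
    return "patch: vulnerable build, but no IKEv2/BOVPN exposure configured"
```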
Although the vulnerability is not currently being exploited in the wild, WatchGuard emphasizes patching as the primary defense since firewalls remain attractive targets for threat actors.