WatchGuard patches ‘critical’ VPN flaw in firewalls that could lead to compromise

Who is affected?: A list of the nearly three dozen firewall models affected by CVE-2025-9242 is available from WatchGuard’s website. The vulnerable versions of the Fireware OS are 2025.1, 12.x, 12.5.x (T15 & T35 models), 12.3.1 (FIPS-certified release), and 11.x (end of life). These are addressed (in the same order) by updating to versions 2025.1.1, 12.11.4, 12.5.13, and 12.3.1_Update3 (B722811); no fixed release is listed for the end-of-life 11.x branch.

Although all customers should update, the configurations directly affected are spelled out in the advisory: “This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.”

However, the company warned that customers who had used their firewall VPNs in this way in the past, but no longer do so, could also be affected: “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured,” the advisory noted.

This sounds convoluted, so how is such a wrinkle possible at all? The advisory does not say, but one possibility is that Fireware OS persists IKE configuration state, surviving reboots, so that remnants of a deleted IKEv2 configuration can still influence how a remaining static-peer branch office VPN behaves. The practical takeaway is that a Firebox with any IKEv2 branch office VPN still configured should be treated as potentially exposed, regardless of whether the dynamic-peer or mobile user VPN configuration was later removed.

For customers who have configured their branch office VPNs with static gateway peers but cannot update immediately for operational reasons, WatchGuard has provided mitigation steps in the knowledge base article “Secure Access to Branch Office VPNs that Use IPSec and IKEv2”.

Ransomware targets: Customers need to take this update seriously. Firewalls, and their VPN services in particular, are now constantly targeted by threat actors, which makes keeping them patched all the more critical.

Only this week, SonicWall warned about attacks attempting to brute-force the cloud backup system used by some of its firewall customers. Last week, the Australian Cyber Security Centre said it had seen an increase in exploitation attempts by the Akira ransomware gang targeting an old vulnerability in the same company’s firewalls when SSL VPN is enabled.

Earlier in 2025, customers of Fortinet’s FortiGate next-generation firewalls were warned to check their systems for compromise after a threat actor dumped stolen configuration files and VPN credentials.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4059623/watchguard-patches-critical-vpn-flaw-in-firewalls-that-could-lead-to-compromise.html
