Critical WatchGuard Firebox Vulnerability Exploited in Attacks

Tracked as CVE-2025-9242 (CVSS score of 9.3), the flaw leads to unauthenticated, remote code execution on vulnerable firewalls.


A recent critical-severity vulnerability in WatchGuard Firebox firewalls has been exploited in the wild, the US cybersecurity agency CISA warns.

Powered by WatchGuard’s Fireware OS, the Firebox network security devices control all traffic to and from the internal network, and are designed to protect the environment from external threats.

In September, WatchGuard warned that a critical-severity out-of-bounds write bug in the Fireware OS iked process could be exploited for unauthenticated remote code execution.

Tracked as CVE-2025-9242 (CVSS score of 9.3), the security defect affects “both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” WatchGuard said.

In late October, just as watchTowr published a technical writeup on the vulnerability, The Shadowserver Foundation warned that its scanners were seeing over 73,000 Firebox network appliances that had not been patched against the bug.

Now, CISA has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) list, urging federal agencies to patch it within three weeks, as mandated by Binding Operational Directive (BOD) 22-01.


WatchGuard resolved the issue in Fireware OS versions 2025.1.1, 12.11.4, 12.5.13, and 12.3.1_Update3 (B722811), noting that no fixes would be released for Fireware OS 11.x, which has been discontinued.

On October 21, the vendor updated its advisory to mention the flaw’s in-the-wild exploitation and to include indicators of compromise (IOCs).

“As of this update, in addition to installing the latest Fireware OS release that contains the fix, administrators should take precautions to rotate all locally stored secrets on vulnerable Firebox appliances,” the company said.

CISA added the security defect to the KEV list alongside CVE-2025-12480, a critical vulnerability in Gladinet’s Triofox secure file sharing and remote access solution, and CVE-2025-62215, a privilege escalation bug in the Windows kernel.

Gladinet patched the Triofox flaw in late July and its exploitation started a month later. The Windows kernel defect has been exploited as a zero-day.

Related: Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon

Related: Runc Vulnerabilities Can Be Exploited to Escape Containers

Related: CISA Warns of CWP Vulnerability Exploited in the Wild

Related: CISA Warns of Exploited DELMIA Factory Software Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
