Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication.
Firebox devices act as a central defense hub that controls traffic between internal and external networks, providing protection through policy management, security services, VPN, and real-time real-time visibility through WatchGuard Cloud.
Scans from The Shadowserver Foundation currently show that there are 75,835 vulnerable Firebox appliances across the world, most of them in Europe and North America.
Specifically, the United States tops the list with 24,500 endpoints, followed by Germany (7,300), Italy (6,800), United Kingdom (5,400), Canada (4,100), and France (2,000).
Heatmap of vulnerable Firebox devices
Source: The Shadowserver Foundation
WatchGuard disclosed CVE-2025-9242 in a security bulletin on September 17 and rated the vulnerability with a critical-severity score of 9.3. The security problem is an out-of-bounds write in the Fireware OS ‘iked’ process, which handles IKEv2 VPN negotiations.
The flaw can be exploited without authentication by sending specially crafted IKEv2 packets to vulnerable Firebox endpoints, forcing it to write data to unintended memory areas.
It only affects Firebox appliances that use IKEv2 VPNs with dynamic gateway peers, on versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1
The vendor suggested an upgrade to one of the following versions:
... continue reading