CISA warns of WatchGuard firewall flaw exploited in attacks

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned government agencies to patch an actively exploited vulnerability impacting WatchGuard Firebox firewalls.

Remote attackers can exploit this critical out-of-bounds write flaw (CVE-2025-9242) to execute malicious code on vulnerable firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1.

CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until December 3, to secure their systems against ongoing attacks as mandated by the Binding Operational Directive (BOD) 22-01.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency said.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

While WatchGuard released security patches to address the vulnerability on September 17, the company only tagged it as exploited in attacks almost one month later, on October 21.

One day earlier, on October 20, Internet watchdog Shadowserver revealed that it was tracking over 75,000 vulnerable Firebox appliances worldwide. This number has fallen to just over 54,000, according to Shadowserver's latest statistics, most of them located in Europe and North America.

Vulnerable WatchGuard Firebox appliances (Shadowserver)

Although CISA's order only applies to federal agencies, all organizations are advised to prioritize patching this vulnerability as soon as possible since firewalls are an attractive target for threat actors.

For instance, the Akira ransomware gang has been actively exploiting CVE-2024-40766, a year-old critical-severity vulnerability, to hack into SonicWall firewalls since September 2024.
