More than 73,000 WatchGuard Firebox devices remain unpatched against a recent critical-severity vulnerability, data from The Shadowserver Foundation shows.
Network security devices running WatchGuard’s Fireware OS, Firebox appliances control all traffic to and from the internal network, and offer VPN and proxy capabilities.
While these firewalls are meant to protect the network from external threats, devices running Fireware OS versions 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1 are affected by a critical-severity bug that allows unauthenticated remote attackers to execute arbitrary code.
Tracked as CVE-2025-9242 (CVSS score of 9.3) and described as an out-of-bounds write issue in the platform’s ‘iked’ process, the security defect “affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.”
As WatchTowr summarizes in a technical writeup, the flaw affects a service typically accessible from the internet, it can be exploited without authentication, and enables attackers to execute arbitrary code on network appliances.
In mid-September, WatchGuard released Fireware OS versions 2025.1.1, 12.11.4, 12.5.13, and 12.3.1_Update3 (B722811) with fixes for the vulnerability, warning that over 30 firewall models are affected, including Firebox Cloud, Firebox NV5, and FireboxV.
“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured,” the company warned.
According to WatchGuard, it has over 250,000 small and midsize enterprises as customers. This indicates that there might be hundreds of thousands of Firebox devices deployed in production worldwide.
As of October 20, one month after patches were released for CVE-2025-9242, more than 73,800 Fireboxes remain vulnerable to the critical bug, scans performed by The Shadowserver Foundation reveal.
Roughly 24,000 of these devices are in the US, the scans show. Germany (7,000), Italy (6.500), UK (5.300), and Canada (3.900) round up the top five, with the rest spread across more than 100 countries.
Organizations are advised to apply WatchGuard’s patches as soon as possible, given the risks associated with the vulnerability.
Related: ConnectWise Patches Critical Flaw in Automate RMM Tool
Related: Windows 10 Still on Over 40% of Devices as It Reaches End of Support
Related: Achieving Sustainable Cybersecurity Through Proper Care and Feeding
Related: Work-from-Anywhere Requires “Work-from-Anywhere Security”
