
Over 70K vulnerable WatchGuard Firebox instances exposed on internet


The Shadowserver Foundation posted on Oct. 19 that it found more than 71,000 vulnerable instances of WatchGuard’s Firebox network security appliances despite the vendor having released patches for the devices a month ago.

The CVE-2025-9242 flaw was given a CVSS score of 9.3 on Sept. 17 when WatchGuard released the patch.

The Firebox flaw itself is an out-of-bounds vulnerability in the WatchGuard Fireware OS that could allow a remote, unauthenticated attacker to execute arbitrary code. It affects the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.

Shane Barney, chief information security officer at Keeper Security, said it’s a serious flaw because it affects devices that sit at the edge of an organization’s network, managing VPN traffic, and controlling communication between internal and external systems.

“These are high-value targets for attackers seeking initial access or persistence because they provide direct paths into protected environments,” said Barney. “This vulnerability is especially concerning because it enables unauthenticated remote code execution, meaning an attacker doesn’t need credentials to gain full control of a vulnerable device.”

Barney explained that once a device is compromised, attackers can use it to deploy malware, establish command-and-control channels or pivot into corporate and cloud infrastructure. Organizations running affected Firebox versions should treat this as an active incident risk. Immediate steps include isolating and patching vulnerable systems, disabling IKEv2 VPN with dynamic gateways if patching isn’t feasible, and auditing logs for signs of exploitation.

Damon Small, a board member at Xcape, Inc., added that the IKEv2 VPN component has an RCE vulnerability that lets an attacker take complete control of the firewall — a perimeter device — without requiring login credentials.

“With [so many] gadgets made available to the public, mass exploitation is a real possibility,” Small said. “As a vital temporary mitigation, teams must stop the IKEv2 mobile/dynamic gateway VPN capability or upgrade to the vendor's patched Fireware OS firmware right away.”
