The Register

WatchGuard sounds alarm as critical Firebox flaw comes under active attack

WatchGuard is in emergency patch mode after confirming that a critical remote code execution flaw in its Firebox firewalls is under active attack.

In an advisory published this week, the network security vendor warned customers that attackers are exploiting CVE-2025-32978, a 9.3-rated vulnerability affecting Firebox firewalls. The bug allows unauthenticated attackers to execute arbitrary commands remotely, effectively handing over control of the firewall if the device is reachable over the internet.

WatchGuard said the bug resides in the Fireware OS Internet Key Exchange (IKE) service and can be exploited remotely, without authentication, to execute arbitrary code on vulnerable Firebox devices. The vendor confirmed it has seen the flaw actively exploited in the wild and has released indicators of compromise to help customers assess whether they’ve been hit.

“This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” WatchGuard said in a Thursday advisory. “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”

The immediate fix is to apply the latest firmware updates, which WatchGuard says fully address the vulnerability. For organizations unable to patch straight away, the vendor has provided a temporary workaround.
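The advisory's scoping rule has a non-obvious edge case (a Firebox whose IKEv2 configurations were deleted can still be affected if a static-peer branch office VPN remains), so it is worth encoding when triaging a fleet. The following is an added example, not WatchGuard's tooling or code from the article; the inventory record shape, the field names, and the device list are constructed assumptions, and it deliberately takes "patched" as a flag from your own inventory rather than guessing at firmware version numbers, which the article does not give.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical inventory record for one Firebox (assumed field names, not a
# WatchGuard format). Values would come from your own asset/config export.
@dataclass
class Firebox:
    name: str
    patched: bool                      # latest Fireware OS update applied
    muvpn_ikev2: bool                  # mobile user VPN with IKEv2 currently configured
    bovpn_ikev2_dynamic_peer: bool     # BOVPN using IKEv2 to a dynamic gateway peer
    bovpn_static_peer: bool            # BOVPN to a static gateway peer still configured
    ikev2_previously_configured: bool  # either IKEv2 config existed before and was deleted

# Triage outcomes, ordered from most to least urgent.
PATCHED = "PATCHED"
VULNERABLE = "VULNERABLE"              # matches the advisory's affected configurations
POSSIBLY_VULNERABLE = "POSSIBLY_VULNERABLE"  # the deleted-config / static-peer caveat
NOT_IN_SCOPE = "NOT_IN_SCOPE"          # no condition from the advisory applies; still update

def triage(fb: Firebox) -> str:
    """Apply the advisory's stated conditions for CVE-2025-32978 to one device."""
    if fb.patched:
        return PATCHED
    # Directly affected: MUVPN with IKEv2, or BOVPN IKEv2 to a dynamic gateway peer.
    if fb.muvpn_ikev2 or fb.bovpn_ikev2_dynamic_peer:
        return VULNERABLE
    # Caveat from the advisory: those configs were removed, but a BOVPN to a
    # static gateway peer is still present, so the device may still be vulnerable.
    if fb.ikev2_previously_configured and fb.bovpn_static_peer:
        return POSSIBLY_VULNERABLE
    return NOT_IN_SCOPE

def triage_fleet(devices: List[Firebox]) -> Dict[str, str]:
    """Map device name -> triage outcome for a whole inventory."""
    return {fb.name: triage(fb) for fb in devices}

def needs_action(results: Dict[str, str]) -> List[str]:
    """Devices that need the firmware update or the vendor workaround first."""
    urgent = (VULNERABLE, POSSIBLY_VULNERABLE)
    return sorted(n for n, status in results.items() if status in urgent)

# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Firebox("fw-hq-01", patched=True, muvpn_ikev2=True, bovpn_ikev2_dynamic_peer=False,
            bovpn_static_peer=True, ikev2_previously_configured=False),
    Firebox("fw-branch-02", patched=False, muvpn_ikev2=False, bovpn_ikev2_dynamic_peer=True,
            bovpn_static_peer=False, ikev2_previously_configured=False),
    # IKEv2 configs were deleted, but a static-peer BOVPN remains: the caveat case.
    Firebox("fw-branch-03", patched=False, muvpn_ikev2=False, bovpn_ikev2_dynamic_peer=False,
            bovpn_static_peer=True, ikev2_previously_configured=True),
    # IKEv2 configs were deleted and nothing static remains.
    Firebox("fw-branch-04", patched=False, muvpn_ikev2=False, bovpn_ikev2_dynamic_peer=False,
            bovpn_static_peer=False, ikev2_previously_configured=True),
]

if __name__ == "__main__":
    results = triage_fleet(SAMPLE_FLEET)
    for name, status in results.items():
        print(f"{name}: {status}")
    print("act first on:", needs_action(results))
```

The point of keeping `ikev2_previously_configured` as a separate field is that a snapshot of the current configuration alone cannot answer the advisory's question; you need configuration history (backups, change logs) to know whether a device that looks clean today falls under the caveat.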

Firewalls and edge appliances have become a favorite target for attackers precisely because they sit at the boundary of enterprise networks and often run with high privileges. A successful exploit doesn’t just compromise a single server; it can provide visibility into traffic, credentials, VPN connections, and downstream systems, all while hiding inside a box that many defenders implicitly trust.

Just days ago, Amazon disclosed a long-running espionage campaign it traced back to 2021, in which Russian GRU-linked attackers exploited CVE-2022-26318, an earlier critical unauthenticated RCE in WatchGuard Firebox and XTM appliances, to execute arbitrary code via exposed management access.

That disclosure came just weeks after CISA added another critical WatchGuard Fireware OS flaw, tracked as CVE-2025-9242, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation.

While WatchGuard has not linked the current exploitation to any specific threat actor, the pattern is now well established. Firewall vulnerabilities are rapidly weaponized, scanned for at scale, and chained with weak configurations to compromise networks before many organizations have time to react. ®
