CISA has issued an alert about a critical security flaw in WatchGuard Firebox devices after confirming that attackers are already exploiting it in the real world. The vulnerability has been added to the Known Exploited Vulnerabilities list, which highlights threats that need urgent attention. Thousands of Firebox appliances across different countries are affected by this flaw. Since these devices protect the edge of networks, the risk level is extremely high.

The vulnerability is tracked as CVE-2025-9242 and stems from an out-of-bounds write in the Fireware operating system. An attacker who can reach the device sends a specially crafted packet and can potentially execute code remotely on the firewall. The most worrying part is that no login or credentials are required.

A wide range of Fireware OS versions are affected, including 11.10.2 through 11.12.4_Update1. Versions from 12.0 up to 12.11.3 are also listed as vulnerable. Even the 2025.1 release is included in the advisory issued by the vendor. This means many Firebox models that organisations still rely on are currently at risk.
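To turn the version ranges above into a fleet check, here is an added example (not from the article or from WatchGuard) that parses Fireware version strings, including the `_UpdateN` suffix, and flags inventory entries that fall inside the listed ranges. It assumes the ranges are inclusive at both ends and that a version is written as up to three dotted numbers plus an optional `_UpdateN`; the inventory is constructed sample data.

```python
import re
from typing import List, Tuple

# Affected Fireware OS ranges as listed in the article. Treating both ends as
# inclusive ("through", "up to") is an assumption; confirm against the advisory.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")

def parse_fireware_version(text: str) -> Tuple[int, ...]:
    """Turn '12.11.3' or '11.12.4_Update1' into a sortable tuple: numeric parts
    padded to three places (so '12.0' sorts as 12.0.0) plus the Update number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (3 - len(parts))           # 11.12.4 < 11.12.4_Update1 < 11.12.5
    return tuple(parts) + (int(m.group(2) or 0),)

def is_affected(version: str) -> bool:
    """True when the version falls inside one of the listed ranges."""
    key = parse_fireware_version(version)
    return any(parse_fireware_version(lo) <= key <= parse_fireware_version(hi)
               for lo, hi in AFFECTED_RANGES)

def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose Fireware version is in an affected range."""
    return [host for host, ver in inventory if is_affected(ver)]

# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "12.5.9_Update2"),
    ("fw-hq-edge", "11.12.4_Update1"),
    ("fw-lab", "11.12.4_Update2"),
    ("fw-dc-02", "2025.1"),
    ("fw-old", "11.10.1"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: Fireware version in an affected range, patch or apply workarounds")
```

A version outside the listed ranges is not thereby confirmed safe; the article gives only ranges, so anything it does not cover should be checked against the vendor advisory.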

Security researchers reported that over 54,000 Firebox devices remained exposed to the internet in November 2025. In October, earlier scans showed more than 75,000 vulnerable devices worldwide. Many of these systems are located in the United States, Europe, and Canada. A large number of them are directly reachable from the public internet, making them easy targets.

The threat becomes more serious because attackers can access the affected devices without authentication. They can completely bypass login requirements and take control of the firewall. Once a firewall is compromised, attackers can move deeper into internal networks. This makes the flaw an attractive target for ransomware groups and advanced attackers.

WatchGuard has published a detailed advisory explaining the vulnerability, listing all affected versions, and providing updated firmware containing the fix. They also shared detection tips that can help administrators identify suspicious or malicious activity; one such sign is abnormal IKEv2 traffic patterns. Administrators are strongly advised to install the fixed firmware as soon as possible.

CISA has instructed U.S. federal civilian agencies to apply the patch by December 3, 2025. Although this requirement is specifically for federal networks, the warning applies to all organisations using Firebox devices. Delaying the update leaves networks exposed to ongoing exploitation attempts. Applying the patch is the most effective way to stay protected.

If immediate patching is not possible, temporary workarounds can reduce the risk. These include disabling or restricting the VPN configurations that make the device vulnerable. Administrators should also ensure that management interfaces and critical ports are not exposed to the internet. Since attackers are already exploiting this flaw, taking quick action is essential for security.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news