WatchGuard Firebox iked Out of Bounds Write Vulnerability
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.
This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
| Vulnerable Version | Resolved Version |
|---|---|
| 2025.1 | 2025.1.1 |
| 12.x | 12.11.4 |
| 12.5.x (T15 & T35 models) | 12.5.13 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x | End of Life |
If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.
| Product Family | Product Branch | Product List |
|---|---|---|
Firebox
|
Fireware OS 12.5.x | T15, T35 |
Firebox
|
Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
Firebox
|
Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |