=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN625
_____________________________________________________________________

DATE                : 19/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Fireware OS versions prior to
               2025.1.1, 12.11.4, 12.5.13, 12.3.1_Update3 (B722811).

=====================================================================
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
_____________________________________________________________________


CVE              CVE-2025-9242
Impact           Critical
Status           Resolved
Product Family   Firebox
Published Date   2025-09-17
Updated Date     2025-09-17
Workaround Available   True
CVSS Score             9.3
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


Summary

An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS
iked process may allow a remote unauthenticated attacker to execute
arbitrary code. This vulnerability affects both the mobile user VPN
with IKEv2 and the branch office VPN using IKEv2 when configured
with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN
with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway
peer, and both of those configurations have since been deleted,
that Firebox may still be vulnerable if a branch office VPN to a
static gateway peer is still configured.


Affected

This vulnerability affects Fireware OS 11.10.2 up to and including
11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.


Resolution

Vulnerable Version                  Resolved Version
2025.1                              2025.1.1
12.x                                12.11.4
12.5.x (T15 & T35 models)           12.5.13
12.3.1 (FIPS-certified release)     12.3.1_Update3 (B722811)
11.x                                End of Life


Workaround

If your Firebox is only configured with Branch Office VPN tunnels
to static gateway peers and you are not able to immediately upgrade
the device to a version of Fireware OS with the vulnerability
resolution, you can follow WatchGuard’s recommendations for Secure
Access to Branch Office VPNs that Use IPSec and IKEv2 as a
temporary workaround.
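The Summary, Affected, Resolution and Workaround sections above together define a triage rule: which Fireware OS builds are in the affected ranges (with the separate 12.5.x branch for T15/T35 and the FIPS 12.3.1_Update3 build), which VPN configurations expose the iked process, and when the static-peer BOVPN workaround applies. The following helper is an added example, not code from WatchGuard or CERT-Renater; it encodes only the ranges and conditions stated in this note, and the Firebox inventory records embedded in it are constructed sample data.

```python
"""Triage helper for WGSA-2025-00015 / CVE-2025-9242 (added example, not
WatchGuard's or CERT-Renater's code). Version ranges and configuration
conditions are taken from the advisory text; sample records are constructed."""
import re
from dataclasses import dataclass

T15_T35 = {"T15", "T35"}  # models that stay on the separate 12.5.x branch


def parse_version(text):
    """'12.3.1_Update3 (B722811)' -> (12, 3, 1, 3); '2025.1' -> (2025, 1, 0, 0)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def version_status(version, model=None, fips=False):
    """Return 'vulnerable', 'resolved' or 'not-listed' per Affected/Resolution."""
    v = parse_version(version)
    if v[0] == 11:
        # 11.10.2 .. 11.12.4_Update1 is affected; 11.x is End of Life (no fix)
        return "vulnerable" if (11, 10, 2, 0) <= v <= (11, 12, 4, 1) else "not-listed"
    if v[0] == 2025:
        if v < (2025, 1, 0, 0):
            return "not-listed"
        return "resolved" if v >= (2025, 1, 1, 0) else "vulnerable"
    if v[0] == 12:
        if fips and v[:3] == (12, 3, 1):
            # FIPS-certified release: fixed in 12.3.1_Update3 (B722811)
            return "resolved" if v[3] >= 3 else "vulnerable"
        if model in T15_T35 and v[:2] == (12, 5):
            # T15/T35 branch: fixed in 12.5.13
            return "resolved" if v[2] >= 13 else "vulnerable"
        # all other 12.x: 12.0 .. 12.11.3 affected, fixed in 12.11.4
        return "resolved" if v >= (12, 11, 4, 0) else "vulnerable"
    return "not-listed"


@dataclass
class FireboxConfig:
    muvpn_ikev2: bool = False            # mobile user VPN with IKEv2 present now
    bovpn_ikev2_dynamic: bool = False    # BOVPN using IKEv2 to a dynamic gateway peer
    bovpn_static: bool = False           # BOVPN to a static gateway peer
    had_ikev2_dynamic_before: bool = False  # either of the first two existed, since deleted


def exposure(cfg):
    """Map the Summary's configuration conditions to an exposure verdict."""
    if cfg.muvpn_ikev2 or cfg.bovpn_ikev2_dynamic:
        return "exposed"
    if cfg.had_ikev2_dynamic_before and cfg.bovpn_static:
        return "possibly-exposed"  # advisory: "may still be vulnerable"
    return "no-listed-exposure"


def recommended_action(version, cfg, model=None, fips=False):
    """Combine version status, exposure and workaround eligibility."""
    status = version_status(version, model, fips)
    if status != "vulnerable":
        return status
    exp = exposure(cfg)
    only_static = cfg.bovpn_static and not (cfg.muvpn_ikev2 or cfg.bovpn_ikev2_dynamic)
    if only_static:
        return f"{exp}: upgrade; static-peer BOVPN workaround applies until then"
    return f"{exp}: upgrade"


# Constructed inventory (hypothetical device names), not real data.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "12.11.3", "M270", False, FireboxConfig(bovpn_ikev2_dynamic=True)),
    ("fw-branch-02", "12.5.12", "T15", False, FireboxConfig(bovpn_static=True, had_ikev2_dynamic_before=True)),
    ("fw-hq-01", "12.11.4", "M590", False, FireboxConfig(muvpn_ikev2=True)),
    ("fw-fips-01", "12.3.1_Update3 (B722811)", "M470", True, FireboxConfig(muvpn_ikev2=True)),
]


def triage_inventory(records=SAMPLE_INVENTORY):
    """Return {device: action} for each inventory record."""
    return {name: recommended_action(ver, cfg, model, fips)
            for name, ver, model, fips, cfg in records}


if __name__ == "__main__":
    for device, action in triage_inventory().items():
        print(f"{device:14} {action}")
```

The model and FIPS flags matter because the same version string can be resolved on one branch and still affected on another: 12.5.13 is the fix for T15/T35 but remains inside the 12.0 to 12.11.3 affected range on every other model.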

Credits              btaol

Advisory Product List

Product Family   Product Branch         Product List
Firebox          Fireware OS 12.5.x     T15, T35
Firebox          Fireware OS 12.x       T20, T25, T40, T45, T55, T70, T80,
                                        T85, M270, M290, M370, M390, M470,
                                        M570, M590, M670, M690, M440, M4600,
                                        M4800, M5600, M5800, Firebox Cloud,
                                        Firebox NV5, FireboxV
Firebox          Fireware OS 2025.1.x   T115-W, T125, T125-W, T145, T145-W,
                                        T185

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
