WatchGuard published a new security vulnerability on December 18, 2025, which you absolutely must be aware of:
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.
WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild.
Since this security vulnerability is already being exploited by attackers, please update your Fireboxes as soon as possible:
| Vulnerable Version | Resolved Version |
|---|---|
| 2025.1 | 2025.1.4 |
| 12.x | 12.11.6 |
| 12.5.x (T15 & T35 models) | 12.5.15 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update4 (B728352) |
| 11.x | End of Life |
Official documentation can be found here:
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
