WatchGuard Firebox iked Out of Bounds Write Vulnerability
Updated November 07 2025: Updated to correct an error in the logging level required for the IDi payload size IOA.
Updated October 21 2025: Updated to provide Indicators of Attack and additional remediation guidance due to potential active exploits in the wild.
Updated December 1 2025: Updated the IKE Process Hang Indicator of Attack with new information regarding tunnel traffic availability.
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.
Updated October 21 2025
We have evidence that suggests this vulnerability is under active exploitation.
Indicators of Attack
We are providing the following Indicators of Attack (IoAs) to help device owners identify potential attempts to exploit this vulnerability against vulnerable Firebox appliances. These IoAs are only applicable on devices that lack the resolution described later in this advisory.
Abnormally large IKE_AUTH request IDi payload
With iked diagnostic logging set to the Info logging level, the iked process generates a log message when the Firebox receives an IKE_AUTH request message. An IKE_AUTH request log message with an abnormally large IDi payload size (greater than 100 bytes) is a strong indicator of an attack.
The following example diagnostic log line shows an IDi payload size of 300 bytes:

```
1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads [ IDi(sz=300) CERT(sz=889) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]
```
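The following is an added detection example, not code from WatchGuard or from the original advisory. It parses iked diagnostic log lines of the form shown above, extracts the per-payload `sz=` values, and flags any IKE_AUTH request whose IDi payload exceeds the advisory's 100-byte threshold. The sample log is constructed for the example (the first line is the advisory's own example, the others are made up for contrast); the regular expressions assume the payload listing always uses the `NAME(sz=N)` form shown in the advisory.

```python
import re
from typing import Optional

# Threshold from the advisory: an IDi payload larger than 100 bytes in an
# IKE_AUTH request is a strong indicator of attack.
IDI_SIZE_THRESHOLD = 100

# Matches one entry of the payload listing, e.g. "IDi(sz=300)"
# (assumes the NAME(sz=N) format shown in the advisory's example line).
PAYLOAD_RE = re.compile(r"(?P<name>[A-Za-z]+)\(sz=(?P<size>\d+)\)")

# Matches the address pair iked prints, e.g. "(203.0.113.1<->203.0.113.2)".
# The advisory does not say which side is the Firebox, so both are kept as printed.
PEERS_RE = re.compile(r"\((?P<addr_a>[^<\s]+)<->(?P<addr_b>[^)\s]+)\)")


def parse_ike_auth_request(line: str) -> Optional[dict]:
    """Parse an iked "IKE_AUTH request" log line.

    Returns a dict with the two printed addresses and a {payload_name: size}
    map, or None if the line is not an IKE_AUTH request message from iked.
    """
    if "iked" not in line or '"IKE_AUTH request" message' not in line:
        return None
    peers = PEERS_RE.search(line)
    payloads = {m.group("name"): int(m.group("size")) for m in PAYLOAD_RE.finditer(line)}
    if not payloads:
        return None
    return {
        "addr_a": peers.group("addr_a") if peers else None,
        "addr_b": peers.group("addr_b") if peers else None,
        "payloads": payloads,
    }


def is_suspicious_idi(parsed: dict, threshold: int = IDI_SIZE_THRESHOLD) -> bool:
    """True when the IDi payload is strictly larger than the threshold."""
    return parsed["payloads"].get("IDi", 0) > threshold


def scan_log(lines) -> list:
    """Return one record per IKE_AUTH request line whose IDi payload is oversized."""
    hits = []
    for line in lines:
        parsed = parse_ike_auth_request(line)
        if parsed is not None and is_suspicious_idi(parsed):
            hits.append({
                "addr_a": parsed["addr_a"],
                "addr_b": parsed["addr_b"],
                "idi_size": parsed["payloads"]["IDi"],
                "line": line,
            })
    return hits


# Constructed sample log. The first line is the advisory's example; the second
# is a made-up benign IKE_AUTH request; the third is a made-up non-IKE_AUTH line.
SAMPLE_LOG = [
    '1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads [ IDi(sz=300) CERT(sz=889) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]',
    '1970-01-01 01:00:05 iked (203.0.113.1<->198.51.100.7)"IKE_AUTH request" message has 5 payloads [ IDi(sz=24) AUTH(sz=36) SA(sz=44) TSi(sz=24) TSr(sz=24)]',
    '1970-01-01 01:00:06 iked (203.0.113.1<->198.51.100.7)"IKE_SA_INIT request" message has 4 payloads [ SA(sz=48) KE(sz=264) Ni(sz=36) N(sz=8)]',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"oversized IDi ({hit['idi_size']} bytes) between {hit['addr_a']} and {hit['addr_b']}")
```

Run it against exported iked diagnostic logs (Info level or more verbose, as the advisory states) to list IKE_AUTH requests that meet the IoA; a hit on an unpatched Firebox warrants the secret-rotation steps described later in the advisory.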
IKE Process Hang
During a successful exploit, the IKED process (responsible for handling IKE negotiations) will hang, interrupting VPN tunnel negotiations and re-keys. This is a strong indicator of attack. Existing tunnels may continue to pass traffic.
IKED Process Crash
After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox. Be aware that there are other situations that could cause the IKED process to crash. This is a weak indicator of attack.
This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
| Vulnerable Version | Resolved Version |
|---|---|
| 2025.1 | 2025.1.1 |
| 12.x | 12.11.4 |
| 12.5.x (T15 & T35 models) | 12.5.13 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x | End of Life |
Updated October 21 2025
As of this update, in addition to installing the latest Fireware OS release that contains the fix, administrators should take precautions to rotate all locally stored secrets on vulnerable Firebox appliances as described in our Best Practices to Rotate Shared Secrets Stored on the Firebox knowledge base article. This recommendation is out of an abundance of caution due to evidence that this vulnerability is under active exploitation.
If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.
| Product Family | Product Branch | Product List |
|---|---|---|
| Firebox | Fireware OS 12.5.x | T15, T35 |
| Firebox | Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
| Firebox | Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |