WatchGuard sounds alarm as critical Firebox flaw comes under active attack
Summary
WatchGuard has confirmed a critical remote code execution (RCE) vulnerability in its Firebox firewalls — CVE-2025-32978 — is being actively exploited. Rated 9.3, the flaw affects the Fireware OS Internet Key Exchange (IKE) service and allows unauthenticated attackers to run arbitrary commands on exposed devices reachable from the internet. WatchGuard has published an advisory with indicators of compromise and released firmware updates that fully address the issue, plus a temporary workaround for organisations that cannot patch immediately.
Key Points
- CVE-2025-32978 is a critical (9.3) unauthenticated RCE in the Fireware IKE service affecting Firebox appliances.
- Exploitation permits arbitrary command execution remotely if the device is internet-reachable, potentially giving attackers control of the firewall.
- WatchGuard has observed active exploitation in the wild and provided indicators of compromise to help detection and triage.
- The immediate remediation is to apply the latest WatchGuard firmware; a temporary workaround is available for those that cannot patch straight away.
- The vulnerable code can remain reachable even after certain VPN configurations have been removed; organisations should review IKEv2 mobile-user and branch-office VPN settings and any static gateway peers rather than assuming a deleted config means a safe device.
- This follows a pattern of rapid weaponisation of firewall flaws (including past WatchGuard CVEs and CISA KEV listings), underscoring the speed of exploitation against edge appliances.
Why should I read this?
If you run WatchGuard Firebox appliances or manage any perimeter equipment, this is one to read now, not later. The bug lets unauthenticated strangers run code on your firewall from the internet. Patch it, check the published IOCs, and lock down exposed management and VPN endpoints. Acting is quick and could stop a very messy incident.
Context and relevance
Firewalls and edge appliances are high-value targets because they guard network boundaries and often run with elevated privileges. A compromised firewall can expose traffic, credentials, VPNs and downstream systems while the attacker stays hidden inside a device the rest of the network trusts. The industry has repeatedly seen rapid exploitation of such flaws: recent related WatchGuard vulnerabilities were added to CISA's Known Exploited Vulnerabilities list, and prior RCEs were abused in long-running campaigns. This advisory is part of that ongoing trend, so prompt patching and auditing of VPN/IKE configurations are essential risk mitigations.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2025/12/19/watchguard_firebox/
