A critical security flaw affecting tens of thousands of WatchGuard firewalls is now under active exploitation, US cyber authority CISA has warned.
More than 54,000 devices are reportedly unpatched – even though a fix is already available.
Tracked as CVE-2025-9242, the vulnerability is an out-of-bounds write flaw that “may allow a remote unauthenticated attacker to execute arbitrary code.”
The implications are significant: full system compromise, malware installation, data exfiltration, and lateral movement across the network are all possible. The vulnerability has been classed as critical and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
WatchGuard recommends that “administrators should take precautions to rotate all locally stored secrets on vulnerable Firebox appliances.”
CISA has added two other vulnerabilities to its catalog, both of which pose significant risks.
The second critical vulnerability (CVE-2025-12480) affects Gladinet Triofox, a secure file access solution. The vulnerability “allows access to initial setup pages even after setup is complete.”
This would allow an attacker to “bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads,” say threat researchers at Mandiant. This vulnerability has been patched in release 16.7.10368.56560.
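The Triofox bug belongs to a well-known class: first-run setup pages that stay reachable after installation has finished. The following is an added illustration of that class and of the fix, not Gladinet's or Triofox's code; the routes, state fields and handler names are hypothetical, and the only thing the example takes from the advisory text is the behaviour itself (setup pages served post-install, versus setup pages gated on a persisted "setup complete" marker and the attempt logged for defenders).

```python
"""
Added example, not Gladinet/Triofox code. A minimal request dispatcher showing a
setup-page auth bypass (setup routes served regardless of install state) next to
the hardened form (setup routes vanish once setup is complete, and post-install
attempts are recorded). All routes and names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical first-run pages that should exist only before setup completes.
SETUP_ROUTES = {"/setup/admin", "/setup/upload"}


@dataclass
class AppState:
    setup_complete: bool = False
    admin_password: Optional[str] = None
    authenticated: Set[str] = field(default_factory=set)   # live session ids
    audit_log: List[str] = field(default_factory=list)     # defender-facing trail


def complete_setup(state: AppState, password: str) -> None:
    """Persist the initial admin credential and mark setup as finished."""
    state.admin_password = password
    state.setup_complete = True


def handle_vulnerable(state: AppState, path: str,
                      session: Optional[str] = None) -> Tuple[int, str]:
    """Bug class: setup pages are served whenever requested, so an unauthenticated
    caller can reconfigure the instance after installation."""
    if path in SETUP_ROUTES:
        return 200, "setup page"
    if session not in state.authenticated:
        return 401, "login required"
    return 200, "app page"


def handle_hardened(state: AppState, path: str,
                    session: Optional[str] = None) -> Tuple[int, str]:
    """Fix: once setup is complete the setup routes no longer exist (404), and the
    attempt is logged so it can be alerted on; everything else needs a session."""
    if path in SETUP_ROUTES:
        if state.setup_complete:
            state.audit_log.append(
                f"post-setup access to {path} denied (session={session!r})")
            return 404, "not found"
        return 200, "setup page"
    if session not in state.authenticated:
        return 401, "login required"
    return 200, "app page"


def demo() -> dict:
    """Send the same unauthenticated, post-install request to both handlers."""
    results = {}
    for name, handler in (("vulnerable", handle_vulnerable),
                          ("hardened", handle_hardened)):
        state = AppState()
        complete_setup(state, "constructed-initial-password")
        status, _ = handler(state, "/setup/admin")     # no session at all
        results[name] = status
        results[f"{name}_audit_entries"] = len(state.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the gate is the persisted `setup_complete` flag, not the absence of a link in the UI, and that a denied post-install hit on a setup route is exactly the kind of event worth forwarding to a SIEM while patching to the fixed release.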
The final vulnerability affects Microsoft Windows and is tracked as CVE-2025-62215. This vulnerability allows “concurrent execution using shared resource with improper synchronization,” which leads to an authorized attacker being able to elevate privileges locally.
Action1 explained that “when a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data.”
This vulnerability has also been patched in Microsoft’s latest Patch Tuesday release.
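Action1's description (a race condition plus predictable resource names plus loose permissions) is the generic shape of CWE-377/TOCTOU bugs. The example below is added here and is not Microsoft's code, nor a reproduction of CVE-2025-62215, whose affected component the article does not name; it shows the pattern in a portable form, a scratch file created at a fixed name with whatever mode the umask gives, beside the hardened form that uses an unpredictable name, exclusive creation and a restrictive mode set atomically. It runs on POSIX; the Windows equivalent is the same discipline with exclusive-create flags and an explicit DACL. All function names and paths are hypothetical.

```python
"""
Added example, not vendor code. Contrasts a shared resource with a predictable
name, a check-then-use window and loose permissions against the hardened form.
"""
import os
import stat
import tempfile


def write_scratch_predictable(directory: str, name: str, data: str) -> str:
    """Insecure pattern: fixed name, exists-check separate from the open (a race
    window), no exclusive create, and a mode inherited from whatever already
    sits at the path or from the umask."""
    path = os.path.join(directory, name)
    if not os.path.exists(path):          # TOCTOU: the path can change after this
        open(path, "w").close()
    with open(path, "w") as f:            # silently reuses an existing file
        f.write(data)
    return path


def write_scratch_hardened(directory: str, data: str) -> str:
    """Fix: random name, O_CREAT|O_EXCL and 0600 applied at creation. mkstemp
    does all three, so there is no window in which another principal can
    pre-create or read the file."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def create_exclusive(path: str) -> int:
    """When a fixed name is unavoidable, exclusive create refuses a pre-existing
    file instead of reusing it; the caller must treat FileExistsError as a
    security event, not retry blindly."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    d = tempfile.mkdtemp()
    # Constructed stand-in for a world-writable file another principal placed at
    # the predictable name before our process ran.
    pre = os.path.join(d, "app.tmp")
    with open(pre, "w") as f:
        f.write("placed by another principal")
    os.chmod(pre, 0o666)

    vuln = write_scratch_predictable(d, "app.tmp", "secret")
    hard = write_scratch_hardened(d, "secret")
    try:
        os.close(create_exclusive(pre))
        refused = False
    except FileExistsError:
        refused = True

    with open(pre) as f:
        leaked = f.read()
    return {
        "vulnerable_reused_existing": vuln == pre and leaked == "secret",
        "vulnerable_mode": file_mode(vuln),
        "hardened_mode": file_mode(hard),
        "hardened_unique": hard != pre,
        "exclusive_create_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The insecure path ends with the secret sitting in a 0666 file whose name anyone could have guessed; the hardened path ends with a 0600 file at an unpredictable name, and the fixed-name fallback fails closed.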