WatchGuard has fixed a serious security vulnerability in Fireware OS that, according to the company, has been used in actual attacks. The vulnerability is characterized as an out-of-bounds write that impacts the iked process.
Following reports of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical WatchGuard vulnerability to its Known Exploited Vulnerabilities (KEV) catalog a little more than a month ago. These two sets of attacks are connected to the Fortinet FortiOS, FortiWeb, and FortiProxy vulnerabilities, though it is currently unknown if they are related.
The vulnerabilities affect the following versions of Fireware OS:
• 2025.1.1, 2025.2.4, and 2025.5.x (T15 & T35 models) - Fixed in 12.3.15.1 (FIPS-certified release)
• 11.10.2 up to and including 11.12.4_Update1 (B728352) - End-of-Life
WatchGuard admitted that it has seen threat actors actively trying to take advantage of this vulnerability in the wild.
117,490 WatchGuard instances that are exposed to the internet are susceptible to the vulnerability, according to data from the Shadowserver Foundation. According to the company's data, over 35,600 of these are found in the United States, followed by 13,000 in Germany, 11,300 in Italy, 9,000 in the United Kingdom, and 5,800 in Canada. The following IP addresses are the source of the attacks:
• 45.95.19[.]50
• 51.17.17[.]89
• 172.93.107[.]67
• 199.247.7[.]82
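One way to check logs against the addresses listed above, as an added example that is not from WatchGuard or the original article: it refangs the indicators as printed here and matches them exactly, so a lookalike such as 145.95.19.50 is not reported. The log lines and their key=value layout are constructed for illustration and are not Fireware's log format.

```python
import ipaddress
import re

# Indicators exactly as listed in the article (defanged).
PUBLISHED_IOCS = "45.95.19[.]50; 51.17.17[.]89; 172.93.107[.]67; 199.247.7[.]82"

# IPv4-shaped token that is not part of a longer dotted number.
IPV4_TOKEN = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")

# Constructed sample lines (hypothetical format, documentation address ranges).
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z iked src=203.0.113.7 dst=198.51.100.1 msg=negotiation started",
    "2025-01-01T10:00:05Z iked src=45.95.19.50 dst=198.51.100.1 msg=negotiation started",
    "2025-01-01T10:00:09Z iked src=145.95.19.50 dst=198.51.100.1 msg=negotiation started",
    "2025-01-01T10:00:12Z fw src=198.51.100.20 dst=199.247.7.82 msg=outbound allowed",
]


def refang(text):
    """Parse defanged indicators ('1.2.3[.]4', stray spaces) into IPv4Address objects."""
    addrs = set()
    for item in re.split(r"[;,\n]", text.replace("[.]", ".")):
        item = re.sub(r"\s+", "", item).strip(".")
        if item:
            addrs.add(ipaddress.IPv4Address(item))  # raises on a malformed entry
    return addrs


def find_hits(log_lines, iocs):
    """Return (line_number, address, line) for every exact indicator match."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for token in IPV4_TOKEN.findall(line):
            try:
                addr = ipaddress.IPv4Address(token)
            except ipaddress.AddressValueError:
                continue  # IPv4-shaped but invalid, e.g. an octet above 255
            if addr in iocs:
                hits.append((lineno, str(addr), line))
    return hits


if __name__ == "__main__":
    for lineno, addr, line in find_hits(SAMPLE_LOG, refang(PUBLISHED_IOCS)):
        print(f"line {lineno}: {addr}: {line}")
```

Matching on either the source or the destination field is deliberate, since a listed address appearing as a destination is as worth reviewing as one appearing as a source.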






