Full Report
Newly disclosed vulnerability already being abused, users urged to lock down exposed firewalls WatchGuard is in emergency patch mode after confirming that a critical remote code execution flaw in its Firebox firewalls is under active attack.…
Analysis Summary
# Vulnerability: Critical Remote Code Execution in WatchGuard Firebox Firewalls
## CVE Details
- CVE ID: CVE-2025-32978
- CVSS Score: 9.3 (Critical)
- CWE: *(Not explicitly provided in the text)*
## Affected Systems
- Products: WatchGuard Firebox firewalls running Fireware OS
- Versions: Specific vulnerable versions are not listed, but the vulnerability affects devices configured with:
1. Mobile user VPN using IKEv2.
2. Branch office VPN using IKEv2 with a dynamic gateway peer (even if the configuration was subsequently deleted, vulnerability may persist if a static gateway peer VPN is still configured).
- Configurations: Devices must have IKEv2 VPN services configured (Mobile User VPN or Branch Office VPN).
## Vulnerability Description
The vulnerability is a critical Remote Code Execution (RCE) flaw residing in the Fireware OS Internet Key Exchange (IKE) service on Firebox firewalls. This flaw allows unauthenticated attackers to remotely execute arbitrary commands on the vulnerable device if it is reachable over the internet.
## Exploitation
- Status: Exploited in the wild
- Complexity: *(Not explicitly stated, but unauthenticated RCE on network services is typically Low complexity)*
- Attack Vector: Network (Internet-facing)
## Impact
A successful exploit grants an attacker control over the firewall, which sits at the network boundary. This can lead to:
- **Confidentiality:** High (Visibility into traffic, credentials, and VPN connections)
- **Integrity:** High (Ability to execute arbitrary code and control the device)
- **Availability:** High (Potential to disrupt firewall operations)
## Remediation
### Patches
- Apply the latest firmware updates provided by WatchGuard, as these fully address the vulnerability. *(Specific patch version numbers are not provided in the source text).*
### Workarounds
- Organizations unable to patch immediately should refer to the vendor-provided temporary workaround (KB article available via the provided link). *(Specific workaround steps are not detailed here, users must consult the vendor).*
## Detection
- **Indicators of Compromise (IoCs):** WatchGuard has released IoCs to help customers assess potential compromise.
- **Detection Methods and Tools:** Customers should review logs related to the IKE service for anomalous activity indicative of command execution attempts.
## References
- Vendor Advisory: hxxps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
- Workaround KB: hxxps://techsearch.watchguard.com/KB?type=Article&SFDCID=kA1Vr000000DMXNKA4&lang=en_US