Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

WatchGuard Fireware OS Out-of-Bounds Write Vulnerability in VPN IKEv2 Processing Allowing Arbitrary Code Execution

Vulnerability

An out-of-bounds write vulnerability has been identified in WatchGuard Fireware OS. A remote, unauthenticated attacker may be able to exploit it to execute arbitrary code on the Firebox. The flaw is in the iked process, which handles IKEv2 VPN negotiations. Affected releases are Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3 (the fixed releases are the next versions up from each range). The vulnerable code path is reachable when the Firebox is configured for Mobile User VPN with IKEv2, or for Branch Office VPN using IKEv2 with a dynamic gateway peer. Removing those configurations is not a reliable mitigation: a Firebox that still has a Branch Office VPN to a static gateway peer configured may remain vulnerable, so the version check, not the VPN configuration, decides whether a device needs the fix.

Impact

Successful exploitation gives a remote, unauthenticated attacker arbitrary code execution on the affected Firebox.

Remediation

Upgrade to Fireware OS 2025.1.4, 12.11.6, 12.5.15 (T15 and T35 models), or 12.3.1_Update4 (FIPS-certified releases), according to the device's release branch. No fixed release is listed for the 11.x branch. After upgrading, rotate all secrets stored locally on the device (VPN pre-shared keys, certificates, and administrative credentials), since an exploited device may already have exposed them.
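The following is an added exposure check, not WatchGuard code, that turns the affected-version list and the remediation list above into an inventory audit. It encodes the version ranges exactly as this page states them and assumes the upper bound of each affected range is inclusive (the fixed releases 2025.1.4 and 12.11.6 are the next versions up); it maps T15/T35 models to 12.5.15 and FIPS builds to 12.3.1_Update4 as the remediation section does, and it deliberately ignores VPN configuration because the advisory says removing the IKEv2 settings does not reliably remove exposure. The inventory rows and hostnames are constructed sample data.

```python
"""Exposure check for the Fireware OS iked IKEv2 out-of-bounds write.

Added example, not WatchGuard's code. Version ranges and fixed releases are
taken from the advisory text on this page; the upper bounds of the affected
ranges are ASSUMED inclusive. Inventory rows are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# (lower, upper) per the advisory; both ends assumed inclusive.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.5"),
    ("2025.1", "2025.1.3"),
]


def parse_version(text: str) -> Version:
    """'12.11.5' -> (12, 11, 5, 0); '11.12.4_Update1' -> (11, 12, 4, 1); '12.0' -> (12, 0, 0, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def fixed_release(version: Version, model: str = "", fips: bool = False) -> Optional[str]:
    """Fixed release for the device's branch, per the remediation list on this page.
    Returns None for the 11.x branch, for which no fixed release is listed."""
    major = version[0]
    if major == 2025:
        return "2025.1.4"
    if major == 12:
        if fips:
            return "12.3.1_Update4"   # FIPS-certified release train
        if model.upper() in ("T15", "T35"):
            return "12.5.15"          # listed only for T15 and T35
        return "12.11.6"
    return None


@dataclass
class Assessment:
    host: str
    version: str
    affected: bool
    target: Optional[str]
    reason: str


def assess(host: str, version_text: str, model: str = "", fips: bool = False) -> Assessment:
    """Decide from version, model and FIPS status whether a Firebox needs the fix.
    VPN configuration is ignored on purpose: the advisory says removing the IKEv2
    MUVPN/BOVPN settings does not reliably remove exposure."""
    v = parse_version(version_text)
    in_range = any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)
    if not in_range:
        return Assessment(host, version_text, False, None, "outside the listed affected ranges")
    target = fixed_release(v, model, fips)
    if target is None:
        return Assessment(host, version_text, True, None,
                          "affected; no fixed 11.x release listed, move to a fixed branch")
    if v >= parse_version(target):
        # A T15 on 12.5.15 or a FIPS build on 12.3.1_Update4 sits inside the broad
        # 12.x range but already carries its branch's fix.
        return Assessment(host, version_text, False, target, f"already at or above {target}")
    return Assessment(host, version_text, True, target,
                      f"affected; upgrade to {target}, then rotate locally stored secrets")


def needs_action(inventory: List[Tuple[str, str, str, bool]]) -> List[Assessment]:
    """Return only the inventory rows that still need an upgrade."""
    return [a for a in (assess(*row) for row in inventory) if a.affected]


# Constructed inventory: (hostname, Fireware version, model, FIPS build?)
SAMPLE_INVENTORY = [
    ("fw-hq",      "12.11.5",         "M390", False),
    ("fw-branch1", "12.5.14",         "T15",  False),
    ("fw-branch2", "12.5.15",         "T35",  False),
    ("fw-fips",    "12.3.1_Update3",  "M470", True),
    ("fw-lab",     "2025.1.4",        "M290", False),
    ("fw-legacy",  "11.12.4_Update1", "T30",  False),
]

if __name__ == "__main__":
    for a in needs_action(SAMPLE_INVENTORY):
        print(f"{a.host:<11} {a.version:<16} -> {a.reason}")
```

The branch-specific fixed release is compared before the broad 12.x range is trusted, so a T15 already on 12.5.15 or a FIPS build on 12.3.1_Update4 is not flagged even though both versions sort below 12.11.5; a non-T15/T35 device on 12.5.15 is still flagged, because the page lists that release only for those two models.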

Added: Dec 19, 2025, 1:20 AM
Updated: Dec 19, 2025, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 9.4
remediation: 8.3
relevance: 1.5
threat: 8.6
urgency: 10.0
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.