WatchGuard Vulnerabilities (2023–2025): What Got Hit, What Versions Were Vulnerable, and What to Patch Now

If you run WatchGuard, you run security infrastructure.
That also means attackers will target it first.

Firewalls, VPNs, SSO agents, endpoint agents, and password manager extensions sit close to identity and network trust. One missed patch can turn “secure edge” into “open door.”

This post highlights major WatchGuard vulnerabilities from the last two years (December 2023 through today, December 20, 2025) and gives you a clean timeline of vulnerable versions and fixed versions. It also explains what to do next, so you can reduce risk fast.

---

Attackers love edge and identity products for three reasons:

1. They face the internet.
   Firewalls and VPN gateways often accept inbound traffic by design.
2. They concentrate trust.
   They authenticate users, route traffic, and enforce policies.
3. They enable lateral movement.
   Once a threat actor lands on an edge device, they can pivot inside.

That is why vulnerabilities in WatchGuard Firebox (Fireware OS), VPN modules, and SSO components matter. One flaw can lead to remote code execution (RCE), credential exposure, service disruption, or silent access.

You will see that pattern clearly in the 2025 VPN/IKEv2 advisories. WatchGuard explicitly notes exploitation activity for the iked out-of-bounds write bugs. WatchGuard+1

---

WatchGuard’s Fireware OS issues in 2025 deserve special attention because they hit the VPN negotiation path.

CVE-2025-9242 (WGSA-2025-00015) — Critical, remote unauthenticated RCE risk

• WatchGuard describes an out-of-bounds write in the iked process. WatchGuard
• It impacts Mobile User VPN with IKEv2 and BOVPN using IKEv2 with a dynamic gateway peer. WatchGuard
• WatchGuard later added indicators of attack and stated evidence suggested active exploitation. WatchGuard
• Affected versions include Fireware OS 12.0 through 12.11.3 and 2025.1, plus older 11.x ranges. WatchGuard
• Fixes include 12.11.4 and 2025.1.1 (plus other branch fixes). WatchGuard

CVE-2025-14733 (WGSA-2025-00027) — Critical, remote unauthenticated RCE risk

This is another iked out-of-bounds write advisory, with WatchGuard reporting threat actors attempting exploitation in the wild. WatchGuard

It expands the affected window:

• Fireware OS 12.0 through 12.11.5 and 2025.1 through 2025.1.3. WatchGuard
• Fixes: 12.11.6 and 2025.1.4 (plus branch-specific fixes). WatchGuard

Takeaway:
If you use IKEv2 and have any dynamic gateway peer history, patching is not optional. Treat these like emergency updates.

---

SSO components often live inside your network. That makes people dismiss them.
Don’t.

Once an attacker gets any foothold, SSO misconfigurations and protocol flaws can amplify damage. WatchGuard’s 2024 advisories in this area include critical authorization issues.

• CVE-2024-6592 (WGSA-2024-00014): Protocol authorization bypass between Authentication Gateway (SSO Agent) and SSO Client could allow forged communications and manipulation of account/group data. WatchGuard
• CVE-2024-6593 (WGSA-2024-00015): Telnet authentication bypass / incorrect authorization in SSO Agent could allow restricted management commands. WatchGuard
• CVE-2024-6594 (WGSA-2024-00016): DoS against Windows SSO Client via malformed commands. WatchGuard

These are not “internet RCE” bugs.
They are still dangerous in real environments.

Why?

• Many orgs allow broad east-west traffic.
• Attackers often gain internal access via phishing.
• Then they look for identity shortcuts.

---

Local privilege escalation (LPE) and kernel driver issues often require a foothold.
Attackers almost always get a foothold first.

WatchGuard endpoint advisories in 2024 included driver vulnerabilities (pskmad_64.sys) affecting EPDR and Panda-branded products:

• CVE-2023-6330 (WGSA-2024-00001): kernel pool memory corruption (DoS and possible SYSTEM-level code execution). Affected versions include EPDR/AD360 ≤ 8.00.22.0022; fixed in 8.00.22.0023. WatchGuard
• CVE-2023-6331 (WGSA-2024-00002): out-of-bounds write with similar affected/fixed versions. WatchGuard
• CVE-2023-6332 (WGSA-2024-00003): arbitrary kernel memory read; same affected/fixed versions listed. WatchGuard

Also:

• CVE-2024-8424 (WGSA-2024-00017): PSANHost.exe issue enabling arbitrary file delete as SYSTEM on Windows for EPDR/AD360/Dome below specified versions. WatchGuard

These bugs matter for:

• Ransomware staging
• Persistence
• EDR tampering

---

A password manager extension sits inches from credentials.

WatchGuard disclosed:

• CVE-2024-1417 (WGSA-2024-00006): local code injection in the AuthPoint Password Manager Safari extension for macOS versions before 1.0.6, fixed in 1.0.6. WatchGuard

Even though it is “local,” it still matters.
In real incidents, attackers chain local execution with credential theft.

---

Below is a practical patch-focused timeline. It prioritizes high/critical issues and widely deployed components.

Scope note: WatchGuard publishes many advisories. This timeline focuses on the issues most likely to impact real-world environments (Firebox/Fireware OS, VPN, SSO, endpoint agents, and AuthPoint Password Manager). For full coverage, always cross-check WatchGuard’s PSIRT advisory list.

Date (Published)	Advisory / CVE	Product	Impact	Versions Vulnerable	Fixed / Resolved Versions
2024-01-18	WGSA-2024-00001 / CVE-2023-6330	Endpoint (EPDR, Panda AD360, Panda Dome)	Medium	EPDR/AD360 ≤ 8.00.22.0022; Dome ≤ 22.02.00	EPDR/AD360 8.00.22.0023; Dome 22.02.01
2024-01-18	WGSA-2024-00002 / CVE-2023-6331	Endpoint	High	EPDR/AD360 ≤ 8.00.22.0022; Dome ≤ 22.02.00	EPDR/AD360 8.00.22.0023; Dome 22.02.01
2024-01-18	WGSA-2024-00003 / CVE-2023-6332	Endpoint	Medium	EPDR/AD360 ≤ 8.00.22.0022; Dome ≤ 22.02.00	EPDR/AD360 8.00.22.0023; Dome 22.02.01
2024-03-26	WGSA-2024-00006 / CVE-2024-1417	AuthPoint Password Manager (Safari macOS)	High	Extension < 1.0.6	1.0.6
2024-06-27	WGSA-2024-00011 / CVE-2024-5974	Firebox (Fireware OS)	High	Fireware 11.9.4 → 12.5.12_Update1; 12.6 → 12.10.3	12.10.4; 12.5.12 Update 2
2024-09-25	WGSA-2024-00014 / CVE-2024-6592	SSO (Auth Gateway + clients)	Critical	Auth Gateway through 12.10.2; Windows client through 12.7; macOS client through 12.5.4	WatchGuard lists mitigations/workarounds (port restrictions).
2024-09-25	WGSA-2024-00015 / CVE-2024-6593	SSO (Auth Gateway)	Critical	Auth Gateway through 12.10.2	WatchGuard lists mitigations/workarounds (port restrictions).
2024-09-25	WGSA-2024-00016 / CVE-2024-6594	SSO (Windows client)	High	Windows SSO Client through 12.7	WatchGuard lists mitigations/workarounds (port restrictions).
2024-11-07	WGSA-2024-00017 / CVE-2024-8424	Endpoint (EPDR/AD360/Dome)	High	EPDR/AD360 < 8.00.23.0000; Dome < 22.03.00	EPDR/AD360 8.00.23.0000; Dome 22.03.00
2025-09-17 (updated later)	WGSA-2025-00015 / CVE-2025-9242	Firebox (Fireware OS / iked)	Critical	Fireware 12.0 → 12.11.3, 2025.1, plus specified 11.x ranges	12.11.4, 2025.1.1, plus branch-specific fixes
2025-10-29	WGSA-2025-00016 / CVE-2025-1549	Mobile VPN with SSL (Windows client)	Medium	Client ≤ 12.10.5	Partially mitigated in 12.11.3, but advisory notes residual risk
2025-12-04	WGSA-2025-00018 / CVE-2025-11838	Firebox (Fireware OS / iked)	High	Fireware 12.0 → 12.11.4; 2025.1 → 2025.1.2	12.11.5; 2025.1.3
2025-12-04 (updated 2025-12-19)	WGSA-2025-00020 / CVE-2025-12196	Firebox (Fireware OS CLI)	High	Fireware 12.0 → 12.11.4; 12.5 → 12.5.13; 2025.1 → 2025.1.2	12.11.5; 12.5.14; 2025.1.3
2025-12-18 (updated 2025-12-19)	WGSA-2025-00027 / CVE-2025-14733	Firebox (Fireware OS / iked)	Critical	Fireware 12.0 → 12.11.5; 2025.1 → 2025.1.3, plus specified 11.x ranges	12.11.6; 12.5.15; 2025.1.4; FIPS branch updates listed

---

1) Inventory WatchGuard assets like an attacker would

Start with exposure and trust:

• Firebox appliances with VPN enabled
• IKEv2 configurations (dynamic gateway peer history matters)
• SSO Authentication Gateway / SSO clients
• Endpoint agents (EPDR / AD360 / Dome)
• AuthPoint Password Manager extension usage

You want a list of:

• Product
• Current version
• Internet exposure
• Owner and patch window

2) Patch Firebox first, especially IKEv2/iked issues

If you run any affected Fireware versions in the 12.x or 2025.1 branches, patch to the resolved versions shown in the timeline.

Also:

• Review logs and indicators of attack for iked behavior.
• Rotate secrets if you confirmed suspicious activity, per WatchGuard guidance.

3) Reduce blast radius with segmentation and firewall rules

This matters most for SSO.

The SSO advisories repeatedly recommend restricting access to specific TCP ports between:

• Firebox ↔ Authentication Gateway
• Authentication Gateway ↔ SSO Client

Even if you patch later, restrict those ports now.
This blocks easy abuse inside flat networks.

4) Treat endpoint agent updates as security updates

Endpoint driver flaws and SYSTEM-level delete issues help attackers:

• Disable defenses
• Wipe artifacts
• Escalate privileges

Update EPDR/AD360/Dome to the resolved versions listed.

5) Audit browser extension deployment

If you use AuthPoint Password Manager, ensure Safari extension 1.0.6+. WatchGuard

Also check:

• Who can install extensions
• Whether you enforce managed browser policies
• Whether endpoints allow local admin