WatchGuard Vulnerabilities (2023–2025): What Got Hit, What Versions Were Vulnerable, and What to Patch Now
If you run WatchGuard, you run security infrastructure.
That also means attackers will target it first.
Firewalls, VPNs, SSO agents, endpoint agents, and password manager extensions sit close to identity and network trust. One missed patch can turn “secure edge” into “open door.”
This post highlights major WatchGuard vulnerabilities from the last two years (December 2023 through today, December 20, 2025) and gives you a clean timeline of vulnerable versions and fixed versions. It also explains what to do next, so you can reduce risk fast.
Why WatchGuard vulnerabilities matter more than “normal” software bugs
Attackers love edge and identity products for three reasons:
- They face the internet. Firewalls and VPN gateways often accept inbound traffic by design.
- They concentrate trust. They authenticate users, route traffic, and enforce policies.
- They enable lateral movement. Once a threat actor lands on an edge device, they can pivot inside.
That is why vulnerabilities in WatchGuard Firebox (Fireware OS), VPN modules, and SSO components matter. One flaw can lead to remote code execution (RCE), credential exposure, service disruption, or silent access.
You will see that pattern clearly in the 2025 VPN/IKEv2 advisories. WatchGuard explicitly notes exploitation activity for the iked out-of-bounds write bugs.
The high-risk cluster: Fireware OS, IKEv2, and iked
WatchGuard’s Fireware OS issues in 2025 deserve special attention because they hit the VPN negotiation path.
CVE-2025-9242 (WGSA-2025-00015) — Critical, remote unauthenticated RCE risk
- WatchGuard describes an out-of-bounds write in the iked process.
- It impacts Mobile User VPN with IKEv2 and BOVPN using IKEv2 with a dynamic gateway peer.
- WatchGuard later added indicators of attack and stated that evidence suggested active exploitation.
- Affected versions include Fireware OS 12.0 through 12.11.3 and 2025.1, plus older 11.x ranges.
- Fixes include 12.11.4 and 2025.1.1 (plus other branch fixes).
CVE-2025-14733 (WGSA-2025-00027) — Critical, remote unauthenticated RCE risk
This is another iked out-of-bounds write advisory, with WatchGuard reporting threat actors attempting exploitation in the wild.
It expands the affected window:
- Fireware OS 12.0 through 12.11.5 and 2025.1 through 2025.1.3.
- Fixes: 12.11.6 and 2025.1.4 (plus branch-specific fixes).
Takeaway:
If you use IKEv2 and have any dynamic gateway peer history, patching is not optional. Treat these like emergency updates.
The “quiet but deadly” cluster: SSO agent and client vulnerabilities
SSO components often live inside your network. That makes people dismiss them.
Don’t.
Once an attacker gets any foothold, SSO misconfigurations and protocol flaws can amplify damage. WatchGuard’s 2024 advisories in this area include critical authorization issues.
- CVE-2024-6592 (WGSA-2024-00014): Protocol authorization bypass between the Authentication Gateway (SSO Agent) and the SSO Client could allow forged communications and manipulation of account/group data.
- CVE-2024-6593 (WGSA-2024-00015): Telnet authentication bypass / incorrect authorization in the SSO Agent could allow restricted management commands.
- CVE-2024-6594 (WGSA-2024-00016): DoS against the Windows SSO Client via malformed commands.
These are not “internet RCE” bugs.
They are still dangerous in real environments.
Why?
- Many orgs allow broad east-west traffic.
- Attackers often gain internal access via phishing.
- Then they look for identity shortcuts.
Endpoint and client-side issues still matter (even if they are “local”)
Local privilege escalation (LPE) and kernel driver issues often require a foothold.
Attackers almost always get a foothold first.
WatchGuard endpoint advisories in 2024 included driver vulnerabilities (pskmad_64.sys) affecting EPDR and Panda-branded products:
- CVE-2023-6330 (WGSA-2024-00001): kernel pool memory corruption (DoS and possible SYSTEM-level code execution). Affected versions include EPDR/AD360 ≤ 8.00.22.0022; fixed in 8.00.22.0023.
- CVE-2023-6331 (WGSA-2024-00002): out-of-bounds write with the same affected/fixed versions.
- CVE-2023-6332 (WGSA-2024-00003): arbitrary kernel memory read; same affected/fixed versions listed.
Also:
- CVE-2024-8424 (WGSA-2024-00017): PSANHost.exe issue enabling arbitrary file deletion as SYSTEM on Windows for EPDR/AD360/Dome below the specified versions.
These bugs matter for:
- Ransomware staging
- Persistence
- EDR tampering
The “you forgot this was security software” cluster: Password manager extension
A password manager extension sits inches from credentials.
WatchGuard disclosed:
- CVE-2024-1417 (WGSA-2024-00006): local code injection in the AuthPoint Password Manager Safari extension for macOS, versions before 1.0.6; fixed in 1.0.6.
Even though it is “local,” it still matters.
In real incidents, attackers chain local execution with credential theft.
Timeline: WatchGuard vulnerabilities and vulnerable versions (Dec 2023 → Dec 20, 2025)
Below is a practical patch-focused timeline. It prioritizes high/critical issues and widely deployed components.
Scope note: WatchGuard publishes many advisories. This timeline focuses on the issues most likely to impact real-world environments (Firebox/Fireware OS, VPN, SSO, endpoint agents, and AuthPoint Password Manager). For full coverage, always cross-check WatchGuard’s PSIRT advisory list.
| Date (Published) | Advisory / CVE | Product | Impact | Versions Vulnerable | Fixed / Resolved Versions |
|---|---|---|---|---|---|
| 2024-01-18 | WGSA-2024-00001 / CVE-2023-6330 | Endpoint (EPDR, Panda AD360, Panda Dome) | Medium | EPDR/AD360 ≤ 8.00.22.0022; Dome ≤ 22.02.00 | EPDR/AD360 8.00.22.0023; Dome 22.02.01 |
| 2024-01-18 | WGSA-2024-00002 / CVE-2023-6331 | Endpoint | High | EPDR/AD360 ≤ 8.00.22.0022; Dome ≤ 22.02.00 | EPDR/AD360 8.00.22.0023; Dome 22.02.01 |
| 2024-01-18 | WGSA-2024-00003 / CVE-2023-6332 | Endpoint | Medium | EPDR/AD360 ≤ 8.00.22.0022; Dome ≤ 22.02.00 | EPDR/AD360 8.00.22.0023; Dome 22.02.01 |
| 2024-03-26 | WGSA-2024-00006 / CVE-2024-1417 | AuthPoint Password Manager (Safari macOS) | High | Extension < 1.0.6 | 1.0.6 |
| 2024-06-27 | WGSA-2024-00011 / CVE-2024-5974 | Firebox (Fireware OS) | High | Fireware 11.9.4 → 12.5.12_Update1; 12.6 → 12.10.3 | 12.10.4; 12.5.12 Update 2 |
| 2024-09-25 | WGSA-2024-00014 / CVE-2024-6592 | SSO (Auth Gateway + clients) | Critical | Auth Gateway through 12.10.2; Windows client through 12.7; macOS client through 12.5.4 | WatchGuard lists mitigations/workarounds (port restrictions). |
| 2024-09-25 | WGSA-2024-00015 / CVE-2024-6593 | SSO (Auth Gateway) | Critical | Auth Gateway through 12.10.2 | WatchGuard lists mitigations/workarounds (port restrictions). |
| 2024-09-25 | WGSA-2024-00016 / CVE-2024-6594 | SSO (Windows client) | High | Windows SSO Client through 12.7 | WatchGuard lists mitigations/workarounds (port restrictions). |
| 2024-11-07 | WGSA-2024-00017 / CVE-2024-8424 | Endpoint (EPDR/AD360/Dome) | High | EPDR/AD360 < 8.00.23.0000; Dome < 22.03.00 | EPDR/AD360 8.00.23.0000; Dome 22.03.00 |
| 2025-09-17 (updated later) | WGSA-2025-00015 / CVE-2025-9242 | Firebox (Fireware OS / iked) | Critical | Fireware 12.0 → 12.11.3, 2025.1, plus specified 11.x ranges | 12.11.4, 2025.1.1, plus branch-specific fixes |
| 2025-10-29 | WGSA-2025-00016 / CVE-2025-1549 | Mobile VPN with SSL (Windows client) | Medium | Client ≤ 12.10.5 | Partially mitigated in 12.11.3, but advisory notes residual risk |
| 2025-12-04 | WGSA-2025-00018 / CVE-2025-11838 | Firebox (Fireware OS / iked) | High | Fireware 12.0 → 12.11.4; 2025.1 → 2025.1.2 | 12.11.5; 2025.1.3 |
| 2025-12-04 (updated 2025-12-19) | WGSA-2025-00020 / CVE-2025-12196 | Firebox (Fireware OS CLI) | High | Fireware 12.0 → 12.11.4; 12.5 → 12.5.13; 2025.1 → 2025.1.2 | 12.11.5; 12.5.14; 2025.1.3 |
| 2025-12-18 (updated 2025-12-19) | WGSA-2025-00027 / CVE-2025-14733 | Firebox (Fireware OS / iked) | Critical | Fireware 12.0 → 12.11.5; 2025.1 → 2025.1.3, plus specified 11.x ranges | 12.11.6; 12.5.15; 2025.1.4; FIPS branch updates listed |
What to do next (practical remediation checklist)
1) Inventory WatchGuard assets like an attacker would
Start with exposure and trust:
- Firebox appliances with VPN enabled
- IKEv2 configurations (dynamic gateway peer history matters)
- SSO Authentication Gateway / SSO clients
- Endpoint agents (EPDR / AD360 / Dome)
- AuthPoint Password Manager extension usage
You want a list of:
- Product
- Current version
- Internet exposure
- Owner and patch window
2) Patch Firebox first, especially IKEv2/iked issues
If you run any affected Fireware versions in the 12.x or 2025.1 branches, patch to the resolved versions shown in the timeline.
Also:
- Review logs against WatchGuard's published indicators of attack for the iked advisories.
- Rotate secrets if you confirm suspicious activity, per WatchGuard guidance.
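To turn the inventory from step 1 and the timeline table above into an ordered patch list, here is an added Python example; it is not a WatchGuard tool and not code from the original post. It encodes the vulnerable and fixed versions from the timeline for Fireware OS, the SSO Authentication Gateway, EPDR/AD360 and the AuthPoint Safari extension. The Panda Dome rows, the Mobile VPN with SSL client row, the two remaining SSO rows and the "specified 11.x ranges" for the iked advisories (which the post does not enumerate) are left out, so 11.x Fireboxes must be checked against the advisory directly. The host names, product keys and inventory are constructed for the example.

```python
"""Added example: flag WatchGuard assets inside the vulnerable version ranges from the
timeline table and pick the fix for their branch. Not a WatchGuard tool; the inventory
and product keys are constructed."""
import re
from dataclasses import dataclass

@dataclass
class Advisory:
    advisory: str
    cve: str
    product: str   # inventory product key (constructed names)
    severity: str
    ranges: list   # (lowest vulnerable, highest vulnerable, upper bound inclusive?)
    fixes: list    # resolved versions as listed in the timeline, one per branch
    note: str = ""  # shown when no listed fix applies

def parse_version(text):
    """'12.5.12_Update1', '12.5.12 Update 2', '8.00.22.0022', '2025.1' -> int tuple."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return parts  # tuples compare in release order: (12,5,12) < (12,5,12,1) < (12,5,13)

ADVISORIES = [
    Advisory("WGSA-2024-00006", "CVE-2024-1417", "authpoint-safari", "High",
             [("0", "1.0.6", False)], ["1.0.6"]),
    Advisory("WGSA-2024-00011", "CVE-2024-5974", "fireware", "High",
             [("11.9.4", "12.5.12_Update1", True), ("12.6", "12.10.3", True)],
             ["12.5.12 Update 2", "12.10.4"]),
    Advisory("WGSA-2024-00014", "CVE-2024-6592", "sso-gateway", "Critical",
             [("0", "12.10.2", True)], [], "no fixed version listed; restrict SSO ports"),
    Advisory("WGSA-2024-00017", "CVE-2024-8424", "epdr", "High",
             [("0", "8.00.23.0000", False)], ["8.00.23.0000"]),
    Advisory("WGSA-2025-00015", "CVE-2025-9242", "fireware", "Critical",
             [("12.0", "12.11.3", True), ("2025.1", "2025.1", True)],
             ["12.11.4", "2025.1.1"], "11.x ranges not encoded; exploitation reported"),
    Advisory("WGSA-2025-00020", "CVE-2025-12196", "fireware", "High",
             [("12.0", "12.11.4", True), ("2025.1", "2025.1.2", True)],
             ["12.11.5", "12.5.14", "2025.1.3"]),
    Advisory("WGSA-2025-00027", "CVE-2025-14733", "fireware", "Critical",
             [("12.0", "12.11.5", True), ("2025.1", "2025.1.3", True)],
             ["12.11.6", "12.5.15", "2025.1.4"], "11.x ranges not encoded; exploitation reported"),
]

def advisory_for(cve):
    return next(a for a in ADVISORIES if a.cve == cve)

def is_vulnerable(adv, version):
    """True when the version sits inside any vulnerable range of the advisory."""
    v = parse_version(version)
    for lo, hi, inclusive in adv.ranges:
        upper_ok = v <= parse_version(hi) if inclusive else v < parse_version(hi)
        if parse_version(lo) <= v and upper_ok:
            return True
    return False

def recommend_fix(adv, version):
    """Prefer a listed fix on the same major.minor branch, then the same major
    train, then the lowest listed fix above the current version."""
    v = parse_version(version)
    candidates = [f for f in adv.fixes if parse_version(f) > v]
    if not candidates:
        return adv.note or "see advisory"
    for depth in (2, 1):
        same_branch = [f for f in candidates if parse_version(f)[:depth] == v[:depth]]
        if same_branch:
            return min(same_branch, key=parse_version)
    return min(candidates, key=parse_version)

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}

def check_inventory(inventory):
    """One finding per (asset, advisory) match; internet-facing and most severe first."""
    findings = []
    for asset in inventory:
        for adv in ADVISORIES:
            if adv.product == asset["product"] and is_vulnerable(adv, asset["version"]):
                findings.append({
                    "host": asset["host"], "version": asset["version"],
                    "advisory": adv.advisory, "cve": adv.cve, "severity": adv.severity,
                    "exposed": asset.get("internet_exposed", False),
                    "fix": recommend_fix(adv, asset["version"]), "note": adv.note,
                })
    findings.sort(key=lambda f: (not f["exposed"], SEVERITY_RANK[f["severity"]], f["advisory"]))
    return findings

# Constructed inventory for the example (hosts and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "fireware", "version": "12.11.3", "internet_exposed": True},
    {"host": "fw-branch-02", "product": "fireware", "version": "12.5.13", "internet_exposed": True},
    {"host": "fw-lab-03", "product": "fireware", "version": "2025.1.4", "internet_exposed": False},
    {"host": "sso-gw-01", "product": "sso-gateway", "version": "12.10.2"},
    {"host": "ws-finance-17", "product": "epdr", "version": "8.00.22.0022"},
    {"host": "mac-exec-04", "product": "authpoint-safari", "version": "1.0.5"},
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        flag = "EXPOSED " if f["exposed"] else ""
        print(f'{flag}{f["severity"]:8} {f["host"]:14} {f["version"]:13} {f["cve"]:15} -> {f["fix"]}')
```

Two design points matter when you adapt this to a real inventory. First, the version parser keeps the "Update N" suffix as an extra numeric component, which is what makes 12.5.12 sort below 12.5.12_Update1 and that below 12.5.12 Update 2, exactly as the CVE-2024-5974 row requires. Second, the fix recommendation stays on the asset's own branch where the timeline lists one (12.5.13 gets 12.5.14 for CVE-2025-12196 and 12.5.15 for CVE-2025-14733) and falls back to the main train otherwise; when it falls back, or when a finding carries a note, confirm the branch fix in the advisory before scheduling the upgrade.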
3) Reduce blast radius with segmentation and firewall rules
This matters most for SSO.
The SSO advisories repeatedly recommend restricting access to specific TCP ports between:
- Firebox ↔ Authentication Gateway
- Authentication Gateway ↔ SSO Client
Even if you patch later, restrict those ports now.
This blocks easy abuse inside flat networks.
4) Treat endpoint agent updates as security updates
Endpoint driver flaws and SYSTEM-level delete issues help attackers:
- Disable defenses
- Wipe artifacts
- Escalate privileges
Update EPDR/AD360/Dome to the resolved versions listed.
5) Audit browser extension deployment
If you use AuthPoint Password Manager, make sure the Safari extension is version 1.0.6 or later.
Also check:
- Who can install extensions
- Whether you enforce managed browser policies
- Whether endpoints allow local admin
