WatchGuard sounds alarm as critical Firebox flaw comes under active attack
theregister.co.uk
WatchGuard is in emergency patch mode after confirming that a critical remote code execution flaw in its Firebox firewalls is under active attack.
In an advisory published this week, the network security vendor warned customers that attackers are exploiting CVE-2025-32978, a 9.3-rated vulnerability affecting Firebox firewalls. The bug allows unauthenticated attackers to execute arbitrary commands remotely, effectively handing over control of the firewall if the device is reachable over the internet.
WatchGuard said the bug resides in the Fireware OS Internet Key Exchange (IKE) service and can be exploited remotely, without authentication, to execute arbitrary code on vulnerable Firebox devices. The vendor confirmed it has seen the flaw actively exploited in the wild and has released indicators of compromise to help customers assess whether they've been hit.
"This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a ...
Copyright of this story solely belongs to theregister.co.uk.

