CVE-2025-11838: WatchGuard Fireware OS DoS Vulnerability

CVE-2025-11838 Overview

CVE-2025-11838 is a memory corruption vulnerability in WatchGuard Fireware OS that affects the IKEv2 implementation used by Mobile User VPN and Branch Office VPN. An unauthenticated remote attacker can trigger a Denial of Service (DoS) condition against the firewall when Branch Office VPN with IKEv2 is configured with a dynamic gateway peer, or when Mobile User VPN with IKEv2 is enabled. The flaw is classified as [CWE-763] (Release of Invalid Pointer or Reference). Affected versions include Fireware OS 12.6.1 through 12.11.4 and 2025.1 through 2025.1.2, spanning the full Firebox T-series, M-series, NV5, FireboxV, and FireboxCloud product lines.

Critical Impact

Unauthenticated network attackers can crash the IKEv2 VPN service on WatchGuard Firebox appliances, disrupting site-to-site and remote-user VPN connectivity.

Affected Products

• WatchGuard Fireware OS versions 12.6.1 through 12.11.4
• WatchGuard Fireware OS versions 2025.1 through 2025.1.2
• Firebox T-series, M-series, NV5, FireboxV, and FireboxCloud hardware and virtual appliances

Discovery Timeline

• 2025-12-04 - CVE-2025-11838 published to NVD
• 2025-12-16 - Last updated in NVD database

Technical Details for CVE-2025-11838

Vulnerability Analysis

The vulnerability resides in the Internet Key Exchange version 2 (IKEv2) handler within Fireware OS. IKEv2 is the protocol responsible for negotiating IPsec Security Associations for both Mobile User VPN (remote access) and Branch Office VPN (site-to-site) tunnels. When the IKEv2 daemon processes specific network input during peer negotiation, it mishandles a pointer or memory reference, producing a memory corruption condition. The corruption causes the VPN service to terminate, denying legitimate VPN connectivity until the service or appliance recovers.

The issue is reachable in two configurations: any Firebox with Mobile User VPN over IKEv2 enabled, and any Firebox running Branch Office VPN with IKEv2 where the remote peer is defined as a dynamic gateway. Dynamic gateway peers accept connections from arbitrary source addresses, which broadens the attack surface to any host that can reach UDP port 500 or 4500 on the firewall.

Root Cause

The root cause is improper memory management within the IKEv2 protocol parsing path, mapped to [CWE-763] Release of Invalid Pointer or Reference. The IKEv2 service operates with an invalid pointer during normal processing, leading to abnormal termination. WatchGuard has not published low-level technical details about the specific code path responsible.

Attack Vector

The attack vector is fully remote and unauthenticated. An attacker sends crafted IKEv2 negotiation traffic to UDP/500 or UDP/4500 on a vulnerable Firebox configured with Mobile User VPN IKEv2 or a Branch Office VPN dynamic-peer profile. No user interaction or credentials are required. Successful exploitation impacts availability only — confidentiality and integrity are not affected. Refer to the WatchGuard Security Advisory WGSA-2025-00018 for vendor-supplied technical context.

Detection Methods for CVE-2025-11838

Indicators of Compromise

• Unexpected restarts or crashes of the iked or IKEv2 daemon process on Firebox appliances
• Sudden drops of established Branch Office VPN tunnels using IKEv2 with dynamic peers
• Mobile User VPN clients failing IKE_SA_INIT or IKE_AUTH exchanges in bursts from a single source
• Bursts of malformed IKEv2 packets on UDP/500 or UDP/4500 from untrusted source addresses

Detection Strategies

• Monitor Fireware diagnostic logs for IKEv2 service termination, segmentation faults, or watchdog-triggered restarts
• Alert on repeated IKE_SA_INIT failures or anomalous IKEv2 packet patterns from non-whitelisted sources
• Correlate VPN service outages with inbound traffic spikes on UDP/500 and UDP/4500

Monitoring Recommendations

• Forward Firebox syslog data to a centralized SIEM and build alerts for iked process anomalies and tunnel-renegotiation storms
• Track VPN availability metrics (tunnel up/down events, client authentication failures) to identify service-level disruption quickly
• Enable NetFlow or packet capture on the firewall external interfaces to retain evidence of the triggering IKEv2 traffic

How to Mitigate CVE-2025-11838

Immediate Actions Required

• Identify all Fireboxes running Fireware OS 12.6.1–12.11.4 or 2025.1–2025.1.2 and inventory their VPN configurations
• Upgrade Fireware OS to a fixed release as published in WatchGuard Security Advisory WGSA-2025-00018
• For Branch Office VPN deployments, prefer static gateway peers with explicit source IP allow-listing where operationally feasible
• Restrict inbound UDP/500 and UDP/4500 to known VPN peers and remote-user network ranges using upstream ACLs

Patch Information

WatchGuard has published fixed Fireware OS releases through advisory WGSA-2025-00018. Administrators should consult the WatchGuard Security Advisory for the exact patched versions corresponding to the 12.x and 2025.x branches and apply the upgrade via WatchGuard System Manager or the Web UI.

Workarounds

• Temporarily disable Mobile User VPN with IKEv2 if remote-access requirements can be met via another VPN type until patching is complete
• Replace Branch Office VPN dynamic gateway peers with static-IP peers where the remote endpoint has a fixed address
• Apply geofencing or source-IP filtering on UDP/500 and UDP/4500 to reduce exposure to untrusted networks

# Example: restrict IKEv2 ports to known peer subnets at an upstream router
# (Reference syntax — adapt to your environment)
access-list VPN_PEERS permit udp host 203.0.113.10 any eq 500
access-list VPN_PEERS permit udp host 203.0.113.10 any eq 4500
access-list VPN_PEERS deny   udp any any eq 500
access-list VPN_PEERS deny   udp any any eq 4500