According to TheRegister.com, WatchGuard confirmed this week that a critical, 9.3-rated vulnerability in its Firebox firewalls is under active attack. The flaw, tracked as CVE-2025-32978, allows unauthenticated attackers to remotely execute arbitrary code on vulnerable devices if they’re reachable over the internet. WatchGuard’s advisory states the bug is in the Fireware OS Internet Key Exchange service, affecting mobile user VPN and branch office VPN configurations. The company has released firmware updates to fix the issue and provided indicators of compromise so customers can check whether they have already been compromised. This news comes just days after Amazon disclosed a long-running espionage campaign dating to 2021 that exploited an older critical WatchGuard flaw, CVE-2022-26318.
Why Firewalls Are a Hacker’s Dream
Here’s the thing: this isn’t just another software bug. It’s a worst-case scenario for network security. Firewalls sit at the very edge of your network, guarding the front door. They see all the traffic, they handle VPN connections, and they run with high-level privileges. So when a hacker gets control of one, it’s not like compromising a single PC. They get a powerful foothold with incredible visibility. They can sniff credentials, monitor all your traffic, and pivot to attack internal systems—all while hiding inside a device the security team is supposed to trust implicitly. It’s a nightmare.
A Dangerous Pattern Emerges
And that’s why these flaws are so rapidly weaponized. Look at the timeline. Just weeks ago, CISA added another critical WatchGuard flaw (CVE-2025-9242) to its Known Exploited Vulnerabilities catalog. Now we have this new one being actively attacked. Before that, it was the 2022 flaw used in that years-long Russian GRU campaign. See a pattern? Attackers aren’t just finding these holes; they’re scanning for them at scale and pouncing before most companies can even read the patch notes. For industries relying on hardened edge computing, like manufacturing or utilities where industrial panel PCs from the leading US supplier manage critical processes, a compromised firewall isn’t an IT problem—it’s an operational disaster waiting to happen.
What You Need to Do Now
So what’s the immediate action? If you run WatchGuard Firebox devices, your first stop needs to be the official advisory and the knowledge base article for patching instructions. The fix is a firmware update. If you can’t patch immediately, apply the temporary workaround WatchGuard provided. But honestly, patching is non-negotiable. The bigger question is this: how many exposed management interfaces do you have on your perimeter? Because the real lesson from this, and the earlier attacks, is that configuration matters just as much as the patch. A critical flaw is bad. A critical flaw on an internet-facing device is a gift to attackers. Basically, lock it down.
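The "configuration matters as much as the patch" point above lends itself to a quick self-audit. The following Python script is an added example, not code from the article and not WatchGuard's own tooling: it walks a constructed export of firewall policies and triages anything that lets the internet talk to the device itself. The policy field names (name, src, dst, proto, port, enabled), the management port numbers, and PATCHED_VERSION are all assumptions of this example; the aliases Any-External and Firebox follow WatchGuard naming but the data is invented. The real fixed firmware version and management ports should be taken from the vendor advisory and your own deployment.

```python
"""
Exposure triage for firewall policies that expose the device itself to the
internet. Added example; assumptions are marked in the comments.
"""
from dataclasses import dataclass

# PLACEHOLDER: replace with the fixed Fireware version from the vendor advisory.
PATCHED_VERSION = "99.99.0"

# Assumed management ports for this example (web UI on TCP 8080, WSM on
# TCP 4117/4118, SSH on 22). Verify against your own device configuration.
MGMT_SERVICES = {("tcp", 8080), ("tcp", 4117), ("tcp", 4118), ("tcp", 22)}

# IKE must be reachable for VPN to work at all, but any policy that exposes it
# keeps the device in scope for the IKE-service flaw until firmware is patched.
IKE_SERVICES = {("udp", 500), ("udp", 4500)}

EXTERNAL_ALIASES = {"Any-External", "Any"}   # internet-facing sources
SELF_ALIASES = {"Firebox"}                   # the firewall itself as destination


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str
    reason: str


def parse_version(version: str) -> tuple:
    """'12.11.2' -> (12, 11, 2); pads to three numeric parts, ignores suffixes."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(installed: str) -> bool:
    """True when the installed version is at or above the advisory's fixed version."""
    return parse_version(installed) >= parse_version(PATCHED_VERSION)


def triage(policies, installed_version: str):
    """Return findings for enabled policies that let the internet reach the device."""
    findings = []
    patched = is_patched(installed_version)
    for pol in policies:
        if not pol.get("enabled", True):
            continue  # disabled rules are not an exposure today (but worth deleting)
        faces_internet = bool(EXTERNAL_ALIASES & set(pol["src"]))
        targets_device = bool(SELF_ALIASES & set(pol["dst"]))
        if not (faces_internet and targets_device):
            continue
        service = (pol["proto"].lower(), pol["port"])
        if service in MGMT_SERVICES:
            # Management from the internet is a misconfiguration whatever the patch level.
            findings.append(Finding(
                pol["name"], "high",
                f"management service {service[0]}/{service[1]} reachable from the "
                "internet; restrict to trusted sources or a management VPN"))
        elif service in IKE_SERVICES:
            # Expected for VPN, but critical until the IKE fix is installed.
            if patched:
                findings.append(Finding(
                    pol["name"], "info",
                    "IKE reachable from the internet (expected for VPN); "
                    "firmware is at or above the fixed version"))
            else:
                findings.append(Finding(
                    pol["name"], "critical",
                    "IKE reachable from the internet on unpatched firmware; "
                    "update now or apply the vendor workaround"))
    return findings


# Constructed sample export; not real device data.
SAMPLE_POLICIES = [
    {"name": "WatchGuard Web UI", "src": ["Any-External"], "dst": ["Firebox"],
     "proto": "tcp", "port": 8080, "enabled": True},
    {"name": "Allow IKE", "src": ["Any-External"], "dst": ["Firebox"],
     "proto": "udp", "port": 500, "enabled": True},
    {"name": "Allow IKE NAT-T", "src": ["Any-External"], "dst": ["Firebox"],
     "proto": "udp", "port": 4500, "enabled": True},
    {"name": "SSH from LAN", "src": ["Any-Trusted"], "dst": ["Firebox"],
     "proto": "tcp", "port": 22, "enabled": True},
    {"name": "Old WSM rule", "src": ["Any-External"], "dst": ["Firebox"],
     "proto": "tcp", "port": 4117, "enabled": False},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_POLICIES, "12.0.0"):   # constructed installed version
        print(f"[{finding.severity.upper():8}] {finding.policy}: {finding.reason}")
```

Run against the constructed sample with an unpatched version, the script reports the web UI rule as high regardless of firmware, and both IKE rules as critical; once the installed version meets the placeholder fixed version, the IKE rules drop to informational while the exposed web UI stays high. That split is the point of the section above: the patch closes the IKE hole, but only a configuration change closes the management exposure.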
