How to fix CVE-2025-11838?

Within 24 hours: Inventory all WatchGuard Fireware OS instances and identify those running versions 12.6.1-12.11.4 or 2025.1-2025.1.2 with IKEv2 VPN enabled; disable IKEv2 VPN if operationally feasible or restrict VPN gateway access via network ACLs. Within 7 days: Establish continuous monitoring for DoS patterns on affected devices; prepare rollback procedures and alternative VPN connectivity options. Within 30 days: Monitor WatchGuard security advisories for patch availability and test in non-production environments immediately upon release; deploy patches to production systems on a prioritized schedule based on VPN criticality.

Is Fireware affected by CVE-2025-11838?

WatchGuard firewall devices running vulnerable Fireware OS versions are exposed to unauthenticated denial-of-service attacks targeting VPN functionality, potentially disrupting remote worker connectivity and branch office operations.

CVE-2025-11838

EUVD-2025-201298 HIGH

2025-12-04 5d1c2695-1a31-4499-88ae-e847036fd7e3

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 16:35 euvd

EUVD-2025-201298

Analysis Generated

Mar 15, 2026 - 16:35 vuln.today

CVE Published

Dec 04, 2025 - 22:15 nvd

HIGH 7.5

Description

A memory corruption vulnerability in WatchGuard Fireware OS may allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition in the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 12.6.1 up to and including 12.11.4 and 2025.1 up to and including 2025.1.2.

Analysis

This vulnerability affects Fireware OS 12.6.1 up to and including 12.11.4 and 2025.1 up to and including 2025.1.2.

Technical Context

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users.

Affected Products

Affected products: Watchguard Fireware

Remediation

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2025-11838 vulnerability details – vuln.today

Back

CVE-2025-11838

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-11838

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code