Attacks on Watchguard Firebox and Gladinet Triofox observed
The US IT security authority CISA warns of ongoing attacks on vulnerabilities in Watchguard's Firebox and Gladinet's Triofox.
- Dirk Knop
The US cybersecurity authority CISA is currently warning of ongoing attacks on security vulnerabilities in Watchguard Firebox and Gladinet Triofox. IT managers should promptly apply the available updates.
Besides these two vulnerabilities, CISA's announcement also adds the already-attacked security vulnerability in the Windows kernel that Microsoft closed with an update on the November Patch Day. What is new is the finding that attackers are targeting a security vulnerability in Watchguard's firewalls. It has been known since mid-September, and updates that close it have been available since then. Some models are susceptible to the injection and execution of malicious code from the internet without prior authentication if the VPN function was ever activated on them, whether or not it is still in use (CVE-2025-9242, CVSS 4.0 score 9.3, risk "critical"). According to the daily updated figures of the Shadowserver Foundation, around 7000 firewalls in Germany were still vulnerable in mid-October; 3600 still are.
Code injection through remote file access
Gladinet Triofox is software intended to give companies secure remote access to local files without cloud synchronization or a VPN. On Monday a vulnerability in it was disclosed: because of insufficient access controls, the initial setup pages remain reachable after setup is complete (CVE-2025-12480, CVSS 9.1, risk "critical"). Triofox version 16.7.10368.56560 or newer closes the gap. Mandiant discovered the vulnerability while investigating attacks by the group UNC6485, which used the unauthorized access to inject and execute malicious code.
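The bug class behind CVE-2025-12480, a first-run setup wizard that stays routable after setup has finished, is easy to reproduce in a few lines. The following is an added illustration written for this page, not Triofox's or Mandiant's code: the paths /setup/ and /admin/, the AppState flag and the Request model are assumptions made for the example, and they do not describe Triofox's real routes. The vulnerable router serves the wizard regardless of application state; the hardened one makes every setup path disappear once setup is complete and requires an authenticated admin for everything else. The version check at the end compares the installed version numerically against the fixed version named in the article, because a plain string comparison would rank 16.7.9999 above 16.7.10368.

```python
"""Setup-wizard access control: vulnerable pattern beside the hardened one.

Added example for illustration; routes, state flag and request model are
assumptions and not Triofox's real implementation.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class AppState:
    setup_complete: bool = False                    # set once the wizard finishes
    admin_users: Set[str] = field(default_factory=set)


@dataclass
class Request:
    """Constructed request model: just a path and the authenticated user (or None)."""
    path: str
    user: Optional[str] = None


SETUP_PREFIX = "/setup/"   # hypothetical first-run wizard routes
ADMIN_PREFIX = "/admin/"   # hypothetical post-setup administration routes


def route_vulnerable(state: AppState, req: Request) -> int:
    """Vulnerable pattern: the wizard assumes nobody visits it after setup,
    so it never consults state.setup_complete. An unauthenticated client can
    re-run it at any time and, for example, create a fresh admin account."""
    if req.path.startswith(SETUP_PREFIX):
        return 200            # wizard served without auth, in every state
    if req.path.startswith(ADMIN_PREFIX):
        return 200 if req.user in state.admin_users else 401
    return 404


def route_hardened(state: AppState, req: Request) -> int:
    """Hardened pattern: setup routes exist only while setup is incomplete;
    afterwards they are gone (404, not 403, so they are not even enumerable),
    and admin routes require an authenticated member of admin_users."""
    if req.path.startswith(SETUP_PREFIX):
        return 404 if state.setup_complete else 200
    if req.path.startswith(ADMIN_PREFIX):
        if req.user is None:
            return 401        # not authenticated
        return 200 if req.user in state.admin_users else 403
    return 404


def attacker_can_rerun_setup(router) -> bool:
    """Simulate the post-setup, unauthenticated request an attacker would send."""
    finished = AppState(setup_complete=True, admin_users={"admin"})
    return router(finished, Request("/setup/admin")) == 200


# Fixed version as given in the advisory text above.
FIXED_TRIOFOX: Tuple[int, ...] = (16, 7, 10368, 56560)


def triofox_version_is_patched(version: str) -> bool:
    """Numeric, component-wise comparison of a dotted version string."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= FIXED_TRIOFOX


if __name__ == "__main__":
    print("vulnerable router lets attacker re-run setup:", attacker_can_rerun_setup(route_vulnerable))
    print("hardened router lets attacker re-run setup:  ", attacker_can_rerun_setup(route_hardened))
    print("16.7.10368.56560 patched:", triofox_version_is_patched("16.7.10368.56560"))
```

The hardened router answers 404 rather than 403 for setup paths after completion so that the wizard's existence is not leaked to an unauthenticated scanner; the same state check belongs in every handler the wizard exposes, not only in the router, since the real-world bugs in this class usually come from one forgotten page.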
As usual, CISA provides no further information about the nature and scope of the attacks, nor any indicators of compromise (IOCs). IT managers should promptly apply the available updates.
(dmk)