CVE-2025-9242 update for unmanaged devices?

We've all gotten the emails about this CVE and the need to update our devices to remediate the issue, but in the email it makes reference to "unmanaged" devices out of subscription, and it says WatchGuard would contact us with information about updating those devices separately. Okay, HOW?

I just spoke with someone at support who told me that they are not providing any fixes for boxes out of support contracts, even though this is a critical CVE. This seems contrary to what most providers have been doing. As a reseller, we have numerous devices that are not EOL, and often just out of LS, or NFRs - all of which we are still using for internal testing/training, and which are still of use to us. I understand nobody wants to support devices forever, but many of these devices are not that old, and as a reseller who has been selling your products for more than a decade, I am somewhat disappointed in this response.

Can we get some clarification on what the critical CVE patching availability policy is with WatchGuard, and what those of us with these unmanaged devices are supposed to do about these critical issues?

Comments

  • I agree. We have training boxes, testing boxes, and this, not to mention, is a very high CVSS 9.3. This would be a disservice to the partners who maintain these boxes for these purposes! I opened a support ticket, but I haven't received a response yet. The WG should, at least for its partners, have a temporary key to fix this vulnerability, since it is responsible for this security breach.

  • How are you able to submit a ticket? We tried several times but it kept telling us that the serial number wasn't associated with an active subscription. And yes, this is very disappointing coming from a company I haven't hesitated to refer to anyone for more than a decade. Even greedy VMware still provides patches for out of support products when the CVE is this critical. Have you tried contacting your representative yet? That's my next step.