CVE-2025-9242 update for unmanaged devices?
We've all gotten the emails about this CVE and the need to update our devices to remediate the issue, but in the email it makes reference to "unmanaged" devices out of subscription, and it says WatchGuard would contact us with information about updating those devices separately. Okay, HOW?
I just spoke with someone at support who told me that they are not providing any fixes for boxes out of support contracts, even though this is a critical CVE. This seems contrary to what most providers have been doing. As a reseller, we have numerous devices that are not EOL, and often just out of LS, or NFRs - all of which we are still using for internal testing/training, and which still have use to us. I understand nobody wants to support devices forever, but many of these devices are not that old, and as a reseller who has been selling your products for more than a decade, I am somewhat disappointed in this response.
Can we get some clarification on what the critical CVE patching availability policy is with WatchGuard, and what those of us with these unmanaged devices are supposed to do about these critical issues?
Comments
I agree. We have training boxes and testing boxes, and, not to mention, this is a very high CVSS 9.3. This would be a disservice to the partners who maintain these boxes for these purposes! I opened a support ticket, but I haven't received a response yet. WG should, at least for its partners, have a temporary key to fix this vulnerability, since it is responsible for this security breach.
The last time I recall this happening was when the Cyclops Blink issue was prevalent, and back then WatchGuard coded specific updates to not require active LiveSupport in the licence key (it still needed a licence key to be present).
Haven't checked recently but I think the support portal for WatchGuard partners lets them put in any serial number since they're more likely to be dealing with devices that aren't registered to them.
Personally I have an older T35-W registered on my own account that would fall in this category - curious to see how they handle devices like that (it's a lab device for me).
I reached out to the channel partner group, and basically they couldn't care less. They just ignored me. One of the support people basically said "well, T series NFR replacements aren't that expensive, this is going to be an uphill battle..." to which I reminded him that we have numerous 5xx and 6xx series devices, and no, they aren't inexpensive at all.
I'm really disappointed with the direction WG has gone. It seems like they just want to be another SaaS type of company now. If my clients wanted that kind of wastefulness, I'd just sell Meraki. At least they don't pretend to screw people over every year.