Fireware v12.11.4 Release Notes
Brand: WatchGuard
Release Date: 17 September 2025
Revision: 18 September 2025
Fireware OS Build: 722644
WatchGuard System Manager Build: WSM v2025.1.1: 722949
WatchGuard AP Firmware: AP125, AP225W, AP325, AP327X, AP420: 11.0.0-36-4
Supported Devices
Firebox NV5, T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M4600, M4800, M5600, M5800, FireboxV, Firebox Cloud, WatchGuard AP
Introduction
Fireware v12.11.4 resolves a critical security issue in Fireware, making it crucial to upgrade to prevent exposure. This release also includes an updated Mobile VPN with SSL for Windows Client and additional bug fixes. For a comprehensive list of enhancements and resolved issues, refer to the "Enhancements and Resolved Issues" section or the "What's New in Fireware v12.11.4 PowerPoint."
With the release of Fireware v12.9, WatchGuard announced the deprecation of the WatchGuard Log Server, Report Server, and Quarantine Server. While WSM v12.11.x still includes these components, they are no longer supported in v12.9 and higher and will be removed in a future WSM release.
Before You Begin
Before installing this release, ensure you have the following:
- A supported WatchGuard Firebox (e.g., NV5, T20-T85, M270-M5800, FireboxV, Firebox Cloud).
- Required hardware and software components. If using WatchGuard System Manager (WSM), ensure your WSM version is equal to or higher than the Fireware OS version on your Firebox and the WSM version on your Management Server.
- A feature key for your Firebox. If upgrading from an earlier version, your existing key can be used. If you do not have one, it can be downloaded from the WatchGuard website.
- For upgrades to Fireware v12.x from v11.10.x or earlier, it is strongly recommended to review the Fireware v11.12.4 release notes for significant feature changes.
- Be aware of "Known Issues" that are particularly important before upgrading to or from specific Fireware versions. Refer to Release-specific upgrade notes for details.
Note: WatchGuard System Manager v2025.1.1 and its server components can be used with devices running earlier Fireware versions. However, it is recommended to use product software that matches your Fireware OS version.
For new Firebox installations, follow the instructions in the Quick Start Guide. For new FireboxV installations, consult Fireware Help in the WatchGuard Help Center and the Hardware Guide for your specific model. The Hardware Guide provides information on device interfaces and factory default settings.
Product documentation is available at: https://www.watchguard.com/wgrd-help/documentation
Enhancements and Resolved Issues in Fireware v12.11.4
Security Issues
- Resolves a critical security issue (CVE-2025-9242) discovered through internal testing. No indication of exploitation in the wild. Critical to upgrade to v12.11.4 to prevent exposure. Full advisory details available at psirt.watchguard.com. [WGSA-2025-00015]
General
- Resolves an HTTP-proxy memory leak issue. [FBX-28907]
- Updates the dnsmasq version to v2.90. [FBX-29558]
- Resolves an issue where Security Services Statistics logging was disabled when saving configuration from Policy Manager. [FBX-30162]
Resolved Issues in Mobile VPN with SSL Client for Windows v12.11.4
The Mobile VPN with SSL Client v12.11.4 includes bug fixes only. Mobile VPN with SSL is not affected by CVE-2025-9242.
- Mobile VPN with SSL Client SAML connections no longer fail after WebView2 v139 update. [FBX-30242]
- To support WatchGuard Patch Management updates, the Mobile VPN with SSL Client installer can now close a running client during an update. [FBX-29081]
- The log viewer no longer displays error messages when the Mobile VPN with SSL connection is successful. [FBX-29877, FBX-29733]
- Text boxes in the Mobile VPN with SSL Client UI now support the CTRL+A (Select All) keyboard shortcut. [FBX-30107]
Known Issues and Limitations
Known issues for Fireware v12.11.4 and its management applications, including workarounds, can be found on the Technical Search > Knowledge Base tab. To find issues for a specific release, use the Product & Version filters.
Some Known Issues are especially important to be aware of before upgrading. Refer to Release-specific upgrade notes for more information.
Download Software
Software can be downloaded from the WatchGuard Software Downloads Center. The following packages are available:
WatchGuard System Manager
Install WSM and WatchGuard Server Center software with: WSM_2025_1_1.exe. This file installs WSM v2025.1.1 or upgrades an earlier version.
Fireware OS
Fireware OS can be upgraded automatically via the Fireware Web UI (System > Upgrade OS) or WatchGuard Cloud. For upgrades via Policy Manager or from earlier versions, download the Fireware OS image:
- Use the
.exefile for WSM installation/upgrade. - Use the
.zipfile for manual installation/upgrade via Fireware Web UI. - Use the
.ovaor.vhdfile to deploy a new FireboxV device.
Software download file names include the product group (e.g., T20_T40 for Firebox T20 or T40).
Fireware OS Packages by Firebox Model
| If you have... | Select from these Fireware OS packages |
|---|---|
| Firebox M270/M370/M470/M570/M670 | Firebox_OS_M270_M370_M470_M570_M670_12_11_4.exe firebox_M270_M370_M470_M570_M670_12_11_4.zip |
| Firebox M290 | Firebox_OS_M290_12_11_4.exe firebox_M290_12_11_4.zip |
| Firebox M390 | Firebox_OS_M390_12_11_4.exe firebox_M390_12_11_4.zip |
| Firebox M590/M690 | Firebox_OS_M590_M690_12_11_4.exe firebox_M590_M690_12_11_4.zip |
| Firebox M4600/M5600 | Firebox_OS_M4600_M5600_12_11_4.exe firebox_M4600_M5600_12_11_4.zip |
| Firebox M4800/M5800 | Firebox_OS_M4800_M5800_12_11_4.exe firebox_M4800_M5800_12_11_4.zip |
| Firebox NV5 | Firebox_OS_NV5_12_11_4.exe firebox_NV5_12_11_4.zip |
| Firebox T20/T40 | Firebox_OS_T20_T40_12_11_4.exe firebox_T20_T40_12_11_4.zip |
| Firebox T25/T45 | Firebox_OS_T25_T45_12_11_4.exe firebox_T25_T45_12_11_4.zip |
| Firebox T55 | Firebox_OS_T55_12_11_4.exe firebox_T55_12_11_4.zip |
| Firebox T70 | Firebox_OS_T70_12_11_4.exe firebox_T70_12_11_4.zip |
| Firebox T80 | Firebox_OS_T80_12_11_4.exe firebox_T80_12_11_4.zip |
| Firebox T85 | Firebox_OS_T85_12_11_4.exe firebox_T85_12_11_4.zip |
| FireboxV (All editions for VMware) | FireboxV_12_11_4.ova Firebox_OS_FireboxV_12_11_4.exe firebox_FireboxV_12_11_4.zip |
| FireboxV (All editions for Hyper-V) | FireboxV_12_11_4.vhd.zip Firebox_OS_FireboxV_12_11_4.exe firebox_FireboxV_12_11_4.zip |
| Firebox Cloud | Firebox_OS_FireboxCloud_12_11_4.exe fireboxCloud_12_11_4.zip |
Additional Firebox Software
These files are necessary for key features but are not directly used by the Firebox or for Firebox management. File names typically include the current Fireware version at the time of release.
| File name | Description | Updated in this release |
|---|---|---|
| WG-Authentication-Gateway_12_10_2.exe | Single Sign-On Agent software - required for Single Sign-On and includes optional Event Log Monitor for clientless SSO. | No |
| WG-Authentication-Client_12_7.msi | Single Sign-On Client software for Windows. | No |
| WG-SSOCLIENT-MAC_12_5_4.dmg | Single Sign-On Client software for macOS. | No |
| SSOExchangeMonitor_x86_12_10.exe | Exchange Monitor for 32-bit operating systems. | No |
| SSOExchangeMonitor_x64_12_10.exe | Exchange Monitor for 64-bit operating systems. | No |
| TO_AGENT_SETUP_12_11_2.exe | Terminal Services software for both 32-bit and 64-bit systems. | No |
| WG-MVPN-SSL_12_11_4.exe | Mobile VPN with SSL Client for Windows. | Yes |
| WG-MVPN-SSL_12_11_2.dmg | Mobile VPN with SSL Client for macOS. | No |
| WG-Mobile-VPN_Windows_x86-64_1519_29720.exe¹ | WatchGuard IPSec Mobile VPN Client for Windows (64-bit), powered by NCP². | No |
| WatchGuard_Mobile_VPN_x86-64_473_30031.dmg¹ | WatchGuard IPSec Mobile VPN Client for macOS, powered by NCP². | No |
| Watchguard_MVLS_Win_x86-64_200_rev19725.exe¹ | WatchGuard Mobile VPN License Server (MVLS) v2.0, powered by NCP³. | No |
¹ The version number in this file name does not match any Fireware version number.
² There is a license required for this premium client, with a 30-day free trial available with download.
³ Click here for more information about MVLS. If you have a VPN bundle ID for macOS, it must be updated on the license server to support the macOS 3.00 or higher client. To update your bundle ID, contact WatchGuard Customer Support. Make sure to have your existing bundle ID available to expedite the update.
⁴ SSO Agent v12.10.2 supports Fireware v12.5.4 or higher only. Before you install SSO Agent v12.10.2, you must upgrade the Firebox to Fireware v12.5.4 or higher. If you install SSO Agent v12.10.2, we recommend that you upgrade all SSO Clients to v12.7. You cannot use SSO Client v12.7 with versions of the SSO Agent lower than v12.5.4. Fireware v12.11 supports previous versions of the SSO Agent.
Upgrade to Fireware v12.11.4
Important information about the upgrade process:
- You can use WatchGuard Cloud, Fireware Web UI, or Policy Manager to upgrade your Firebox.
- It is strongly recommended to save a local copy of your Firebox configuration and create a Firebox backup image before upgrading.
- If using WatchGuard System Manager (WSM), ensure your WSM version is equal to or higher than the Fireware OS version on your Firebox and the WSM version on your Management Server. Upgrade WSM before upgrading Fireware OS.
- In Fireware v12.6.2 and higher, Fireware Web UI prevents adding users with reserved names to the Firebox-DB authentication server. Delete or replace any user with a reserved name before upgrading to v12.6.2 or higher. Refer to "Reserved Firebox-DB authentication server user names" for more information.
- In Fireware v12.7 and higher, new authentication servers cannot be named AuthPoint. If an existing server is named AuthPoint, it will be renamed to AuthPoint.1 upon upgrade to v12.7 or higher, or when using WSM v12.7 or higher with a Firebox running v12.6.x or lower.
Back Up Your WatchGuard Servers
Uninstalling previous server or client software is not usually necessary when upgrading to WSM v12.x. You can install v12.x software over existing installations. However, it is strongly recommended to back up your WatchGuard Servers (e.g., Management Server) before upgrading. These backups are needed for downgrading.
For instructions on backing up your Management Server configuration, refer to Fireware Help.
Upgrade to Fireware v12.11.4 from WatchGuard Cloud
You can upgrade firmware for a Firebox running Fireware v12.5.2 or higher from WatchGuard Cloud. Refer to "Upgrade Firmware from WatchGuard Cloud" in WatchGuard Cloud Help.
Upgrade to Fireware v12.11.4 from Fireware Web UI
Upgrade Fireware OS via the System > Upgrade OS page. For manual upgrades, refer to "Upgrade Fireware OS or WatchGuard System Manager" in Fireware Help.
If your Firebox runs Fireware v11.9.x or lower, follow the steps in this knowledge base article.
If another release of this OS version is installed on your computer, run the installer twice: once to remove the previous release, and again to install this release.
Upgrade to Fireware v12.11.4 from WSM/Policy Manager
To upgrade from WSM/Policy Manager, refer to "Upgrade Fireware OS or WatchGuard System Manager" in Fireware Help.
If you have installed another release of this OS version on your computer, you must run the installer twice (once to remove the previous release and again to install this release).
If you want to make updates to your Firebox configuration from a saved configuration file, open the configuration from the Firebox and save it to a new file after you upgrade. This ensures that configuration changes made during the upgrade are not overwritten.
Update Access Points
All access point (AP) firmware is managed by the Gateway Wireless Controller on your Firebox. The controller automatically checks for new AP firmware updates and allows direct download from WatchGuard servers.
As of Fireware v12.11, only AP125, AP225W, AP325, AP327X, AP420 devices running the latest v11.0.0-36-4 AP firmware are supported by the Gateway Wireless Controller. Upgrade to the latest AP firmware before upgrading to Fireware v12.11 or higher.
AP Firmware Upgrade
To manage AP firmware and download the latest AP firmware to your Firebox:
- From Fireware Web UI, select Dashboard > Gateway Wireless Controller. On the Summary tab, click Manage Firmware.
- From Firebox System Manager, select the Gateway Wireless Controller tab, then click Manage Firmware.
If automatic AP firmware updates are enabled in Gateway Wireless Controller, APs update automatically between midnight and 4:00 AM local time.
To manually update firmware on your APs:
- On the Access Points tab, select one or more APs.
- From the Actions drop-down list, click Upgrade.
- Click Yes to confirm the upgrade.
Upgrade a FireCluster to Fireware v12.11.4
Fireware for a FireCluster can be upgraded from Policy Manager or Fireware Web UI. For FireClusters running Fireware v11.10.x or lower, Policy Manager is recommended.
During the upgrade process, each cluster member reboots and rejoins the cluster. Since load balancing is unavailable during member reboots, it is recommended to upgrade an active/active cluster during periods of lightest network traffic.
For detailed instructions on upgrading your FireCluster, refer to this Help topic.
Fireware v12.11.4 Operating System Compatibility Matrix
Last reviewed: 17 September 2025
| WSM/ Fireware Component | Microsoft Windows 10, 11 | Microsoft Windows Server 2019, 2022, & 2025 | macOS v10.14, v10.1
Related Documents
|
|---|
