WatchGuard: WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability


WatchGuard Patches Actively Exploited Critical Fireware OS Vulnerability (CVE-2025-14733)

WatchGuard has released emergency patches for a critical security flaw in Fireware OS (CVE-2025-14733, CVSS 9.3) that has been exploited in real-world attacks. The vulnerability, an out-of-bounds write in the iked process, allows remote unauthenticated attackers to execute arbitrary code on affected systems.

The flaw impacts Fireware OS configurations using IKEv2 for mobile user VPNs or branch office VPNs (BOVPNs) with dynamic gateway peers. Even if these configurations were later deleted, devices may remain vulnerable if a BOVPN with a static gateway peer is still active. Affected versions include:

  • 2025.1 (fixed in 2025.1.4)
  • 12.x (fixed in 12.11.6)
  • 12.5.x (T15 & T35 models) (fixed in 12.5.15)
  • 12.3.1 (FIPS-certified) (fixed in 12.3.1_Update4)
  • 11.x (11.10.2–11.12.4_Update1) (end-of-life, no patch available)

WatchGuard confirmed active exploitation attempts, with attacks traced to the IP address 199.247.7[.]82—the same address linked to recent Fortinet FortiOS vulnerabilities (CVE-2025-59718, CVE-2025-59719). Indicators of compromise (IoCs) include:

  • Logs showing rejected IKE2 certificate chains exceeding 8 certificates.
  • IKE_AUTH requests with abnormally large CERT payloads (>2000 bytes).
  • iked process crashes or hangs, disrupting VPN connections.
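A defender-side log check for the three IoCs listed above, added here as an example; it is not code from the article or from WatchGuard. The log wording and the sample lines are constructed, because the page does not give the real Fireware message format, so the regular expressions are an assumption to be adapted to actual device logs; the thresholds (8 certificates, 2000 bytes) and the source address come from the advisory summary.

```python
import re
from dataclasses import dataclass

# Thresholds and the source address come from the advisory summary above.
MAX_CHAIN_CERTS = 8          # rejected chains with more than 8 certificates
MAX_CERT_PAYLOAD = 2000      # IKE_AUTH CERT payloads larger than 2000 bytes
KNOWN_SOURCE = "199.247.7.82"

# Patterns for the CONSTRUCTED log wording used in SAMPLE_LOG below; real
# Fireware log text differs, so adjust these before running on live logs.
RE_CHAIN = re.compile(r"rejected certificate chain from (?P<ip>[\d.]+): (?P<n>\d+) certificates")
RE_CERT = re.compile(r"IKE_AUTH from (?P<ip>[\d.]+): CERT payload (?P<size>\d+) bytes")
RE_CRASH = re.compile(r"iked process (crashed|hung)")

@dataclass
class Finding:
    line_no: int
    reason: str
    source_ip: str = ""   # empty when the line names no peer (e.g. a crash)

def scan_log(lines):
    """Return one Finding per log line that matches an IoC from the advisory."""
    findings = []
    for no, line in enumerate(lines, start=1):
        reason, ip = None, ""
        if m := RE_CHAIN.search(line):
            if int(m["n"]) > MAX_CHAIN_CERTS:
                reason, ip = f"rejected chain of {m['n']} certificates", m["ip"]
        elif m := RE_CERT.search(line):
            if int(m["size"]) > MAX_CERT_PAYLOAD:
                reason, ip = f"oversized CERT payload ({m['size']} bytes)", m["ip"]
        elif RE_CRASH.search(line):
            reason = "iked process crash or hang"
        if reason is None:
            continue            # normal-looking line: within thresholds
        if ip == KNOWN_SOURCE:
            reason += " (source address listed in the advisory)"
        findings.append(Finding(no, reason, ip))
    return findings

# CONSTRUCTED sample log lines, not real Fireware output.
SAMPLE_LOG = [
    "2025-12-17T10:12:01Z iked: IKE_AUTH from 199.247.7.82: CERT payload 2412 bytes",
    "2025-12-17T10:12:01Z iked: rejected certificate chain from 199.247.7.82: 11 certificates",
    "2025-12-17T10:12:03Z iked: IKE_AUTH from 203.0.113.5: CERT payload 1180 bytes",
    "2025-12-17T10:12:04Z iked: rejected certificate chain from 203.0.113.5: 3 certificates",
    "2025-12-17T10:12:05Z iked: iked process crashed, restarting",
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 1, 2 and 5 and leaves the two in-threshold lines alone; a crash finding carries no peer address, so correlate it by timestamp with the preceding IKE_AUTH lines.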

This disclosure follows CISA’s addition of another critical WatchGuard flaw (CVE-2025-9242, CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalog last month, though no direct link between the two campaigns has been established.

As a temporary mitigation, administrators can disable dynamic peer BOVPNs, restrict access to static IP peers via firewall policies, and disable default VPN traffic policies. Patches should be applied immediately to mitigate risk.

Source: https://thehackernews.com/2025/12/watchguard-warns-of-active-exploitation.html

WatchGuard Technologies cybersecurity rating report: https://www.rankiteo.com/company/watchguard-technologies

Rankiteo incident record

  • Type: Vulnerability (Remote Code Execution), dated 12/2025; severity 100, impact 5 ("attack threatening the organization's existence")
  • Title: Critical Security Flaw in WatchGuard Fireware OS (CVE-2025-14733) Exploited in the Wild
  • Affected entity: WatchGuard (vendor/technology provider, cybersecurity industry, Seattle, USA); customers affected: users of WatchGuard Firebox devices with vulnerable Fireware OS versions
  • Attack vector: Network
  • Vulnerability exploited: CVE-2025-14733 (out-of-bounds write in the iked process)
  • Description: WatchGuard has released fixes to address a critical security flaw in Fireware OS that has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability is an out-of-bounds write affecting the iked process, allowing remote unauthenticated attackers to execute arbitrary code. The flaw impacts mobile user VPN with IKEv2 and branch office VPN using IKEv2 when configured with a dynamic gateway peer.
  • Root cause: out-of-bounds write in the iked process due to improper handling of an IKE2 Auth payload with excessive certificates
  • Impact: VPN service disruption and potential arbitrary code execution; VPN connections interrupted during exploitation (iked process crash); systems affected are WatchGuard Firebox devices running vulnerable Fireware OS versions; potential reputational damage due to active exploitation
  • Response: public advisory released with IoCs and mitigation steps; patches released for affected Fireware OS versions (2025.1.4, 12.11.6, 12.5.15, 12.3.1_Update4) and temporary mitigation steps provided; enhanced monitoring for abnormal IKE_AUTH request log messages and iked process crashes; disable dynamic peer BOVPNs as a temporary mitigation
  • Corrective actions: patches to fix the out-of-bounds write; temporary mitigation steps for unpatched systems
  • Recommendations: apply patches immediately; disable dynamic peer BOVPNs if patches cannot be applied; monitor for IoCs; review VPN configurations for vulnerabilities
  • Customer and stakeholder advisories: WatchGuard has released advisories with IoCs and mitigation steps for affected customers; users are advised to apply patches immediately and monitor for signs of exploitation
  • Investigation status: Ongoing
  • References: WatchGuard Advisory; Arctic Wolf Report on Fortinet Exploitation