Critical WatchGuard Firebox Flaw Actively Exploited in Attacks
▼ Summary
– WatchGuard warns of a critical, actively exploited RCE vulnerability (CVE-2025-14733) in its Firebox firewalls, requiring immediate patching.
– The flaw is an out-of-bounds write issue affecting Fireware OS 11.x, 12.x, and 2025.1.x, allowing unauthenticated remote code execution.
– Devices are vulnerable if configured for IKEv2 VPN, and may remain at risk even after deleting certain VPN configurations if a static gateway peer BOVPN is still active.
– The company provides a temporary workaround for vulnerable BOVPN configurations and indicators of compromise to check for device breaches.
– This follows a pattern of similar RCE flaws in WatchGuard firewalls, with previous vulnerabilities also being actively exploited and mandated for patching by CISA.
A critical security vulnerability in WatchGuard Firebox firewalls is now under active exploitation, prompting an urgent call for administrators to apply patches. The flaw, identified as CVE-2025-14733, allows attackers to remotely execute malicious code on affected devices. This remote code execution (RCE) vulnerability stems from an out-of-bounds write issue and can be exploited without authentication in attacks that are relatively simple to carry out.
The vulnerability impacts firewalls running specific versions of Fireware OS. This includes versions 11.x and later, such as 11.12.4_Update1, versions 12.x and later including 12.11.5, and the 2025.1 series up to and including 2025.1.3. While the primary attack vector involves systems configured to use the IKEv2 VPN protocol, WatchGuard has clarified that the risk may persist even after deleting certain configurations. If a device was previously set up for a mobile user VPN or a branch office VPN using IKEv2 with a dynamic gateway peer, and those settings were removed, the firewall could still be vulnerable if a branch office VPN to a static gateway peer remains active.
WatchGuard has confirmed observing active exploitation attempts in the wild, making immediate remediation essential. For organizations unable to patch immediately, a temporary workaround is available. This involves disabling dynamic peer Branch Office VPNs (BOVPNs), creating new firewall policies, and turning off the default system policies that manage VPN traffic. This measure is crucial for buying time until a permanent patch can be applied.
A wide range of Firebox models are affected across different product branches. Vulnerable devices include the T-series models like the T15, T35, T20, and T45, M-series appliances such as the M270, M370, and M470, as well as the Firebox Cloud, Firebox NV5, and FireboxV virtual appliances. To assist with incident response, WatchGuard has provided indicators of compromise. Customers are advised to check their devices for any signs of intrusion and, if found, to immediately rotate all locally stored credentials and secrets on the compromised appliances.
This incident is part of a concerning pattern for WatchGuard’s firewall products. Just last September, the company addressed a nearly identical RCE flaw tracked as CVE-2025-9242. Within a month, security researchers identified over 75,000 firewalls exposed to that vulnerability globally, with concentrations in North America and Europe. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) later added that flaw to its catalog of known exploited vulnerabilities, mandating federal agencies to secure their systems.
Further back, CISA issued a similar directive in 2022 for another actively exploited WatchGuard firewall vulnerability (CVE-2022-23176). Given that WatchGuard’s technology secures the networks of hundreds of thousands of small and medium-sized businesses worldwide through its extensive partner network, these recurring critical flaws represent a significant and widespread security concern that demands vigilant patch management.
(Source: NewsAPI Cybersecurity & Enterprise)
