
Critical WatchGuard VPN Flaw Actively Exploited

Originally published on: December 20, 2025
Summary

– WatchGuard has patched a critical, actively exploited vulnerability (CVE-2025-14733) in Fireware OS that allows remote code execution via an out-of-bounds write in the iked process.
– The flaw specifically affects systems using mobile user VPN or branch office VPN with IKEv2 and a dynamic gateway peer, and may persist even if those configurations were deleted.
– The vulnerability impacts multiple Fireware OS versions, with fixes available for most, though the 11.x series is end-of-life and remains vulnerable.
– Indicators of compromise include specific log messages about certificate chains, abnormally large payloads, and the iked process hanging or crashing.
– As a temporary mitigation, administrators should disable dynamic peer BOVPNs and adjust firewall policies, but applying the provided updates is the primary recommendation.

A critical vulnerability in WatchGuard’s Fireware OS is now under active exploitation, requiring immediate attention from network administrators. The flaw, identified as CVE-2025-14733, carries a severe CVSS score of 9.3. It stems from an out-of-bounds write issue within the iked process. This weakness could permit a remote attacker, without needing any authentication, to run arbitrary code on affected systems. The company confirmed it has already observed real-world attacks leveraging this security gap.

This specific vulnerability impacts systems using mobile user VPN with IKEv2 or a branch office VPN with IKEv2 configured to a dynamic gateway peer. WatchGuard’s advisory notes an important nuance: even if these configurations were previously set up and later deleted, a Firebox may remain vulnerable if a branch office VPN to a static gateway peer is still active. This makes thorough configuration review essential.

Patches are available across several supported versions of Fireware OS. The fixed releases are 2025.1.4, 12.11.6, and 12.5.15 for T15 and T35 models. For the FIPS-certified 12.3.1 release, the fix is included in update 12.3.1_Update4 (B728352). Notably, the 11.x branch (from 11.10.2 up to 11.12.4_Update1) is end-of-life and will not receive a patch, leaving those systems permanently exposed.

The active exploitation is linked to specific IP addresses, including 199.247.7[.]82. This same address was recently connected by security researchers to attacks exploiting critical flaws in Fortinet products. The overlap suggests potential coordination or tool reuse among threat actors targeting network perimeter devices.

Administrators should look for several indicators of compromise (IoCs). These include a specific log message about a peer certificate chain longer than 8 certificates, IKE_AUTH request logs showing abnormally large CERT payloads exceeding 2000 bytes, the iked process hanging and disrupting VPN connections, and the generation of a fault report following an iked process crash.
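The following is an added example, not code from the article or from WatchGuard, showing how the four indicators above (long certificate chain, oversized CERT payload, iked hang, iked fault report) plus the published source IP can be turned into a log-scanning check. The sample log lines and their wording are constructed for illustration; Fireware's real iked log format is not quoted in the article, so the regular expressions are assumptions that would need to be adapted to the actual messages before use.

```python
import re
from dataclasses import dataclass

# Thresholds taken from the advisory's IoC description.
CHAIN_LENGTH_LIMIT = 8      # peer certificate chain longer than 8 certificates
CERT_PAYLOAD_LIMIT = 2000   # IKE_AUTH CERT payload larger than 2000 bytes


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 199.247.7[.]82 into a matchable string."""
    return ioc.replace("[.]", ".")


# Source IP published in the article, stored in the form that appears in logs.
KNOWN_BAD_IPS = {refang("199.247.7[.]82")}

# Constructed sample log lines (assumed format, NOT WatchGuard's actual syntax).
SAMPLE_LOGS = [
    "2025-12-20 10:01:02 iked IKE_AUTH request from 203.0.113.5: CERT payload 812 bytes",
    "2025-12-20 10:02:15 iked IKE_AUTH request from 199.247.7.82: CERT payload 4096 bytes",
    "2025-12-20 10:02:15 iked peer certificate chain length 11 exceeds limit 8",
    "2025-12-20 10:02:16 iked process not responding, restarting",
    "2025-12-20 10:02:17 kernel fault report generated for iked",
    "2025-12-20 10:05:00 iked IKE_AUTH request from 198.51.100.9: CERT payload 1500 bytes",
]

# Patterns are assumptions matching the constructed lines above.
RE_CERT_PAYLOAD = re.compile(
    r"IKE_AUTH request from (\d+\.\d+\.\d+\.\d+).*?CERT payload (\d+) bytes"
)
RE_CHAIN_LEN = re.compile(r"certificate chain length (\d+)")
RE_HANG = re.compile(r"iked (?:process not responding|hang|hung)")
RE_FAULT = re.compile(r"fault report .*iked")


@dataclass
class Finding:
    line_no: int
    indicator: str
    detail: str


def scan_iked_logs(lines):
    """Return one Finding per indicator hit; a line may yield several."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = RE_CERT_PAYLOAD.search(line)
        if m:
            src, size = m.group(1), int(m.group(2))
            if size > CERT_PAYLOAD_LIMIT:
                findings.append(Finding(n, "oversized_cert_payload", f"{size} bytes from {src}"))
            if src in KNOWN_BAD_IPS:
                findings.append(Finding(n, "known_bad_source_ip", src))
        m = RE_CHAIN_LEN.search(line)
        if m and int(m.group(1)) > CHAIN_LENGTH_LIMIT:
            findings.append(Finding(n, "long_cert_chain", f"{m.group(1)} certificates"))
        if RE_HANG.search(line):
            findings.append(Finding(n, "iked_hang", line))
        if RE_FAULT.search(line):
            findings.append(Finding(n, "iked_fault_report", line))
    return findings


def summarize(findings):
    """Count hits per indicator so an analyst can see which IoCs fired."""
    counts = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_iked_logs(SAMPLE_LOGS)
    for h in hits:
        print(f"line {h.line_no}: {h.indicator}: {h.detail}")
    print(summarize(hits))
```

On the constructed sample the scan reports five hits: an oversized CERT payload and a known-bad source IP on the same IKE_AUTH line, a long certificate chain, an iked hang, and an iked fault report. In practice the thresholds are the advisory's, but the line patterns must be rebuilt from genuine Firebox log output, and a single hit is a reason to check the device, not proof of compromise.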

This disclosure follows closely on the heels of another critical WatchGuard flaw, CVE-2025-9242, which was recently added to CISA’s Known Exploited Vulnerabilities catalog. While a direct connection between these two exploitation campaigns is not yet confirmed, the pattern highlights persistent targeting of these network security appliances.

For devices that cannot be patched immediately, especially those with vulnerable Branch Office VPN setups, a temporary mitigation is available. The recommended steps are to disable dynamic peer BOVPNs, create an alias containing the static IP addresses of remote BOVPN peers, establish new firewall policies granting access from this alias, and then disable the default built-in policies that manage VPN traffic. However, applying the official security updates remains the only definitive solution to eliminate this serious threat.

(Source: The Hacker News)
