Critical RCE flaw exposes over 115,000 WatchGuard firewalls

Summary
– Over 115,000 unpatched WatchGuard Firebox devices are exposed online and vulnerable to a critical, actively exploited remote code execution flaw (CVE-2025-14733).
– The vulnerability affects devices running specific Fireware OS versions and can be exploited remotely without authentication, primarily when configured for IKEv2 VPN.
– WatchGuard has released patches and a temporary workaround, while CISA has mandated federal agencies to apply fixes by a specific deadline due to active exploitation.
– Security monitoring by Shadowserver shows over 117,000 vulnerable instances remain exposed online following the patch release.
– This is part of a pattern, as WatchGuard devices have been targeted by similar critical vulnerabilities in recent years, prompting repeated federal directives to patch.
A significant number of internet-facing WatchGuard Firebox firewalls remain vulnerable to a critical security flaw that is already being used in active attacks. The vulnerability, identified as CVE-2025-14733, allows unauthenticated attackers to remotely execute arbitrary code on affected devices. This presents a severe risk to network security, as exploitation has low complexity and requires no user interaction.
The flaw resides in the Fireware OS `iked` process, specifically an out-of-bounds write issue. It impacts Firebox models running Fireware OS versions 11.x and later, 12.x and later, and 2025.1 up to 2025.1.3. Importantly, an unpatched device is only susceptible if it is configured for IKEv2 VPN functionality. This includes both mobile user VPNs and branch office VPNs (BOVPN) configured with a dynamic gateway peer. WatchGuard has cautioned that even if vulnerable configurations are removed, a firewall may still be at risk if a BOVPN to a static gateway peer remains active.
In response to the active exploitation, WatchGuard has released security patches and provided detailed indicators of compromise to help organizations identify potentially breached appliances. For administrators who cannot apply updates immediately, the company suggests a temporary workaround. This involves disabling dynamic peer BOVPNs, adding new firewall policies, and disabling the default system policies that manage VPN traffic. Any firewall showing signs of compromise should have all locally stored secrets rotated immediately.
Internet scans by the Shadowserver Foundation revealed over 124,000 unpatched Firebox instances accessible online shortly after the disclosure, with the number still exceeding 117,000 the following day. The urgency of the situation was underscored when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added this flaw to its Known Exploited Vulnerabilities catalog. CISA mandated all federal civilian executive branch agencies to patch their vulnerable Firebox firewalls within one week, citing the significant risk such vulnerabilities pose as frequent attack vectors.
This incident follows a pattern of similar critical flaws in WatchGuard’s firewall products. In September, the company patched a nearly identical remote code execution vulnerability tracked as CVE-2025-9242, which was later found to affect tens of thousands of devices. CISA also flagged that earlier flaw as actively exploited. Two years prior, agencies were ordered to patch another exploited WatchGuard vulnerability, CVE-2022-23176. Given that WatchGuard’s technology protects the networks of hundreds of thousands of small and mid-sized businesses globally through its partner network, the widespread impact of such vulnerabilities is considerable.
(Source: Bleeping Computer)