Urgent: WatchGuard Firewalls Targeted by Critical Attack (CVE-2025-14733)

Summary
– Over 115,000 internet-facing WatchGuard Firebox firewalls are vulnerable to CVE-2025-14733, a remote code execution flaw being actively exploited.
– The vulnerability is an out-of-bounds write in the Fireware OS’s IKE daemon, allowing unauthenticated attackers to execute arbitrary code remotely.
– It affects multiple Fireware OS versions, including v2025.1, v12.x, and v11.x, and impacts VPN configurations using IKEv2.
– The US cybersecurity agency CISA has mandated federal agencies to patch the flaw by December 26, urging all users to upgrade to fixed OS versions.
– Indicators of compromise include the IKED process hanging or crashing, and WatchGuard advises updating the OS and rotating all device secrets if compromised.
A significant security threat is currently targeting widely used network security appliances. Security researchers have identified active exploitation attempts against more than 115,000 internet-exposed WatchGuard Firebox firewalls. This campaign leverages a critical remote code execution flaw, tracked as CVE-2025-14733, which allows attackers to run arbitrary code without requiring authentication from a user.
The vulnerability resides within the Fireware OS, the specialized operating system running on these firewall and VPN devices. Specifically, the flaw is an out-of-bounds write issue in the IKED process. This daemon is responsible for managing the Internet Key Exchange protocol, which negotiates and authenticates VPN tunnels. Because the weakness exists in a core networking service, it presents a severe risk, enabling remote attackers to potentially take full control of the affected device.
WatchGuard initially disclosed this critical issue in mid-December, noting that threat actors were already attempting to exploit it as part of a broader assault on edge networking equipment from multiple vendors. The affected software versions include Fireware OS v2025.1, v12.x, v12.5.x on specific T15 and T35 models, v12.3.1 (a FIPS-certified release), and the older v11.x branch. The company provided important clarification, warning that devices remain vulnerable even if certain VPN configurations have been deleted, as long as a branch office VPN to a static gateway peer is still active.
The urgency of the situation is underscored by action from the US Cybersecurity and Infrastructure Security Agency (CISA), which has added CVE-2025-14733 to its Known Exploited Vulnerabilities catalog. Federal civilian agencies have been directed to apply patches by a late December deadline. For all other users, the imperative is to upgrade immediately to a patched version of Fireware OS. The fixed versions are v2025.1.4, v12.11.6, v12.5.15 and v12.3.1_Update4.
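Because Fireware maintains several parallel branches, a fleet inventory cannot simply compare version strings lexicographically ("12.6" sorts above "12.11" as text but is older). The following triage helper is an added example, not WatchGuard's or the article's code; it assumes that any release at or above the fixed version on its own branch is patched, treats the v11.x branch as affected with no fix listed in the summary above, and does not know which T15/T35 models the v12.5.15 fix applies to.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory summary above, keyed by branch.
# The 4th slot holds the "_UpdateN" number (12.3.1_Update4 -> 4).
FIXED = {
    "2025.1": (2025, 1, 4, 0),
    "12.3.1": (12, 3, 1, 4),
    "12.5": (12, 5, 15, 0),    # advisory: applies to specific T15/T35 models
    "12": (12, 11, 6, 0),
}

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'v12.3.1_Update4' into (12, 3, 1, 4); missing fields become 0."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:_Update(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]           # pad/truncate to major.minor.patch
    return (parts[0], parts[1], parts[2], int(m.group(2) or 0))

def branch_of(v: Tuple[int, int, int, int]) -> str:
    """Map a parsed version onto the advisory's branches (most specific first)."""
    major, minor, patch, _ = v
    if major == 2025 and minor == 1:
        return "2025.1"
    if major == 12 and minor == 3 and patch == 1:
        return "12.3.1"
    if major == 12 and minor == 5:
        return "12.5"
    if major == 12:
        return "12"
    if major == 11:
        return "11"
    return "other"

def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', 'vulnerable-no-fix-listed' or 'not-listed'."""
    v = parse_version(text)
    branch = branch_of(v)
    if branch == "other":
        return "not-listed"                   # family not named in the advisory
    if branch == "11":
        return "vulnerable-no-fix-listed"     # affected; only upgrading branches helps
    return "patched" if v >= FIXED[branch] else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for ver in ["v12.11.6", "12.6.3", "v12.3.1_Update4", "12.3.1", "12.5.14", "11.12.4"]:
        print(f"{ver:18} -> {assess(ver)}")
```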
Organizations must also check for signs of compromise. WatchGuard has shared specific IP addresses linked to malicious activity and key log indicators. A strong sign of attack is the IKED process hanging, which interrupts VPN negotiations. A weaker indicator is the IKED process crashing and generating a fault report, though this can happen for other reasons. If any evidence of compromise is found, it is crucial to update the OS and immediately rotate all secrets stored locally on the device.
For administrators unable to patch immediately, a temporary workaround is available. If a Firebox is configured solely with Branch Office VPN tunnels to static gateway peers, following WatchGuard’s specific recommendations for Secure Access to Branch Office VPNs that use IPSec and IKEv2 can provide a stopgap measure. However, applying the official security update remains the only definitive solution to close this dangerous vulnerability.
(Source: HelpNet Security)