Critical IKEv2 VPN Vulnerability in WatchGuard Fireware OS – CVE-2025-14733

Security Advisory
December 22, 2025
Kudelski Security Team

Summary

WatchGuard has released security updates to remediate a critical vulnerability in Fireware OS that is being actively exploited in the wild. The flaw, tracked as CVE-2025-14733 with a CVSS score of 9.3, is an out-of-bounds write vulnerability in the iked (IKE daemon) process. Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code, potentially leading to full compromise of affected Firebox devices.

The vulnerability affects Fireboxes using IKEv2-based VPN configurations, particularly those involving dynamic gateway peers. WatchGuard has confirmed real-world exploitation attempts and released fixed versions across supported Fireware OS branches. Immediate patching or mitigation is strongly recommended.

Affected Systems and/or Applications

The vulnerability impacts WatchGuard Firebox appliances running Fireware OS under the following conditions:

Affected VPN Configurations

  • Mobile User VPN with IKEv2
  • Branch Office VPN (BOVPN) using IKEv2 with a dynamic gateway peer
  • Devices that previously used IKEv2 dynamic gateways may remain vulnerable even if those configurations were later deleted

Affected Fireware OS Versions

  • Fireware OS 2025.1 – Fixed in 2025.1.4
  • Fireware OS 12.x – Fixed in 12.11.6
  • Fireware OS 12.5.x (T15 & T35 models) – Fixed in 12.5.15
  • Fireware OS 12.3.1 (FIPS-certified) – Fixed in 12.3.1_Update4 (B728352)
  • Fireware OS 11.x (11.10.2 to 11.12.4_Update1) – End-of-Life (no fix available)

Technical Details

CVE-2025-14733 is a critical vulnerability in WatchGuard Fireware OS that affects the iked process, which is responsible for handling IKEv2 VPN connections. The flaw is an out-of-bounds write that can be triggered by a specially crafted IKEv2 message, allowing a remote, unauthenticated attacker to execute arbitrary code on the affected device. This vulnerability primarily impacts Fireboxes configured with mobile user VPNs using IKEv2 or branch office VPNs (BOVPNs) using IKEv2 with a dynamic gateway peer. Devices that previously used dynamic peers may still remain vulnerable even if those configurations were removed, provided a branch office VPN with a static gateway peer is still configured.

WatchGuard has observed active exploitation attempts originating from multiple IP addresses, including:

  • 45.95.19[.]50
  • 51.15.17[.]89
  • 172.93.107[.]67
  • 199.247.7[.]82

Attackers exploit the flaw by sending malformed IKEv2 messages, which can cause the iked process to hang or crash, interrupting VPN connections and generating fault reports.

Mitigation

The primary and most effective way to protect Firebox devices from CVE-2025-14733 is to upgrade Fireware OS to the latest fixed version appropriate for the device model and OS branch. WatchGuard has released patches for all supported versions, and applying these updates will fully remediate the vulnerability and prevent exploitation. For devices running end-of-life versions, replacement or upgrade to a supported OS is strongly recommended, as no security fixes are available.

For organizations that cannot immediately apply the updates, WatchGuard has provided a temporary mitigation specifically for Branch Office VPN (BOVPN) configurations using dynamic peers. Administrators should:

  • Disable all dynamic peer BOVPNs
  • Create an alias that includes the static IP addresses of all remote BOVPN peers
  • Configure new firewall policies to explicitly allow traffic from this alias
  • Disable the default built-in policies that automatically handle VPN traffic

Administrators should also monitor Fireboxes for the following indicators of compromise (IoCs):

  • Log message stating: “Received peer certificate chain is longer than 8. Reject this certificate chain” when an IKEv2 Auth payload contains more than eight certificates
  • IKE_AUTH request log messages with an unusually large CERT payload size, greater than 2000 bytes
  • Hangs of the iked process, causing VPN connection interruptions
  • Crashes of the iked process and generation of a fault report after a failed or successful exploit
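As an added example (not code from the advisory or from WatchGuard), the following Python scanner applies the indicators listed above to Firebox log lines. The certificate-chain message is quoted verbatim from the advisory; the line layouts assumed for the CERT payload size and the iked fault messages are assumptions, and the sample log is constructed.

```python
import re

# Indicator quoted from the advisory above.
CHAIN_TOO_LONG_MSG = ("Received peer certificate chain is longer than 8. "
                      "Reject this certificate chain")
CERT_PAYLOAD_THRESHOLD = 2000  # bytes; the advisory flags CERT payloads above this
# Source addresses listed in the advisory, kept in defanged form and re-fanged for matching.
KNOWN_SOURCES = {ip.replace("[.]", ".") for ip in
                 ("45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82")}

# Assumed message layouts: the advisory names the event and the threshold but not
# the exact wording, so these patterns are assumptions about the log format.
CERT_SIZE_RE = re.compile(r"IKE_AUTH request.*?CERT payload size[=: ]+(\d+)", re.I)
SRC_IP_RE = re.compile(r"(?:from|peer)[=: ]+(\d{1,3}(?:\.\d{1,3}){3})")
IKED_FAULT_RE = re.compile(r"\biked\b.*?(hang|crash|fault report)", re.I)


def classify_line(line):
    """Return the indicator tags matched by one log line (empty list if none)."""
    tags = []
    if CHAIN_TOO_LONG_MSG in line:
        tags.append("cert_chain_gt_8")
    m = CERT_SIZE_RE.search(line)
    if m and int(m.group(1)) > CERT_PAYLOAD_THRESHOLD:
        tags.append("cert_payload_gt_2000")
    m = SRC_IP_RE.search(line)
    if m and m.group(1) in KNOWN_SOURCES:
        tags.append("known_exploit_source")
    if IKED_FAULT_RE.search(line):
        tags.append("iked_fault")
    return tags


def scan(lines):
    """Return (1-based line number, tags) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify_line(line)
        if tags:
            hits.append((n, tags))
    return hits


# Constructed sample log, not real Firebox output.
SAMPLE_LOG = """\
2025-12-20 03:14:07 iked: Received peer certificate chain is longer than 8. Reject this certificate chain. peer=45.95.19.50
2025-12-20 03:14:08 iked: IKE_AUTH request from 51.15.17.89, CERT payload size=4096 bytes
2025-12-20 03:15:00 iked: IKE_AUTH request from 198.51.100.7, CERT payload size=1200 bytes
2025-12-20 03:15:30 iked: IKE_SA_INIT request from 203.0.113.9
2025-12-20 03:16:02 kernel: iked process crashed, fault report generated
"""

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {', '.join(tags)}")
```

Feed real exported Firebox logs through `scan()` once the two assumed patterns are adjusted to the device's actual message wording.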

Given the critical nature of this vulnerability and evidence of real-world attacks, timely patching or mitigation is essential. Administrators are strongly encouraged to implement these updates and monitoring measures immediately to reduce the risk of compromise.

What the Cyber Fusion Center is Doing

The CFC is actively monitoring the situation and will update this advisory accordingly. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans, as soon as a relevant plugin is made available by the scan provider.

Tenable ID:

  • 279436 - WatchGuard Firebox OS 11.x / 12.x < 12.3.1_Update4 12.4.x < 12.5.15 / 12.6.x < 12.11.6 / 2025.x < 2025.1.4 Out of Bounds Write (CVE-2025-14733)

Qualys ID:

  • As of now, Qualys has not published an official plugin for this vulnerability
