
Critical RCE flaw impacts over 115,000 WatchGuard firewalls

Published: 22 December 2025 at 09:00:55

Alert date: 22 December 2025 at 10:02:33

Source: bleepingcomputer.com


Network Infrastructure, Zero-Day Vulnerabilities, Critical Infrastructure

Over 115,000 WatchGuard Firebox firewall devices exposed online remain unpatched against a critical remote code execution vulnerability that is being actively exploited in attacks. The vulnerability affects a significant number of internet-facing devices, creating a substantial security risk for organizations using these firewall appliances. The active exploitation of this flaw makes it a high-priority security concern requiring immediate patching.

Technical details

CVE-2025-14733 is an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process that allows remote unauthenticated attackers to execute arbitrary code. The vulnerability affects Firebox firewalls configured for IKEv2 VPN, specifically mobile user VPN with IKEv2 and branch office VPN using IKEv2 when configured with a dynamic gateway peer. Exploitation is low-complexity and requires no user interaction. Even if vulnerable configurations are removed, firewalls may still be at risk if Branch Office VPN (BOVPN) to a static gateway peer is configured.

Mitigation steps:

Apply security updates immediately as provided by WatchGuard. For those unable to patch immediately: disable dynamic peer BOVPNs, add new firewall policies, and disable default system policies that handle VPN traffic. Rotate all locally stored secrets on vulnerable firewalls if signs of compromise are found. Federal agencies must patch by December 26th per CISA BOD 22-01. Organizations should discontinue use if mitigations are unavailable.

Affected products:

WatchGuard Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1)
WatchGuard Firebox firewalls running Fireware OS 12.x or later (including 12.11.5)
WatchGuard Firebox firewalls running Fireware OS 2025.1 up to and including 2025.1.3
WatchGuard XTM firewall appliances

IOCs:

WatchGuard has shared indicators of compromise to help customers identify compromised Firebox appliances on their network.

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
