WatchGuard has issued an urgent patch alert for its Firebox firewall appliances after discovering a critical-rated vulnerability that is under exploit by threat actors.
Tracked as CVE-2025-14733, with a CVSS score of 9.3, the flaw is an out-of-bounds write in the iked process, the Fireware OS component that handles the IKEv2 key exchange for IPsec VPNs.
According to the WatchGuard advisory, this weakness could “allow a remote unauthenticated attacker to execute arbitrary code,” taking control of the appliance through remote code execution (RCE) without having to log in.
Because it was being exploited before WatchGuard made a patch available on December 18, CVE-2025-14733 is a bona fide zero-day vulnerability. The first job for admins should therefore be to check Firebox appliances for signs of current or recent compromise before, or at least alongside, patching.
WatchGuard’s advisory lists four IP addresses associated with exploitation; outbound traffic to them is “a strong indicator of compromise,” while inbound connections from them “could indicate reconnaissance efforts or exploit attempts,” the advisory said. With logging enabled, two further strong indicators are an IKE_AUTH request log message carrying an abnormally large CERT payload (more than 2,000 bytes), or evidence that the iked process has hung, the company said.
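The three indicator classes above (inbound versus outbound traffic involving the listed addresses, an oversized CERT payload in an IKE_AUTH request, and an iked hang) translate directly into a log triage rule. The script below is an added illustration, not WatchGuard tooling or code from the CSO article: the log line syntax is constructed for the example and the regexes must be adapted to the real Firebox log format, and the indicator addresses are RFC 5737 documentation placeholders standing in for the four addresses in the advisory. It keeps the advisory's severity distinction, treating outbound connections, large CERT payloads and hangs as strong signals and inbound connections as possible reconnaissance.

```python
"""Triage helper for the CVE-2025-14733 indicators described above.

Added example, not WatchGuard tooling. Log syntax and indicator addresses
are assumptions; replace both before using this against real logs.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Placeholder indicator set (assumption): RFC 5737 documentation addresses,
# NOT the four addresses from the WatchGuard advisory.
IOC_ADDRESSES = frozenset(ipaddress.ip_address(a) for a in (
    "192.0.2.10", "198.51.100.23", "203.0.113.77", "203.0.113.78",
))

# Advisory threshold: a CERT payload larger than 2,000 bytes is abnormal.
CERT_PAYLOAD_THRESHOLD = 2000

# Constructed log grammar (assumption, not the real Firebox format):
#   <ts> iked IKE_AUTH request from peer src=<ip> cert_len=<bytes>
#   <ts> iked hang detected ...
#   <ts> fw dir=in|out src=<ip> dst=<ip> ...
IKE_AUTH_RE = re.compile(
    r"IKE_AUTH request\b.*?\bsrc=(?P<src>[\d.]+)\b.*?\bcert_len=(?P<cert_len>\d+)")
HANG_RE = re.compile(r"\biked\b.*\bhang\b", re.IGNORECASE)
TRAFFIC_RE = re.compile(
    r"\bdir=(?P<dir>in|out)\b.*?\bsrc=(?P<src>[\d.]+)\b.*?\bdst=(?P<dst>[\d.]+)")

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Finding:
    severity: str   # "strong" (treat as compromise) or "possible" (recon/attempt)
    reason: str
    line: str


def _ip(text: str) -> Optional[Address]:
    """Parse an address, returning None for garbage rather than raising."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(line: str) -> Optional[Finding]:
    """Map one log line to a finding, or None if it matches no indicator."""
    m = IKE_AUTH_RE.search(line)
    if m:
        size = int(m["cert_len"])
        if size > CERT_PAYLOAD_THRESHOLD:   # strictly greater, per the advisory
            return Finding("strong", f"IKE_AUTH with {size}-byte CERT payload from {m['src']}", line)
        return None
    if HANG_RE.search(line):
        return Finding("strong", "iked process hang", line)
    m = TRAFFIC_RE.search(line)
    if m:
        src, dst = _ip(m["src"]), _ip(m["dst"])
        if m["dir"] == "out" and dst in IOC_ADDRESSES:
            return Finding("strong", f"outbound connection to indicator {dst}", line)
        if m["dir"] == "in" and src in IOC_ADDRESSES:
            return Finding("possible", f"inbound connection from indicator {src}", line)
    return None


def analyze(lines) -> List[Finding]:
    """Run classify() over an iterable of log lines, keeping only hits."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log (not real traffic): one hit of each indicator class
# plus two benign lines, including an IKE_AUTH with a normal-sized CERT.
SAMPLE_LOG = """\
2025-12-18T03:14:07Z iked IKE_AUTH request from peer src=198.51.100.23 cert_len=4120
2025-12-18T03:14:09Z iked hang detected, restarting
2025-12-18T03:15:00Z fw dir=out src=10.0.0.1 dst=203.0.113.77 proto=tcp dport=443
2025-12-18T03:16:30Z fw dir=in src=203.0.113.78 dst=10.0.0.1 proto=udp dport=500
2025-12-18T03:17:00Z iked IKE_AUTH request from peer src=10.0.0.22 cert_len=1350
2025-12-18T03:18:00Z fw dir=out src=10.0.0.1 dst=8.8.8.8 proto=udp dport=53
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.reason}")
```

Any "strong" finding should be treated as confirmed threat actor activity for the purposes of the advisory's secret-rotation guidance; a lone "possible" finding is a prompt to pull more logs, not proof of compromise.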
Affected Fireware OS versions are 2025.1 up to and including 2025.1.3, 12.0 up to and including 12.11.5, and legacy 11.10.2 up to and including 11.12.4_Update1.
The resolved versions are 2025.1.4, 12.11.6, 12.5.15 (T15 & T35 models), and 12.3.1_Update4 (B728352) for the FIPS-certified release. There is no fix for 11.x, which is considered end of life.
Importantly, WatchGuard warned, patching may not be enough: “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”
And some admins have even more post-patching tasks to perform, it said, noting, “in addition to installing the latest Fireware OS that contains the fix, administrators that have confirmed threat actor activity on their Firebox appliances must take precautions to rotate all locally stored secrets on vulnerable Firebox appliances.”
Deja vu
In September, WatchGuard patched a similar Firebox vulnerability, CVE-2025-9242, also in the iked process and also rated CVSS 9.3. At the time, WatchGuard said there were no reports of active exploitation, but by October the company had revised that assessment after exploitation attempts were detected.
This is a reminder not to read initial vulnerability assessments for this type of infrastructure too optimistically — exploitation is frequently detected after a flaw has been made public. Firewalls and VPNs are major targets for cybercriminals, and every significant vulnerability in them represents a clear and present cyber security risk.
Unfortunately, the evidence shows that some WatchGuard customers don’t patch vulnerabilities as quickly as they should. In October, a scan by The Shadowserver Foundation found that over 71,000 Firebox appliances had not yet been patched for CVE-2025-9242, including 23,000 in the US. Despite its zero-day status, it’s likely to be a similar story for CVE-2025-14733.
Slow or reluctant patching might also explain why Russian-aligned ‘Sandworm’ hackers were recently discovered to be targeting WatchGuard Firebox and XTM appliances by exploiting CVEs dating back several years.
Source: WatchGuard fixes ‘critical’ zero-day allowing firewall takeover | CSO Online