A critical zero-day vulnerability in WatchGuard Firebox firewalls, tracked as CVE-2025-14733, is actively being exploited in the wild by threat actors to hijack affected devices and execute arbitrary code remotely. This out-of-bounds write flaw in the Fireware OS iked process allows unauthenticated attackers to compromise firewalls via specially crafted IKEv2 VPN connection requests, potentially leading to full device takeover.
Vulnerability Details
• Description: The issue occurs in the IKE daemon handling Mobile User VPN or Branch Office VPN configurations using IKEv2 with dynamic gateway peers. Attackers can trigger memory corruption by sending malformed IKE_AUTH requests, such as those with oversized certificate payloads (e.g., CERT size >2000 bytes) or excessively long certificate chains (>8 entries). Even if vulnerable VPN configs are deleted, the flaw may persist if a static gateway Branch Office VPN remains active.
• CVSS Score: 9.3 (Critical) – Network-accessible, low complexity, no privileges required, high impact on confidentiality, integrity, and availability.
• Impact: Successful exploitation grants remote code execution (RCE), enabling attackers to install backdoors, exfiltrate data, pivot to internal networks, or disrupt operations. Hijacked firewalls could serve as command-and-control nodes or entry points for further attacks.
Affected Products and Versions
This vulnerability impacts WatchGuard Firebox appliances running vulnerable Fireware OS versions:
• Fireware OS 2025.1: Up to 2025.1.3
• Fireware OS 12.x: Up to 12.11.5 (including T20/T25/T40/T45/T55/T70/T80/T85, M270/M290/M370/M390/M470/M570/M590/M670/M690, M440/M4600/M4800/M5600/M5800, Firebox Cloud, Firebox NV5, FireboxV)
• Fireware OS 12.5.x: Up to 12.5.14 (T15/T35 models only)
• Fireware OS 11.x: All versions (End-of-Life; no patch available)
Within the 11.x train, releases 11.10.2 through 11.12.4_Update1 are confirmed affected; they are unsupported and will not receive a fix.
Exploitation in the Wild
WatchGuard has confirmed active exploitation attempts, with threat actors scanning and targeting exposed Firebox devices. Observed indicators of compromise (IoCs) include:
• Suspicious IP Addresses (potential attacker sources): 45.95.19.50, 51.15.17.89, 172.93.107.67, 199.247.7.82
• Log Indicators: Unusual IKE_AUTH requests with oversized CERT payloads; errors related to certificate chain length; iked process crashes, hangs, or restarts; unexpected VPN negotiation failures
No specific attribution to threat groups has been publicly disclosed, but the attacks appear opportunistic, focusing on internet-exposed firewalls. CISA had not yet added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog as of December 20, 2025, though a similar prior IKEv2 flaw (CVE-2025-9242) was added in November.
Recommended Mitigation
WatchGuard urges immediate patching for all affected devices:
• Upgrade to Fireware OS 2025.1.4, 12.11.6, 12.5.15 (for T15/T35), or 12.3.1_Update4 (FIPS-certified).
• Download patches from the WatchGuard support portal and apply via Policy Manager or Web UI.
• Post-Patch Actions: If exploitation is suspected (e.g., via IoCs), rotate all locally stored secrets (pre-shared keys, passwords, certificates) to prevent persistence.
• Workaround (temporary, if patching is delayed): For devices only using Branch Office VPN to static gateways, restrict IKEv2 access per WatchGuard’s secure VPN guidelines (e.g., firewall rules blocking unsolicited IKE traffic). No full workaround exists for Mobile User VPN setups.
• Best Practices: Expose only necessary ports (UDP 500/4500 for IKEv2), monitor logs for anomalies, and segment VPN traffic.
For full technical details, refer to WatchGuard’s security advisory. Organizations should scan their networks for vulnerable Fireboxes using tools like Shodan or internal asset inventories. If you manage WatchGuard devices, prioritize this update to avoid compromise.
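To triage an internal asset inventory against the affected ranges and fixed releases listed above, the following Python script (an added example, not WatchGuard's tooling) parses Fireware OS version strings, including the `_UpdateN` suffix, and classifies each device. It assumes that any later build within the same train carries the fix and that 12.3.x devices are on the FIPS-certified train; hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed releases per Fireware train, as listed in the mitigation section above. Assumption
# (not stated by the advisory): later builds in the same train keep the fix, and 12.3.x is the FIPS train.
FIXED_RELEASE = {"2025.1": "2025.1.4", "12.x": "12.11.6", "12.5.x": "12.5.15", "12.3.x": "12.3.1_Update4"}

def parse_version(version):
    """'12.3.1_Update4' -> (12, 3, 1, 4); '12.11.5' -> (12, 11, 5, 0). Tuples compare in order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_Update(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))

def train_of(version):
    """Map a version onto the trains the advisory distinguishes; None if outside them."""
    major, minor = parse_version(version)[:2]
    if (major, minor) == (2025, 1):
        return "2025.1"
    if major == 12:
        return {5: "12.5.x", 3: "12.3.x"}.get(minor, "12.x")
    return "11.x" if major == 11 else None

def assess(version):
    """Return 'patched', 'vulnerable', 'vulnerable-eol' (no fix exists) or 'unknown'."""
    train = train_of(version)
    if train is None:
        return "unknown"
    if train == "11.x":
        return "vulnerable-eol"  # every 11.x build is affected and End-of-Life
    fixed = parse_version(FIXED_RELEASE[train])
    return "patched" if parse_version(version) >= fixed else "vulnerable"

def triage(inventory):
    """Group hostnames by assessment; inventory is {hostname: fireware_version}."""
    groups = {}
    for host, version in inventory.items():
        groups.setdefault(assess(version), []).append(host)
    return groups

# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {"fw-hq-01": "12.11.5", "fw-hq-02": "12.11.6", "fw-t35": "12.5.14",
                    "fw-2025": "2025.1.3", "fw-fips": "12.3.1_Update4", "fw-old": "11.12.4_Update1"}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(hosts)}")
```

Devices reported as `vulnerable-eol` have no patch path and need replacement or isolation; `unknown` means the version string falls outside the trains the advisory covers and should be checked by hand.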