WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls.
Tracked as CVE-2025-14733, this security flaw affects firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely on unpatched devices, following successful exploitation in low-complexity attacks that don’t require user interaction.
While unpatched Firebox firewalls are only vulnerable to attacks if configured to use IKEv2 VPN, WatchGuard noted they might still be compromised, even if the vulnerable configurations have been deleted, if a branch office VPN to a static gateway peer is still configured.
“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured,” WatchGuard explained in a Thursday advisory.
“WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild,” the company warned.
The company also provided a temporary workaround for organizations that can’t immediately patch devices with vulnerable Branch Office VPN (BOVPN) configurations, requiring admins to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic.
| Product Branch | Vulnerable firewall models |
|---|---|
| Fireware OS 12.5.x | T15, T35 |
| Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |
| Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
WatchGuard shared indicators of compromise to help customers check whether their Firebox devices have been compromised, and advised those who find any signs of malicious activity to rotate all locally stored secrets on vulnerable appliances.
In September, WatchGuard patched another (almost identical) remote code execution vulnerability impacting its Firebox firewalls (CVE-2025-9242). One month later, the Internet watchdog Shadowserver found over 75,000 Firebox firewalls vulnerable to CVE-2025-9242 attacks, most of them in North America and Europe.
After three weeks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) tagged the vulnerability as actively exploited in the wild and ordered federal agencies to secure their WatchGuard Firebox firewalls from ongoing attacks.
Two years ago, CISA ordered U.S. government agencies to patch one more actively exploited WatchGuard flaw (CVE-2022-23176) impacting Firebox and XTM firewall appliances.
WatchGuard partners with more than 17,000 service providers and security resellers to protect the networks of over 250,000 small and mid-sized companies worldwide.
Broken IAM isn’t just an IT problem – the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what “good” IAM looks like, and a simple checklist for building a scalable strategy.