The Shadowserver Foundation identified approximately 125,000 WatchGuard Firebox firewall devices worldwide at risk due to a critical vulnerability actively exploited.
The flaw, tracked as CVE-2025-14733, enables unauthenticated remote attackers to execute arbitrary code on unpatched devices with minimal effort.
The vulnerability stems from an out-of-bounds write flaw in the WatchGuard Fireware OS IKEv2 VPN key exchange process.
With a CVSS score of 9.8, this critical flaw requires no user interaction. It can be exploited over the network without authentication.
| CVE ID | Vulnerability Type | CVSS Score | Affected Component | Attack Vector |
|---|---|---|---|---|
| CVE-2025-14733 | Out-of-Bounds Write | 9.8 | WatchGuard Fireware OS iked process |
Network (Unauthenticated) |
Massive Exposure Discovered
WatchGuard confirmed that threat actors are actively attempting exploitation in the wild, making this a genuine zero-day threat for organizations that have not yet patched.
The vulnerability affects explicitly mobile user VPN configurations with IKEv2 and branch office VPN setups using IKEv2 with dynamic gateway peers.
Hazardous is a “zombie configuration” scenario: even if administrators deleted vulnerable VPN settings. Firewalls may remain compromised if branch-office VPN tunnels to static-gateway peers remain in place.
The vulnerability impacts multiple Fireware OS versions.
| Fireware Version | Status | Required Action |
|---|---|---|
| 2025.1 (≤ 2025.1.3) | Vulnerable | Upgrade to 2025.1.4 |
| 12.x (≤ 12.11.5) | Vulnerable | Upgrade to 12.11.6 |
| 12.5.x | Vulnerable | Upgrade to 12.5.15 |
| 12.3.1 (FIPS) | Vulnerable | Update to 12.3.1 Update 4 |
| 11.x | End of Life | Full upgrade required |
The scale of exposure is alarming. Shadowserver’s scan identified vulnerable devices worldwide, with concentrations in North America and Europe.
This mirrors a previous incident in which Shadowserver identified more than 75,000 unpatched Firebox devices vulnerable to CVE-2025-9242.
WatchGuard provided specific indicators of compromise, including four IP addresses directly linked to active exploitation attempts.
Organizations should review firewall logs for certificate chain anomalies and abnormally large IKE_AUTH payloads exceeding 2,000 bytes.
Organizations must prioritize updating all Firebox devices immediately. Security teams should monitor for suspicious VPN activities and review audit logs for indicators of attack.
Rotate all locally stored credentials on potentially compromised appliances. Given active exploitation, delays substantially increase breach risk.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
