WatchGuard Firebox firewalls under attack (CVE-2025-14733)


More than 115,000 internet-facing WatchGuard Firebox firewalls may be vulnerable to compromise via CVE-2025-14733, a remote code execution vulnerability actively targeted by attackers, Shadowserver’s latest scanning reveals.

About CVE-2025-14733

WatchGuard Firebox firewalls, which also incorporate VPN and unified threat management capabilities, are used by organizations around the world. The appliances run the Fireware OS, a network security operating system built on a hardened Linux-based kernel.

WatchGuard disclosed CVE-2025-14733 on December 18, when it also revealed “threat actors are attempting to exploit this vulnerability as part of a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors.”

CVE-2025-14733 is an out-of-bounds write vulnerability in Fireware OS's IKED process, i.e., the IKE daemon that negotiates, authenticates, and manages VPN tunnels.

The flaw can be triggered by remote, unauthenticated attackers and may allow them to execute arbitrary code, with no user action required.

CVE-2025-14733 affects Fireware OS v2025.1, v12.x, v12.5.x (on T15 & T35 models), v12.3.1 (FIPS-certified release), and v11.x.

“This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer. If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured,” WatchGuard warned.

CVE-2025-14733 strongly resembles CVE-2025-9242, another Fireware OS pre-auth RCE flaw that has been exploited by attackers this year.

What to do?

The US Cybersecurity and Infrastructure Security Agency added CVE-2025-14733 to its Known Exploited Vulnerabilities catalog and has ordered US federal civilian agencies to remediate it by December 26.

Users have been urged to upgrade to the fixed Fireware OS release for their branch (v2025.1.4, v12.11.6, v12.5.15 or 12.3.1_Update4 (B728352)) and to check their devices for indicators of compromise.

WatchGuard shared four IP addresses associated with known threat actor activity, as well as log messages that could point to attackers having targeted their device.

“During a successful exploit, the IKED process (responsible for handling IKE negotiations) will hang, interrupting VPN tunnel negotiations and re-keys. This is a strong indicator of attack. Existing tunnels may continue to pass traffic,” the company explained.

“After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox. Be aware, there are other situations that could cause the IKED process to crash. This is a weak indicator of attack.”

Customers who find evidence of compromise should update the OS and immediately rotate all secrets locally stored on the device(s).

“If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround,” the company concluded.
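The affected versions, the exposing VPN configurations, the fixed releases and the static-peer-only workaround described above can be folded into one triage pass over a device inventory. The following is an added example written for this page, not WatchGuard tooling: it encodes only the version and configuration conditions stated in the advisory as summarised above, and the inventory records and field names (muvpn_ikev2, bovpn_ikev2_dynamic, bovpn_static, ikev2_config_deleted) are constructed assumptions for illustration. The deleted-configuration case, which the advisory says "may still" leave a device vulnerable, is deliberately treated as exposed.

```python
"""Exposure triage for CVE-2025-14733 across a Firebox inventory.

Added example, not WatchGuard code. Affected branches, fixed releases and the
exposing VPN configurations come from the advisory summarised above; the
inventory and its field names are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by branch prefix.
FIXED_BY_BRANCH = {
    (2025, 1): (2025, 1, 4),
    (12, 5): (12, 5, 15),       # T15 / T35 models
    (12, 11): (12, 11, 6),      # upgrade target for every other 12.x build
}
FIPS_FIXED_UPDATE = 4           # 12.3.1_Update4 (B728352)


def parse_version(text):
    """Turn 'v12.3.1_Update4' into ((12, 3, 1), 4); the update is 0 when absent."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)(?:_Update(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    update = int(m.group(2)) if m.group(2) else 0
    return nums, update


def version_status(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for a Fireware OS version string."""
    nums, update = parse_version(text)
    major = nums[0]
    if major == 11:
        # v11.x is listed as affected and no fixed 11.x release is named.
        return "vulnerable"
    if major == 2025:
        if nums[:2] != (2025, 1):
            return "unknown"      # only v2025.1 is covered by the advisory
        return "fixed" if nums >= FIXED_BY_BRANCH[(2025, 1)] else "vulnerable"
    if major == 12:
        if nums[:3] == (12, 3, 1):                 # FIPS-certified line
            return "fixed" if update >= FIPS_FIXED_UPDATE else "vulnerable"
        if nums[:2] == (12, 5):
            return "fixed" if nums >= FIXED_BY_BRANCH[(12, 5)] else "vulnerable"
        return "fixed" if nums >= FIXED_BY_BRANCH[(12, 11)] else "vulnerable"
    return "unknown"


@dataclass
class Firebox:
    name: str
    version: str
    muvpn_ikev2: bool = False           # mobile user VPN with IKEv2 configured now
    bovpn_ikev2_dynamic: bool = False   # BOVPN using IKEv2 to a dynamic gateway peer, now
    bovpn_static: bool = False          # any BOVPN to a static gateway peer
    ikev2_config_deleted: bool = False  # one of the first two existed before and was removed


def config_exposed(fb):
    """Apply the advisory's configuration conditions; the deleted-config case counts as exposed."""
    if fb.muvpn_ikev2 or fb.bovpn_ikev2_dynamic:
        return True
    # A previously configured (now deleted) IKEv2 MUVPN or dynamic-peer BOVPN "may still"
    # leave the device vulnerable while a static-peer BOVPN remains: treat as exposed.
    return fb.ikev2_config_deleted and fb.bovpn_static


def triage(fb):
    """One verdict per device: patched, unknown-version, upgrade-now, upgrade-or-workaround, upgrade-scheduled."""
    status = version_status(fb.version)
    if status != "vulnerable":
        return "patched" if status == "fixed" else "unknown-version"
    if not config_exposed(fb):
        # The build is affected even without a listed exposing configuration: still upgrade.
        return "upgrade-scheduled"
    if fb.bovpn_static and not (fb.muvpn_ikev2 or fb.bovpn_ikev2_dynamic):
        # Static-peer-only BOVPN: the advisory's interim workaround applies until upgraded.
        return "upgrade-or-workaround"
    return "upgrade-now"


def triage_fleet(fleet):
    return {fb.name: triage(fb) for fb in fleet}


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Firebox("hq-m390", "v12.11.6", muvpn_ikev2=True),
    Firebox("branch-t35", "12.5.14", bovpn_static=True, ikev2_config_deleted=True),
    Firebox("lab-fips", "12.3.1_Update3", muvpn_ikev2=True),
    Firebox("dc-2025", "v2025.1.2", bovpn_ikev2_dynamic=True, bovpn_static=True),
    Firebox("legacy-t30", "11.12.4"),
]

if __name__ == "__main__":
    for name, verdict in triage_fleet(SAMPLE_FLEET).items():
        print(f"{name:12} {verdict}")
```

Two design choices are worth spelling out. Any 12.x build other than the 12.5 and 12.3.1 lines is compared against 12.11.6, because that is the only fixed release the advisory names for the general 12.x branch; a 12.10 build is therefore reported as vulnerable rather than as "no fix applies". And the "upgrade-or-workaround" verdict is only emitted when the device's sole IKEv2 exposure is a static-peer BOVPN, mirroring the precondition WatchGuard attaches to its temporary workaround.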
