WatchGuard 0-day Vulnerability Exploited in the Wild to Hijack Firewalls


WatchGuard has released an urgent security update for a critical zero-day vulnerability in its Firebox firewalls, warning that attackers are already exploiting the flaw in the wild to take control of affected devices.

The vulnerability, tracked as CVE-2025-14733, carries a critical severity score of 9.3 out of 10. It allows an unauthenticated remote attacker to execute arbitrary code on the firewall, with no username or password required.

The issue is described as an out-of-bounds write in the iked process, the daemon that handles IKE negotiation for the device's VPN connections.

Specifically, the flaw is reachable through the Mobile User VPN and Branch Office VPN features when they are configured with IKEv2, and it is triggered while the process handles an incoming connection request.

An attacker who sends a specially crafted request can corrupt the process's memory and hijack the firewall.

WatchGuard noted that deleting a vulnerable VPN configuration does not necessarily remove the exposure: the device may remain at risk if a Branch Office VPN with a static gateway is still configured.


Active 0-Day Exploitation Detected

WatchGuard confirmed it has "observed threat actors actively attempting to exploit this vulnerability." To help administrators defend their networks, it released specific indicators of compromise (IoCs).

Suspicious IP addresses (each flagged by WatchGuard as a strong sign of attack-related traffic):

45.95.19[.]50
51.15.17[.]89
172.93.107[.]67
199.247.7[.]82

Administrators should check their logs for the following indicators:

Large certificate payloads: logs show an IKE_AUTH request with a CERT payload larger than 2000 bytes.
Long certificate chains: errors report "Received peer certificate chain is longer than 8".
Process crashes: the iked process suddenly hangs or crashes, which may signal an exploit attempt.
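As an added example, not taken from WatchGuard's advisory or from this article: a small Python scanner that applies the three log indicators and the four IP addresses above to a set of constructed sample log lines. The log line wording ("IKE_AUTH ... CERT size N", "iked process crashed") is assumed for illustration; real Firebox logs are formatted differently, so the regular expressions should be adapted to what the device actually emits before running this against production logs.

```python
import re
from dataclasses import dataclass

# IoC addresses from the advisory, listed defanged and un-defanged here so
# they match the dotted form found in live logs.
SUSPICIOUS_IPS = {
    s.replace("[.]", ".")
    for s in ("45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82")
}
CERT_SIZE_THRESHOLD = 2000  # IKE_AUTH CERT payloads larger than this are flagged
CHAIN_LIMIT_MESSAGE = "Received peer certificate chain is longer than"

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Assumed wording: "... IKE_AUTH ... CERT size <bytes>"; adapt to real Firebox logs.
CERT_SIZE_RE = re.compile(r"IKE_AUTH.*?\bCERT\s+size\s*[=:]?\s*(\d+)", re.IGNORECASE)
CHAIN_RE = re.compile(re.escape(CHAIN_LIMIT_MESSAGE) + r"\s*(\d+)", re.IGNORECASE)
# The iked process hanging, crashing or restarting unexpectedly (assumed wording).
IKED_CRASH_RE = re.compile(
    r"\biked\b.*\b(crash\w*|hang\w*|hung|restart\w*|segfault\w*|core\s+dump\w*)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    detail: str


def scan_line(line_no: int, line: str) -> list:
    """Return every indicator present in a single log line."""
    found = []
    for ip in IP_RE.findall(line):
        if ip in SUSPICIOUS_IPS:
            found.append(Finding(line_no, "suspicious_ip", ip))
    m = CERT_SIZE_RE.search(line)
    if m and int(m.group(1)) > CERT_SIZE_THRESHOLD:
        found.append(Finding(line_no, "large_cert_payload",
                             f"CERT size {m.group(1)} bytes > {CERT_SIZE_THRESHOLD}"))
    m = CHAIN_RE.search(line)
    if m:
        found.append(Finding(line_no, "long_cert_chain",
                             f"peer chain longer than {m.group(1)}"))
    m = IKED_CRASH_RE.search(line)
    if m:
        found.append(Finding(line_no, "iked_crash", m.group(1)))
    return found


def scan_logs(lines) -> list:
    """Scan an iterable of log lines; returns all findings in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(n, line))
    return findings


def needs_secret_rotation(findings) -> bool:
    """Any evidence of targeting means patching alone is not enough: the advisory
    says shared secrets and credentials stored on the device must be rotated."""
    return bool(findings)


# Constructed sample log lines (not real Firebox output). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for benign peers.
SAMPLE_LOG = """\
2025-12-17T10:01:02 iked: IKE_AUTH received from 203.0.113.10 CERT size 1024
2025-12-17T10:01:09 iked: IKE_AUTH received from 45.95.19.50 CERT size 4096
2025-12-17T10:01:10 iked: Received peer certificate chain is longer than 8
2025-12-17T10:01:11 kernel: iked process crashed, restarting
2025-12-17T10:02:00 iked: IKE_SA_INIT received from 198.51.100.7
"""

if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"line {f.line_no}: {f.indicator} ({f.detail})")
    if needs_secret_rotation(results):
        print("Evidence of targeting: patch, then rotate all shared secrets on the device.")
```

On the constructed sample the scanner reports four findings: the second line matches both the IP list and the oversized CERT payload, the third line carries the long-chain error, and the fourth records the iked crash. A single match on any indicator is treated as evidence of targeting, which is the conservative reading of the advisory's guidance.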

WatchGuard has released software updates to fix the issue. Admins should upgrade to the following versions immediately:

Fireware OS 2025.1: upgrade to 2025.1.4
Fireware OS 12.x: upgrade to 12.11.6
Fireware OS 12.5.x (Firebox T15 and T35 models): upgrade to 12.5.15

If you find evidence that your device was targeted, installing the patch alone is not enough. WatchGuard recommends rotating all shared secrets (passwords and keys) stored on the device, since an attacker who gained code execution on the firewall may have read them.
