WatchGuard warns critical flaw in Firebox devices facing exploitation

WatchGuard warns that a critical vulnerability in its Firebox devices is being exploited as part of a campaign targeting edge devices, according to an advisory from the company.

The flaw, tracked as CVE-2025-14733, is an out-of-bounds write in the Fireware OS Internet Key Exchange (IKE) daemon process, iked. Because iked handles IKE traffic before any peer is authenticated, an unauthenticated remote attacker can achieve remote code execution on the appliance.

WatchGuard said it discovered the flaw through an internal process and issued a patch on Thursday. 

“Since the fix became available, our partners and end users have been actively patching affected Firebox appliances,” a WatchGuard spokesperson told Cybersecurity Dive. “We continue to strongly encourage timely patching as a core best practice in security hygiene.”

WatchGuard said the threat activity is part of a wider campaign targeting edge devices and internet-exposed infrastructure across many vendors. The company did not name the other vendors being targeted, nor did it attribute the exploitation to any specific threat group.

Researchers at Shadowserver on Saturday reported that up to 125,000 IP addresses were exposed and considered vulnerable.

The Cybersecurity and Infrastructure Security Agency added the flaw on Friday to its Known Exploited Vulnerabilities catalog. 

WatchGuard warned that the vulnerability affects Fireboxes configured with Mobile User VPN with IKEv2, or with a Branch Office VPN using IKEv2 where the tunnel is configured to a dynamic gateway peer, according to the advisory.

The company said the iked process will hang during successful exploitation, which interrupts VPN tunnel negotiations and rekeys, according to WatchGuard. For defenders, unexplained IKEv2 negotiation or rekey failures on an internet-facing Firebox are therefore a signal worth investigating, not just a connectivity problem.

If users cannot immediately upgrade, and the Firebox is configured only with Branch Office VPN tunnels to static gateway peers, they can follow the company's instructions for a temporary workaround. Devices that use Mobile User VPN with IKEv2, or Branch Office VPN tunnels to dynamic gateway peers, fall outside that workaround and should be patched.
