WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks.
Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code.
“This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” the company said in a Thursday advisory.
“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”
The vulnerability impacts the following versions of Fireware OS –
- 2025.1 – Fixed in 2025.1.4
- 12.x – Fixed in 12.11.6
- 12.5.x (T15 & T35 models) – Fixed in 12.5.15
- 12.3.1 (FIPS-certified release) – Fixed in 12.3.1_Update4 (B728352)
- 11.x (11.10.2 up to and including 11.12.4_Update1) – End-of-Life
WatchGuard acknowledged that it has observed threat actors actively attempting to exploit this vulnerability in the wild, with the attacks originating from the following IP addresses –
Interestingly, the IP address “199.247.7[.]82” was also flagged by Arctic Wolf earlier this week as linked to the exploitation of two recently disclosed security vulnerabilities in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8).
The Seattle-based company has also shared multiple indicators of compromise (IoCs) that device owners can use to determine if their own instances have been infected –
- A log message stating “Received peer certificate chain is longer than 8. Reject this certificate chain” when the Firebox receives an IKE2 Auth payload with more than 8 certificates
- An IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes)
- During a successful exploit, the iked process will hang, interrupting VPN connections
- After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox
The disclosure comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical WatchGuard Fireware OS flaw (CVE-2025-9242, CVSS score: 9.3) to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation.
It’s currently not known if these two sets of attacks are related. Users are advised to apply the updates as soon as possible to secure against the threat.
As temporary mitigation for devices with vulnerable Branch Office VPN (BOVPN) configurations, the company has urged administrators to disable dynamic peer BOVPNs, create an alias that includes the static IP addresses of remote BOVPN peers, add new firewall policies that allow access from the alias, and disable the default built-in policies that handle VPN traffic.
Update
CISA, on December 19, 2025, added CVE-2025-14733 to its KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by December 26, 2025.
Data from the Shadowserver Foundation shows that there are 117,490 internet-exposed WatchGuard instances vulnerable to the shortcoming. Of these, more than 35,600 instances are located in the U.S., followed by 13,000 in Germany, 11,300 in Italy, 9,000 in the U.K., and 5,800 in Canada.
“Threat actors are attempting to exploit this vulnerability as part of a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors,” WatchGuard said.
