WatchGuard Firebox Zero-Day CVE-2025-14733 Actively Exploited, 125K Devices Exposed

WatchGuard has disclosed and patched a critical zero-day vulnerability in its Firebox firewalls that attackers are already exploiting in the wild. The flaw affects over 125,000 internet-exposed devices, with nearly 40,000 located in the United States alone. Organizations running affected firmware should treat this as an emergency patching situation.

TL;DR

• What happened: Critical RCE vulnerability CVE-2025-14733 in WatchGuard Firebox VPN components is being actively exploited
• Who's affected: Organizations using Firebox devices with mobile VPN (IKEv2) or branch office VPN configurations
• Severity: Critical (CVSS 9.3) - Unauthenticated remote code execution
• Action required: Immediately update to Fireware OS 2025.1.4, 12.11.6, or 12.5.15

What is CVE-2025-14733?

CVE-2025-14733 is an out-of-bounds write vulnerability affecting the iked process in WatchGuard Fireware OS. The iked process handles IKE (Internet Key Exchange) negotiations for VPN connections. A remote, unauthenticated attacker can trigger the vulnerability to execute arbitrary code on the firewall.

The vulnerability affects Fireware OS versions:

• 11.10.2 through 11.12.4_Update1
• 12.0 through 12.11.5
• 2025.1 through 2025.1.3

Both mobile user VPN with IKEv2 and branch office VPN using IKEv2 with dynamic gateway peers are vulnerable. Organizations using these configurations face the highest risk.

How Are Attackers Exploiting This Flaw?

WatchGuard disclosed that threat actors are actively attempting exploitation as part of a broader campaign targeting edge networking equipment from multiple vendors. The company identified specific IP addresses associated with attack activity and shared them as indicators of compromise.

During a successful exploit, the iked process hangs, interrupting VPN tunnel negotiations and re-keying operations. Existing tunnels may continue passing traffic, but the VPN disruption serves as a strong indicator that an attack is underway.

One of the flagged attacker IP addresses—199.247.7.82—was also linked to recent exploitation of CVE-2025-59718 and CVE-2025-59719, the Fortinet FortiGate authentication bypass vulnerabilities patched earlier this month. This suggests a coordinated campaign targeting multiple firewall vendors.

How Many Devices Are Vulnerable?

The Shadowserver Foundation detected approximately 125,000 IP addresses associated with WatchGuard firewalls affected by CVE-2025-14733. The geographic breakdown shows significant exposure:

• United States: ~40,000 devices
• Remaining 85,000+ distributed globally

According to threat intelligence firm onyphe.io, no scanned devices had applied the patch as of December 19, just one day after WatchGuard released the fix. The patch adoption rate has likely improved since then, but most organizations probably remain vulnerable.

Recommended Mitigations

1. Apply the patch immediately - Update to Fireware OS 2025.1.4, 12.11.6, 12.5.15, or 12.3.1_Update4 depending on your firmware train
2. Check for compromise indicators - Monitor for outbound connections to the IP addresses WatchGuard published in its advisory
3. Watch for VPN disruptions - Unexplained iked process hangs or VPN negotiation failures may indicate exploitation attempts
4. Review network logs - Look for inbound connections from the threat actor IPs documented in the advisory
5. Consider temporary mitigation - If patching isn't immediately possible, restrict VPN access to known IP ranges

What About Older Firebox Devices?

WatchGuard stated that Fireware OS 11.x has reached end-of-life and will not receive a security patch. Organizations still running 11.x firmware face a difficult choice: upgrade to a supported version or accept the risk of running vulnerable edge infrastructure.

Given that attackers are actively exploiting this vulnerability as part of a multi-vendor campaign, continuing to run EOL firmware isn't a viable long-term strategy.

Why This Matters

Edge security devices like firewalls and VPN appliances represent some of the most valuable targets for attackers. They sit at network perimeters, handle authentication, and often have visibility into all traffic entering or leaving an organization. A compromised firewall can serve as a beachhead for deeper network access.

The coordinated campaign targeting WatchGuard, Fortinet, Cisco, and SonicWall devices over the past few weeks demonstrates that threat actors recognize this value. Organizations should expect continued attacks against edge infrastructure and prioritize keeping these devices patched.

CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities catalog on December 19, mandating that federal agencies apply patches by December 26, 2025.

Frequently Asked Questions

How do I know if my WatchGuard Firebox is vulnerable?

Check your Fireware OS version against the affected ranges. If you're running any version from 11.10.2 through 2025.1.3, you're vulnerable. The vulnerability specifically affects devices configured with mobile VPN (IKEv2) or branch office VPN using IKEv2 with dynamic gateway peers.

What should I do first?

Apply the security update immediately. If you can't patch right away, review your VPN configuration and consider temporarily restricting access to known administrator IP addresses while you prepare for the update.

Are there signs my device has already been compromised?

Look for unexplained iked process hangs causing VPN disruptions, and check your logs for connections to or from the indicator IP addresses WatchGuard published. The advisory includes specific IPs that security teams should add to their monitoring systems.