Critical RCE Flaw Impacts Over 115,000 Watchguard Firewalls 2025

Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks.

The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.

Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction.

As WatchGuard explained in a Thursday advisory, when it released CVE-2025-14733 security updates and tagged it as exploited in the wild, unpatched Firebox firewalls are only vulnerable to attacks if configured for IKEv2 VPN. It also warned that even if vulnerable configurations are removed, the firewall may still be at risk if a Branch Office VPN (BOVPN) to a static gateway peer is still configured.

"WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process," an NVD advisory explains. "This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer."

WatchGuard has shared indicators of compromise to help customers identify compromised Firebox appliances on their network, advising those who find signs of malicious activity to rotate all locally stored secrets on vulnerable firewalls. It also provided a temporary workaround for network defenders who can't immediately patch vulnerable devices, requiring them to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic.

On Saturday, the Internet security watchdog group Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed on Sunday.

​One day after WatchGuard released patches, CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog.

The U.S. cybersecurity agency also ordered Federal Civilian Executive Branch (FCEB) agencies (executive branch non-military agencies, such as the Department of Energy, the Department of the Treasury, and the Department of Homeland Security) to patch Firebox firewalls within a week, by December 26th, as mandated by the Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a

Source: BleepingComputer