WatchGuard has issued critical security fixes for its Fireware OS following the exploitation of a severe vulnerability, tracked as CVE-2025-14733. This out-of-bounds write flaw, affecting the iked process, poses a significant network security risk by allowing remote, unauthenticated attackers to execute arbitrary code. The company confirmed active exploitation in real-world attacks, emphasizing the urgency for users to apply patches.
The vulnerability impacts specific configurations of both mobile user VPN with IKEv2 and branch office VPN using IKEv2 with a dynamic gateway peer. Even if these configurations have been deleted, a Firebox might remain vulnerable if a branch office VPN to a static gateway peer is still in place. The severity of the flaw is underscored by its CVSS score of 9.3, classifying it as critical.
WatchGuard Addresses Critical Fireware OS Vulnerability
WatchGuard has released patches to address CVE-2025-14733, a critical security flaw discovered in its Fireware OS. This vulnerability, described as an out-of-bounds write in the iked process, carries a CVSS score of 9.3 and has reportedly been actively exploited by threat actors. The successful exploitation of this flaw could grant attackers the ability to execute arbitrary code on affected devices, posing a serious network security threat.
The company’s advisory details that the vulnerability specifically affects the IKEv2 protocol when used for mobile user VPNs and branch office VPNs configured with a dynamic gateway peer. Importantly, WatchGuard noted that even if such configurations were previously present and subsequently removed, the vulnerability could persist if a branch office VPN to a static gateway peer remains active. This nuance highlights the importance of thoroughly reviewing all VPN configurations.
Affected Fireware OS Versions and Patching Information
WatchGuard has identified several versions of its Fireware OS that are affected by CVE-2025-14733. These include:
- 2025.1, with fixes available in version 2025.1.4.
- 12.x, with fixes available in version 12.11.6.
- 12.5.x (specifically for T15 & T35 models), with fixes available in version 12.5.15.
- The FIPS-certified release 12.3.1 has a fix in update 12.3.1_Update4 (B728352).
Additionally, WatchGuard has declared versions 11.x (from 11.10.2 up to and including 11.12.4_Update1) as End-of-Life, meaning no further patches will be provided for these older systems.
Active Exploitation and Indicators of Compromise
Significantly, WatchGuard has confirmed observing active attempts by threat actors to exploit this vulnerability in the wild. The attacks have been traced to specific IP addresses, including 199.247.7[.]82. This same IP address was recently linked by Arctic Wolf to the exploitation of two critical vulnerabilities in Fortinet products, suggesting potential overlap in threat actor activity or shared infrastructure.
To help administrators detect potential compromises, WatchGuard has provided several indicators of compromise (IoCs). These include specific log messages such as “Received peer certificate chain is longer than 8. Reject this certificate chain” when the Firebox encounters an IKEv2 Auth payload with an excessive number of certificates. Other indicators involve abnormally large CERT payload sizes in IKE_AUTH requests, the iked process hanging and interrupting VPN connections, and the iked process crashing and generating a fault report after a failed or successful exploit.
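As an added illustration, not part of WatchGuard's advisory or of this article, the Python script below shows how the published indicators can be turned into a log triage check. Only the quoted rejection message and the reported source IP come from the page; the Firebox log layout, the wording of the crash and CERT-size lines, the 16 KB size threshold and the sample log itself are constructed assumptions and would need to be tuned against real iked output.

```python
import re

# Indicator log message quoted in the WatchGuard advisory, as reported above.
CHAIN_TOO_LONG = ("Received peer certificate chain is longer than 8. "
                  "Reject this certificate chain")

# Source IP the article reports as observed in exploitation attempts.
KNOWN_BAD_IPS = {"199.247.7.82"}

# Hypothetical wordings for the other indicators: the advisory describes the
# behaviour (oversized CERT payloads in IKE_AUTH, iked hang/crash with a fault
# report) but does not quote exact log text, so these regexes are assumptions.
CERT_SIZE_RE = re.compile(r"IKE_AUTH.*CERT payload (?:length|size) (\d+)", re.I)
IKED_CRASH_RE = re.compile(
    r"\biked\b.*\b(crash(?:ed)?|fault report|not responding|hang|hung)\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed threshold: a single X.509 certificate is normally a few KB, so a
# CERT payload in the tens of KB is treated as abnormal.
CERT_SIZE_THRESHOLD = 16384

# Constructed sample log lines (RFC 5737 documentation addresses, plus the
# IP reported in the article); the format is an assumption, not real output.
SAMPLE_LOG = """\
2025-12-18 09:14:02 iked Received peer certificate chain is longer than 8. Reject this certificate chain (peer 203.0.113.45)
2025-12-18 09:14:03 iked IKE_AUTH from 203.0.113.45: CERT payload length 61440
2025-12-18 09:14:09 iked process crash, fault report generated
2025-12-18 09:15:00 firewall Allow 10.0.0.5 -> 198.51.100.7 tcp/443
2025-12-18 09:16:11 iked IKE_AUTH from 198.51.100.9: CERT payload length 1450
2025-12-18 09:17:30 iked IKE_SA_INIT from 199.247.7.82
"""


def scan_iked_log(lines, cert_threshold=CERT_SIZE_THRESHOLD):
    """Classify each log line against the CVE-2025-14733 indicators.

    Returns a dict with one list per indicator; each entry is
    (line_number, first_ipv4_in_line_or_None).
    """
    hits = {"cert_chain_too_long": [], "oversized_cert_payload": [],
            "iked_crash": [], "known_bad_ip": []}
    for lineno, line in enumerate(lines, start=1):
        ip_match = IPV4_RE.search(line)
        ip = ip_match.group(0) if ip_match else None
        if ip in KNOWN_BAD_IPS:
            hits["known_bad_ip"].append((lineno, ip))
        if CHAIN_TOO_LONG in line:
            hits["cert_chain_too_long"].append((lineno, ip))
        size = CERT_SIZE_RE.search(line)
        if size and int(size.group(1)) > cert_threshold:
            hits["oversized_cert_payload"].append((lineno, ip))
        if IKED_CRASH_RE.search(line):
            hits["iked_crash"].append((lineno, ip))
    return hits


def suspicious_peers(hits):
    """Map each peer IP that triggered an indicator to the set of indicators."""
    peers = {}
    for name, entries in hits.items():
        for _, ip in entries:
            if ip:
                peers.setdefault(ip, set()).add(name)
    return peers


if __name__ == "__main__":
    result = scan_iked_log(SAMPLE_LOG.splitlines())
    for name, entries in result.items():
        print(f"{name}: {entries}")
    print("peers to review:", suspicious_peers(result))
```

A crash line usually carries no peer address, so the scan keeps those hits separately rather than dropping them; correlating them by time with the preceding IKE_AUTH lines is what ties a fault report to a peer.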
Broader Context and Mitigation Strategies
This disclosure follows closely on the heels of another critical WatchGuard Fireware OS vulnerability (CVE-2025-9242) that was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog just over a month ago, due to reports of active exploitation. It remains unclear if these two sets of attacks are related. Users are strongly advised to implement the available updates promptly to safeguard their networks.
For devices with vulnerable Branch Office VPN (BOVPN) configurations, WatchGuard has offered temporary mitigation measures. Administrators are urged to disable dynamic peer BOVPNs, create an alias encompassing the static IP addresses of remote BOVPN peers, establish new firewall policies allowing access from this alias, and disable the default built-in policies designed for VPN traffic management. These steps can help reduce the attack surface while permanent fixes are applied.
The situation underscores the continuous threat landscape that organizations face and the critical importance of timely security patching. Users should monitor WatchGuard’s advisories for any further updates or related threat intelligence. The next expected steps involve the widespread deployment of patches and continued monitoring for any residual or new exploitation attempts targeting Fireware OS.