StratosAlly – Cybersecurity for digital safety

Critical WatchGuard Firewall RCE Flaw Under Active Exploitation 


StratosAlly


WatchGuard has patched a critical remote code execution vulnerability in its Firebox firewalls, tracked as CVE-2025-14733 with a CVSS score of 9.3. WatchGuard disclosed the flaw on December 18, 2025, in a security advisory urging immediate patching. The bug is an out-of-bounds write in the iked process, which handles Internet Key Exchange version 2 (IKEv2) negotiations for IPSec VPNs. A Firebox is exposed in either of two configurations: Mobile User VPN with IKEv2, or Branch Office VPN using IKEv2 with a dynamic gateway peer, because in both cases the firewall accepts IKEv2 connections from IP addresses it does not know in advance.

Exploitation requires no authentication, only the ability to reach the firewall's IKEv2 listener from the internet. Deleting the IKEv2 configurations is not enough on its own: a device can remain exposed if a Branch Office VPN to a static gateway peer is still configured, a leftover analysts have dubbed a zombie configuration. WatchGuard updated its advisory the next day to confirm attacks in the wild and published indicators: the IP addresses 45[.]95.19.50, 51[.]15.17.89, 172[.]93.107.67 and 199[.]247.7.82, along with log entries showing oversized CERT payloads or iked crashes.

Affected versions include Fireware OS 11.x from 11.10.2 through 11.12.4_Update1, 12.x from 12.0 through 12.11.5, and 2025.1 through 2025.1.3, spanning hardware from the entry-level T15 to high-end M-series appliances such as the M690, as well as cloud instances. Upgrading to a fixed release closes the hole, but on a device that shows signs of compromise the upgrade must be followed by rotating every secret the firewall held: IKEv2 keys, administrator passwords and certificates.

A successful exploit gives the attacker code execution on the firewall itself; existing VPN tunnels keep working, so an intruder can drop binaries or move into the internal network without the outage that would normally draw attention. Whether an attempt succeeds or fails, the iked service may terminate unexpectedly and produce a fault report on the Firebox. iked can crash for reasons unrelated to exploitation, however, so a crash on its own is a weak indicator and should be corroborated with the other IOCs.

The exact number of compromised devices is unknown, but the Shadowserver Foundation has identified approximately 110,000 internet-exposed WatchGuard Firebox devices, mainly in the United States and Europe. CISA added the CVE to its Known Exploited Vulnerabilities catalog shortly after disclosure, requiring federal agencies to patch by December 26, 2025.

Observed attack traffic consists of IKE_AUTH requests carrying CERT payloads of more than 2000 bytes, which trigger the overflow. Motives are unclear, though the pattern matches initial access brokers or state actors seeking persistent footholds; no public exploit is available yet. WatchGuard has not shared victim details, and the extent of any data exfiltration is unknown. Organisations should follow the official advisory and upgrade to a fixed Fireware version, then rotate secrets and credentials on any device where these IOCs are found.
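The two indicators above (the advisory's IOC addresses and IKE_AUTH messages with CERT payloads over 2000 bytes) can be checked mechanically. The script below is an added example, not WatchGuard code and not a reconstruction of the iked bug: it walks the IKEv2 payload chain with the bounds checks an out-of-bounds write is by definition missing, flags an IKE_AUTH CERT payload above the 2000-byte threshold, and matches the source address against the IOC list. The wire facts it relies on are from RFC 7296 (28-byte fixed header, 4-byte generic payload header with a 16-bit length, exchange type 35 = IKE_AUTH, payload type 37 = CERT). One caveat: in a real IKE_AUTH exchange the CERT payload sits inside the Encrypted (SK, type 46) payload, so this walker applies to the decrypted payload chain a gateway sees, not to raw packet captures. The test messages are constructed inline; the threshold and the IOC set come from the article.

```python
"""Triage IKEv2 messages for CVE-2025-14733-style indicators (added example)."""
import ipaddress
import struct

IKE_HEADER_LEN = 28     # RFC 7296 s.3.1 fixed header
PAYLOAD_HDR_LEN = 4     # generic payload header: next, flags, 16-bit length
EXCH_IKE_AUTH = 35
PT_NONE = 0
PT_IDI = 35
PT_CERT = 37
PT_AUTH = 39
PT_SK = 46

CERT_SIZE_THRESHOLD = 2000  # bytes; the observed attack pattern exceeds this

# IOC addresses from the advisory, re-fanged from the article's defanged form.
IOC_IPS = {ipaddress.ip_address(a) for a in
           ("45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82")}


def walk_payloads(msg: bytes):
    """Yield (payload_type, body) for each payload, validating every length.

    Raises ValueError on any length that would run past the buffer; a parser
    that skips these checks is the shape of bug the advisory describes.
    """
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    next_pt, version, _exch, _flags, _msg_id, total = struct.unpack(
        ">BBBBII", msg[16:28])
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    if total != len(msg):
        raise ValueError("header length does not match buffer")
    off = IKE_HEADER_LEN
    while next_pt != PT_NONE:
        if off + PAYLOAD_HDR_LEN > len(msg):
            raise ValueError(f"truncated payload header at offset {off}")
        pt = next_pt
        next_pt, _crit, plen = struct.unpack(">BBH", msg[off:off + 4])
        if plen < PAYLOAD_HDR_LEN or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        yield pt, msg[off + PAYLOAD_HDR_LEN:off + plen]
        off += plen


def triage(src_ip: str, msg: bytes) -> list:
    """Return a list of human-readable findings for one message."""
    findings = []
    if ipaddress.ip_address(src_ip) in IOC_IPS:
        findings.append(f"source {src_ip} matches advisory IOC list")
    try:
        exch = msg[18] if len(msg) >= IKE_HEADER_LEN else None
        for pt, body in walk_payloads(msg):
            if pt == PT_SK:
                # CERT lives inside SK on the wire; needs the decrypted chain.
                findings.append("encrypted payload present; inspect decrypted chain")
            if exch == EXCH_IKE_AUTH and pt == PT_CERT \
                    and len(body) > CERT_SIZE_THRESHOLD:
                findings.append(
                    f"IKE_AUTH CERT payload of {len(body)} bytes exceeds "
                    f"{CERT_SIZE_THRESHOLD}")
    except ValueError as exc:
        findings.append(f"malformed IKEv2 message: {exc}")
    return findings


def build_message(exch: int, payloads: list) -> bytes:
    """Assemble a plaintext IKEv2 message from (type, body) pairs (test input)."""
    body = b""
    for i, (pt, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        body += struct.pack(">BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else PT_NONE
    hdr = struct.pack(">8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first,
                      0x20, exch, 0x08, 1, IKE_HEADER_LEN + len(body))
    return hdr + body


# Constructed samples: a normal-sized certificate and an oversized one.
BENIGN = build_message(EXCH_IKE_AUTH, [
    (PT_IDI, b"\x01" + b"A" * 64),
    (PT_CERT, b"\x04" + b"C" * 1200),   # 0x04 = X.509 certificate encoding
    (PT_AUTH, b"\x00" * 16)])
SUSPECT = build_message(EXCH_IKE_AUTH, [
    (PT_IDI, b"\x01" + b"A" * 64),
    (PT_CERT, b"\x04" + b"C" * 2200)])  # 2201-byte CERT body

if __name__ == "__main__":
    for name, src, msg in (("benign", "203.0.113.7", BENIGN),
                           ("suspect", "45.95.19.50", SUSPECT)):
        print(name, triage(src, msg))
```

Running it prints no findings for the benign message and two for the suspect one (IOC source plus oversized CERT). Feed it decrypted payload chains from your own gateway's debug output, or adapt walk_payloads to the SK payload once you have the session keys; a raw capture will only ever show the SK payload's total length, which is a weaker but still usable heuristic.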

