
WatchGuard has issued a security alert and released patches to address a critical vulnerability in its Fireware operating system that the company has confirmed has been actively exploited in real-world attacks. The vulnerability, identified as CVE-2025-14733, affects IKEv2 VPN configurations and has a CVSS score of 9.3 (Critical), allowing remote code execution by unauthenticated attackers.
Vulnerability Details (CVE-2025-14733)
The flaw is an out-of-bounds write in the iked process of Fireware OS. A remote attacker can trigger it without authentication and use it to execute arbitrary code on the device.
Configurations affected:
- Mobile user VPN with IKEv2.
- Branch Office VPN (BOVPN) with IKEv2 configured with a dynamic gateway peer.
WatchGuard warns that even if these settings were previously removed, the device could still be vulnerable if it has a branch office VPN configured to a static gateway peer.
Affected Fireware OS Versions and Available Patches
It is critical that network administrators apply updates as soon as possible to mitigate the risk of exploitation. The affected versions and corresponding fixes are:
- Fireware OS 2025.1: Patched in version 2025.1.4.
- Fireware OS 12.x: Patched in version 12.11.6.
- Fireware OS 12.5.x (Models T15 and T35): Patched in version 12.5.15.
- Fireware OS 12.3.1 (FIPS Certified Version): Patched in version 12.3.1_Update4 (B728352).
- Fireware OS 11.x (11.10.2 through 11.12.4_Update1): These versions have reached End-of-Life and will not receive patches. Updating to a supported version is highly recommended.
Active Exploitation and Indicators of Compromise (IoCs)
WatchGuard has confirmed that it has observed active attempts to exploit this vulnerability by threat actors. The company has shared Indicators of Compromise (IoCs) so device owners can check if their instances have been compromised:
- Log message: The message “Received peer certificate chain is longer than 8. Reject this certificate chain” in the Firebox logs, which indicates that the device received an IKEv2 IKE_AUTH payload containing more than 8 certificates.
- Payload size: An IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes).
- Process failure: During a successful exploit attempt, the iked process will hang, disrupting VPN connections.
- Bug report: After a failed or successful exploit attempt, the iked process will crash and generate a crash report on the Firebox.
It is worth noting that one of the IP addresses reported in the attacks (199.247.7[.]82) was also flagged by Arctic Wolf for being linked to the exploitation of recent vulnerabilities in Fortinet products (CVE-2025-59718 and CVE-2025-59719).
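As an added illustration (not code from WatchGuard or from the advisory), the following Python script applies the two log-based indicators above to a handful of constructed Firebox-style log lines. The exact wording Fireware uses to report the CERT payload size is an assumption, so that pattern is isolated in a single regular expression that can be adjusted to the real log format.

```python
import re
from typing import Dict, Iterable, List, Optional

# Exact log text WatchGuard lists as an indicator of compromise.
CHAIN_TOO_LONG_MSG = ("Received peer certificate chain is longer than 8. "
                      "Reject this certificate chain")
# Threshold from the advisory: a CERT payload above 2000 bytes in an IKE_AUTH request.
CERT_PAYLOAD_THRESHOLD = 2000

# ASSUMPTION: the Firebox wording for the CERT payload size field is not documented
# on this page, so this pattern is a guess; adjust it to the real log format.
CERT_SIZE_RE = re.compile(r"CERT payload (?:size|length)[^\d]*(\d+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample log lines (not real Firebox output); RFC 5737 test addresses.
SAMPLE_LOGS = [
    "2025-12-18 09:14:02 iked IKE_SA_INIT from 203.0.113.45: ok",
    "2025-12-18 09:14:03 iked IKE_AUTH request from 203.0.113.45 CERT payload size 3140 bytes",
    "2025-12-18 09:14:03 iked Received peer certificate chain is longer than 8. Reject this certificate chain",
    "2025-12-18 09:20:11 iked IKE_AUTH request from 198.51.100.7 CERT payload size 1210 bytes",
]


def classify_line(line: str) -> Optional[str]:
    """Return the name of the indicator a log line matches, or None if it is benign."""
    if CHAIN_TOO_LONG_MSG in line:
        return "cert_chain_longer_than_8"
    if "IKE_AUTH" in line:
        m = CERT_SIZE_RE.search(line)
        if m and int(m.group(1)) > CERT_PAYLOAD_THRESHOLD:
            return "oversized_cert_payload"
    return None


def triage(lines: Iterable[str]) -> List[Dict]:
    """Scan log lines and report each indicator hit with its line number and peer IP (if present)."""
    hits = []
    for number, line in enumerate(lines, 1):
        ioc = classify_line(line)
        if ioc:
            peer = IPV4_RE.search(line)
            hits.append({"line": number, "ioc": ioc, "peer": peer.group(1) if peer else None})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['ioc']} (peer: {hit['peer']})")
```

A hit on either indicator is a reason to check the Firebox for iked hangs or crash reports and to confirm the device is on a patched Fireware release.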
Temporary Mitigation
For devices with vulnerable branch office VPN (BOVPN) configurations that cannot update immediately, WatchGuard recommends temporary mitigation. Administrators must:
- Disable BOVPNs that use a dynamic gateway peer.
- Create an alias that includes the static IP addresses of the remote BOVPN peers.
- Add new firewall policies that allow access from the alias.
- Disable built-in default policies that manage VPN traffic.
Conclusions and References
The discovery and exploitation of CVE-2025-14733 add to a recent series of critical vulnerabilities in Fireware OS. A little over a month ago, the US Cybersecurity and Infrastructure Security Agency (CISA) added another critical WatchGuard vulnerability (CVE-2025-9242) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation.
Users are urged to apply WatchGuard patch updates as soon as possible to protect against these threats.
References
- WatchGuard security advisory for CVE-2025-14733.
- CVE-2025-14733 - Out-of-bounds write vulnerability in Fireware OS iked.
- CVE-2025-9242 - Previous Fireware OS vulnerability added to CISA’s KEV catalog.
- CVE-2025-59718 and CVE-2025-59719 - Fortinet vulnerabilities linked to the same threat actor.