Tags: actively-exploited-vulnerability, perimeter-device-exposure, widely-deployed-product-advisory, detection-content-update

WatchGuard Firebox Zero-Day Exploited for Remote Code Execution

Updated 2d ago. First seen Dec 19, 2025. 19 sources.

A critical zero-day vulnerability, identified as CVE-2025-14733, has been discovered in WatchGuard Firebox firewalls, allowing remote unauthenticated attackers to execute arbitrary code. The flaw, rated with a CVSS score of 9.3, resides in the iked process responsible for handling IKEv2 VPN connections, specifically affecting both Mobile User VPN and Branch Office VPN configurations. Attackers can exploit this out-of-bounds write vulnerability by sending specially crafted requests, potentially leading to full device compromise and firewall hijacking.

WatchGuard has confirmed active exploitation of this vulnerability in the wild, with threat actors targeting exposed devices. Indicators of compromise include suspicious IP addresses, unusually large certificate payloads in IKE_AUTH requests, long certificate chains, and unexpected crashes of the iked process. Administrators are urged to apply the latest security updates immediately and review their logs for signs of compromise. The vulnerability affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3.
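The affected-version ranges above are the first thing an administrator has to check against an inventory, and comparing Fireware version strings by hand is error-prone because of the "_UpdateN" suffix (11.12.4_Update1 sits between 11.12.4 and 11.12.5). The script below is an added example written for this page, not code from WatchGuard or Mallory; it assumes Fireware version strings are dotted numbers with an optional "_UpdateN" suffix, encodes only the three inclusive ranges quoted in the summary, and uses a constructed inventory with made-up hostnames and versions.

```python
import re
from typing import List, Tuple

# Affected Fireware OS ranges for CVE-2025-14733, inclusive at both ends,
# transcribed from the story above. Patched builds are not listed on this
# page, so anything outside these ranges is reported as "not in an affected range".
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.5"),
    ("2025.1", "2025.1.3"),
]

# Dotted numeric version, optionally followed by WatchGuard's "_UpdateN" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '12.11.5' or '11.12.4_Update1' into a tuple that sorts correctly.

    Numeric components are padded with zeros to four positions and the Update
    number is appended last, so that
        11.12.4 < 11.12.4_Update1 < 11.12.5
    and short strings such as '12.0' compare as 12.0.0.0.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * max(0, 4 - len(parts))
    update = int(match.group(2)) if match.group(2) else 0
    return tuple(parts) + (update,)


def is_affected(version: str) -> bool:
    """True if the version falls inside any published affected range."""
    v = parse_version(version)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that need patching, keeping inventory order."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "12.11.5"),          # last affected 12.x build
    ("fw-branch-02", "12.11.6"),          # above the published 12.x range
    ("fw-legacy-01", "11.12.4_Update1"),  # upper bound of the 11.x range
    ("fw-legacy-02", "11.10.1"),          # below the 11.x range
    ("fw-hq-01", "2025.1.3"),             # last affected 2025.1 build
    ("fw-hq-02", "2025.1.4"),             # above the published 2025.1 range
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Fireware {ver} is within an affected range for CVE-2025-14733")
```

The check is deliberately conservative in one direction only: a device outside the published ranges is reported as "not in an affected range", which is not the same as "patched". Confirm the fixed build numbers against WatchGuard's advisory before closing a ticket, and treat any device that was exposed while in range as a candidate for the log review and secret rotation described in the timeline.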

Event timeline: how this story unfolded

7 events from the most recent confirmed update back to the earliest known activity.
Dec 22, 2025 (6mo ago)

JPCERT/CC issues warning on actively exploited WatchGuard flaw

On December 22, 2025, JPCERT/CC published an alert warning that CVE-2025-14733 was under active exploitation and could affect widely used Firebox devices in Japan. The notice urged immediate patching, use of interim mitigations, and review of compromise indicators.

Shadowserver reports more than 115,000 exposed vulnerable Fireboxes

By December 22, 2025, reporting based on Shadowserver scans indicated that over 115,000 internet-facing WatchGuard Firebox devices remained vulnerable and unpatched. The exposed population was concentrated in countries including the United States, Germany, and Italy.

Dec 20, 2025 (6mo ago)

CISA adds CVE-2025-14733 to the KEV catalog

On December 20, 2025, CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities catalog, formally recognizing active exploitation. The agency required U.S. federal civilian agencies to remediate the flaw by December 26, 2025.

Dec 19, 2025 (6mo ago)

Cyber Centre Canada highlights WatchGuard advisory

Canada's Cyber Centre issued an alert about WatchGuard's December 18 advisory, emphasizing the severity of the Fireware OS vulnerability and the need for immediate remediation. The notice pointed users to patched versions and warned of the risk to unpatched Firebox devices.

Dec 18, 2025 (7mo ago)

WatchGuard confirms active exploitation and publishes detection guidance

At disclosure, WatchGuard said CVE-2025-14733 was being actively exploited in the wild. It released indicators of compromise, including suspicious IP addresses, along with mitigation steps, and advised customers to rotate stored secrets if compromise was suspected.

WatchGuard discloses CVE-2025-14733 and releases patches

On December 18, 2025, WatchGuard published a security advisory for CVE-2025-14733 and released fixes for supported Fireware OS versions. The company described the issue as a critical out-of-bounds write in iked and urged customers to update immediately.

Dec 15, 2025 (7mo ago)

WatchGuard identifies CVE-2025-14733 during internal investigation

WatchGuard identified the critical out-of-bounds write vulnerability CVE-2025-14733 in the Fireware OS iked process during an internal investigation. The flaw affects IKEv2-based Mobile User VPN and Branch Office VPN configurations and can allow remote unauthenticated code execution.

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story (19 linked).

Threat actors (1 linked)

Affected products (4 linked): Fireware OS, Firebox, FortiGate, SMA1000

Organizations (10 linked): WatchGuard Technologies, Arctic Wolf, CISA, Dark Reading, Shadowserver Foundation, Fortinet, The Cyber Centre, Sandworm, watchTowr, SonicWall