WatchGuard Firebox Zero-Day Exploited for Remote Code Execution
A critical zero-day vulnerability, identified as CVE-2025-14733, has been discovered in WatchGuard Firebox firewalls, allowing remote unauthenticated attackers to execute arbitrary code. The flaw, rated with a CVSS score of 9.3, resides in the iked process responsible for handling IKEv2 VPN connections, specifically affecting both Mobile User VPN and Branch Office VPN configurations. Attackers can exploit this out-of-bounds write vulnerability by sending specially crafted requests, potentially leading to full device compromise and firewall hijacking.
WatchGuard has confirmed active exploitation of this vulnerability in the wild, with threat actors targeting exposed devices. Indicators of compromise include suspicious IP addresses, unusually large certificate payloads in IKE_AUTH requests, long certificate chains, and unexpected crashes of the iked process. Administrators are urged to apply the latest security updates immediately and review their logs for signs of compromise. The vulnerability affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3.
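To triage a firewall inventory against the affected Fireware OS ranges quoted above, here is an added Python example (not code from WatchGuard or from any of the story's sources). It assumes that an `_UpdateN` suffix sorts after its base release and that the ranges are inclusive at both ends; the sample inventory is constructed.

```python
import re

# Affected Fireware OS ranges for CVE-2025-14733, exactly as listed in the advisory summary above.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.5"),
    ("2025.1", "2025.1.3"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?")


def parse_version(version):
    """Turn '12.11.5' or '11.12.4_Update1' into a comparable tuple.

    Numeric components are zero-padded to four places so that '12.0' equals '12.0.0.0';
    the trailing element is the _UpdateN number (0 when absent), so an update build sorts
    after its base release. This ordering is an assumption, not documented WatchGuard semantics.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    if len(nums) > 4:
        raise ValueError(f"too many version components: {version!r}")
    nums += (0,) * (4 - len(nums))
    update = int(m.group(2)) if m.group(2) else 0
    return nums + (update,)


def is_affected(version):
    """True when the version lies inside one of the affected ranges (inclusive)."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage_inventory(inventory):
    """Given {hostname: fireware_version}, return the hosts still on an affected build."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "fw-hq": "12.11.5",
        "fw-branch1": "12.11.6",
        "fw-lab": "11.12.4_Update1",
        "fw-new": "2025.1.4",
    }
    print(triage_inventory(sample))  # → ['fw-hq', 'fw-lab']
```

A version outside every listed range is simply not flagged; confirm the fixed build for each branch against WatchGuard's advisory rather than treating "not flagged" as "patched".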

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
JPCERT/CC issues warning on actively exploited WatchGuard flaw
On December 22, 2025, JPCERT/CC published an alert warning that CVE-2025-14733 was under active exploitation and could affect widely used Firebox devices in Japan. The notice urged immediate patching, use of interim mitigations, and review of compromise indicators.
Shadowserver reports more than 115,000 exposed vulnerable Fireboxes
By December 22, 2025, reporting based on Shadowserver scans indicated that over 115,000 internet-facing WatchGuard Firebox devices remained vulnerable and unpatched. The exposed population was concentrated in countries including the United States, Germany, and Italy.
CISA adds CVE-2025-14733 to the KEV catalog
On December 20, 2025, CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities catalog, formally recognizing active exploitation. The agency required U.S. federal civilian agencies to remediate the flaw by December 26, 2025.
Cyber Centre Canada highlights WatchGuard advisory
Canada's Cyber Centre issued an alert regarding WatchGuard's December 18 advisory, emphasizing the severity of the Fireware OS vulnerability and the need for immediate remediation. The notice pointed users to patched versions and warned of the risk to unpatched Firebox devices.
WatchGuard confirms active exploitation and publishes detection guidance
At disclosure, WatchGuard said CVE-2025-14733 was being actively exploited in the wild. It released indicators of compromise, including suspicious IP addresses, along with mitigation steps, and advised customers to rotate stored secrets if compromise was suspected.
WatchGuard discloses CVE-2025-14733 and releases patches
On December 18, 2025, WatchGuard published a security advisory for CVE-2025-14733 and released fixes for supported Fireware OS versions. The company described the issue as a critical out-of-bounds write in iked and urged customers to update immediately.
WatchGuard identifies CVE-2025-14733 during internal investigation
WatchGuard identified the critical out-of-bounds write vulnerability CVE-2025-14733 in the Fireware OS iked process during an internal investigation. The flaw affects IKEv2-based Mobile User VPN and Branch Office VPN configurations and can allow remote unauthenticated code execution.
Sources
- A Vulnerability in WatchGuard Fireware OS Could Allow for Arbitrary Code Execution (cisecurity.org)
- CVE-2025-14733: WatchGuard Firebox RCE Vulnerability (socradar.io)
- 125,000 IPs WatchGuard Firebox Devices Exposed to Internet Vulnerable to 0-day RCE Attacks (cybersecuritynews.com)
- WatchGuard Fixes Firewall Zero-Day Being Actively Exploited (bankinfosecurity.com)
- WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability (thehackernews.com)
- WatchGuard security advisory (AV25-850) (cyber.gc.ca)
- WatchGuard fixes ‘critical’ zero-day allowing firewall takeover (csoonline.com)
- New critical WatchGuard Firebox firewall flaw exploited in attacks (bleepingcomputer.com)