WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Flaw

WatchGuard has released security updates to fix a critical vulnerability in Fireware OS that is actively exploited in real-world attacks.

The issue, tracked as CVE-2025-14733 with a CVSS score of 9.3, allows a remote unauthenticated attacker to execute arbitrary code on vulnerable devices.

What Is the Impact?

The vulnerability lies in the iked process and affects:

  • Mobile User VPN using IKEv2
  • Branch Office VPN (BOVPN) using IKEv2 with dynamic gateways

Even if old VPN configurations were removed, devices may remain vulnerable if a static gateway BOVPN is still configured.

Affected Fireware OS Versions

The following versions are impacted:

  • Fireware OS 2025.1 → fixed in 2025.1.4
  • Fireware OS 12.x → fixed in 12.11.6
  • Fireware OS 12.5.x (T15 & T35) → fixed in 12.5.15
  • Fireware OS 12.3.1 (FIPS) → fixed in Update4
  • Fireware OS 11.x → End-of-Life

Signs of Compromise

WatchGuard shared indicators that may suggest exploitation:

  • IKEv2 log entries showing certificate chains longer than 8 certificates
  • Abnormally large CERT payloads (over 2000 bytes)
  • VPN connections suddenly dropping
  • The iked process crashing or hanging
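The two quantitative indicators above (chain length over 8, CERT payload over 2000 bytes) plus an iked crash are easy to turn into a log check. The script below is an added example, not WatchGuard's or the article's own code; the log line format and the sample entries are constructed for illustration, since the real iked log format is not shown here, so adapt the regular expression to your export.

```python
import re

# Constructed sample log lines in a hypothetical format (the real Fireware
# iked log layout is not given on the page). Each IKEv2 line carries the
# peer address, the number of certificates in the presented chain and the
# size of the CERT payload in bytes; the last line mimics a process crash.
SAMPLE_LOGS = """\
2025-12-18T10:01:02Z iked ike2 peer=203.0.113.10 cert_chain_len=2 cert_payload_bytes=1180 event=auth_ok
2025-12-18T10:01:05Z iked ike2 peer=203.0.113.11 cert_chain_len=12 cert_payload_bytes=9400 event=auth_fail
2025-12-18T10:01:09Z iked ike2 peer=203.0.113.12 cert_chain_len=3 cert_payload_bytes=2600 event=auth_ok
2025-12-18T10:01:12Z iked process exited unexpectedly
"""

# Thresholds taken from the advisory's indicators of compromise.
MAX_CHAIN_LEN = 8
MAX_CERT_PAYLOAD = 2000

LINE_RE = re.compile(
    r"peer=(?P<peer>\S+)\s+cert_chain_len=(?P<chain>\d+)\s+cert_payload_bytes=(?P<bytes>\d+)"
)


def scan_ikev2_logs(text: str) -> list:
    """Return (peer, reasons) for every log line matching an indicator."""
    findings = []
    for line in text.splitlines():
        # Crash/exit of the iked process is itself an indicator.
        if "iked" in line and ("exited" in line or "crash" in line):
            findings.append(("-", ["iked process crash/exit"]))
            continue
        m = LINE_RE.search(line)
        if not m:
            continue
        reasons = []
        if int(m["chain"]) > MAX_CHAIN_LEN:
            reasons.append(f"certificate chain length {m['chain']} > {MAX_CHAIN_LEN}")
        if int(m["bytes"]) > MAX_CERT_PAYLOAD:
            reasons.append(f"CERT payload {m['bytes']} bytes > {MAX_CERT_PAYLOAD}")
        if reasons:
            findings.append((m["peer"], reasons))
    return findings


if __name__ == "__main__":
    for peer, reasons in scan_ikev2_logs(SAMPLE_LOGS):
        print(peer, "; ".join(reasons))
```

A hit on the chain-length or payload-size rule is a trigger for the mitigation steps below and for reviewing the device, not proof of compromise on its own.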

Temporary Mitigation Steps

If immediate patching is not possible, administrators should:

  • Disable dynamic peer BOVPNs
  • Use static IP addresses for VPN peers
  • Create firewall aliases for allowed VPN IPs
  • Disable default VPN firewall policies

Update Is Strongly Recommended

CISA has added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) catalog.
Affected organizations are required to apply patches by December 26, 2025.

WatchGuard reports that over 117,000 devices remain exposed online.

Bottom line:
If you use WatchGuard Firebox, update Fireware OS immediately to stay protected.

Source: https://thehackernews.com/2025/12/watchguard-warns-of-active-exploitation.html