WatchGuard has issued a critical patch for its Firebox firewall appliances after discovering a severe vulnerability that allows complete takeover of the device. The flaw, tracked as CVE-2025-14733, carries a CVSS score of 9.3 and is classified as an out-of-bounds write in the iked process, the daemon that handles the IKEv2 key exchange for IPsec VPNs.
The company warns that the vulnerability is being actively exploited in the wild and that it allows an unauthenticated remote attacker to execute arbitrary code on an affected appliance. WatchGuard's advisory states that exploitation may have occurred before the patch was released on December 18, which makes this a zero-day; administrators should therefore not only patch but also check their Fireboxes for signs of prior exploitation or compromise.
The advisory lists four IP addresses observed in exploitation attempts. Outbound connections from a Firebox to any of these addresses should be treated as an indicator of compromise, while inbound connections from them indicate reconnaissance or exploitation attempts. The advisory also points administrators to log evidence: unusual IKE_AUTH request entries in the appliance logs may indicate that an attack was attempted.
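The check described above (outbound to an indicator address means compromise, inbound from one means reconnaissance, plus a look at IKE_AUTH log entries) can be scripted over an exported log. The following is an added example, not code from WatchGuard or from the advisory: the log line format is constructed for illustration, the indicator addresses are placeholders from RFC 5737 documentation ranges rather than the four addresses in the advisory, and the "IKE_AUTH burst" heuristic (several IKE_AUTH requests from one peer) is an assumed stand-in for whatever "abnormal" means in your environment.

```python
"""Direction-aware IOC triage over VPN firewall log lines.

Added example; not WatchGuard's code. The log format, the indicator
addresses and the IKE_AUTH burst heuristic are constructed for
illustration. Replace IOC_IPS with the advisory's addresses and
parse_line() with a parser for your real log export.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Placeholder indicator IPs (documentation ranges): NOT the advisory's addresses.
IOC_IPS = frozenset(ipaddress.ip_address(a) for a in (
    "203.0.113.10", "203.0.113.11", "198.51.100.7", "198.51.100.8",
))

# Constructed line shape:
#   "<ts> <inbound|outbound> src=<ip> dst=<ip> [proto=<p>] [msg=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>inbound|outbound)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"(?:\s+proto=(?P<proto>\S+))?(?:\s+msg=(?P<msg>.*))?$"
)


@dataclass
class Finding:
    severity: str   # "compromise" | "recon" | "ike_auth_burst"
    peer: str       # remote address involved
    reason: str


@dataclass
class Report:
    findings: list = field(default_factory=list)
    ike_auth_by_src: Counter = field(default_factory=Counter)

    def by_severity(self, sev):
        return [f for f in self.findings if f.severity == sev]

    def verdict(self):
        if self.by_severity("compromise"):
            return "compromised"       # outbound to an IOC: treat as compromise
        if self.findings:
            return "investigate"       # inbound from an IOC, or an IKE_AUTH burst
        return "no_ioc_match"


def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def triage(lines, iocs=IOC_IPS, burst_threshold=5):
    """Classify each line by direction against the IOC set and count IKE_AUTH per peer."""
    rep = Report()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "outbound" and rec["dst"] in iocs:
            rep.findings.append(Finding("compromise", str(rec["dst"]),
                                        f"outbound connection to IOC at {rec['ts']}"))
        elif rec["dir"] == "inbound" and rec["src"] in iocs:
            rep.findings.append(Finding("recon", str(rec["src"]),
                                        f"inbound connection from IOC at {rec['ts']}"))
        if rec["dir"] == "inbound" and rec["msg"] and "IKE_AUTH" in rec["msg"]:
            rep.ike_auth_by_src[rec["src"]] += 1
    # Assumed heuristic: many IKE_AUTH requests from one peer is worth a manual look.
    for src, n in rep.ike_auth_by_src.items():
        if n >= burst_threshold:
            rep.findings.append(Finding("ike_auth_burst", str(src),
                                        f"{n} IKE_AUTH requests from one peer; review iked logs"))
    return rep


# Constructed sample: one IOC probes IKE, then the Firebox calls out to a second IOC.
SAMPLE_LOG = """\
2025-12-17T02:14:03Z inbound src=203.0.113.10 dst=192.0.2.1 proto=udp/500 msg=IKE_SA_INIT received
2025-12-17T02:14:04Z inbound src=203.0.113.10 dst=192.0.2.1 proto=udp/4500 msg=IKE_AUTH request, malformed payload
2025-12-17T02:14:05Z inbound src=203.0.113.10 dst=192.0.2.1 proto=udp/4500 msg=IKE_AUTH request, malformed payload
2025-12-17T02:14:06Z inbound src=203.0.113.10 dst=192.0.2.1 proto=udp/4500 msg=IKE_AUTH request, malformed payload
2025-12-17T02:14:07Z inbound src=203.0.113.10 dst=192.0.2.1 proto=udp/4500 msg=IKE_AUTH request, malformed payload
2025-12-17T02:14:08Z inbound src=203.0.113.10 dst=192.0.2.1 proto=udp/4500 msg=IKE_AUTH request, malformed payload
2025-12-17T02:15:30Z outbound src=192.0.2.1 dst=198.51.100.7 proto=tcp/443 msg=connection opened
2025-12-17T03:00:00Z inbound src=192.0.2.50 dst=192.0.2.1 proto=udp/4500 msg=IKE_AUTH request
this line is not a log record
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("verdict:", report.verdict())
    for f in report.findings:
        print(f"[{f.severity}] {f.peer}: {f.reason}")
```

The direction split matters: an inbound hit from an indicator address only tells you the appliance was probed, whereas an outbound connection to one means the Firebox itself initiated contact, which a firewall has no legitimate reason to do. A single legitimate IKE_AUTH from an unknown peer (the last record) is deliberately not flagged; the burst threshold is a parameter so you can tune it against your own baseline.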
The affected versions include Fireware OS 2025.1 up to and including 2025.1.3, along with older release branches. WatchGuard has released fixed versions for supported branches, but end-of-life versions such as 11.x will not receive a fix and must be replaced or upgraded.
Importantly, the company cautions that an appliance can still be exposed through an IKEv2 VPN configuration that was set up in the past and has since been removed, so an unused VPN feature is not a reason to skip the patch. Patching also does not undo an existing compromise: administrators who find signs of threat actor activity should rotate all secrets stored locally on the appliance.
WatchGuard has been here before: a similar vulnerability was patched in September, and weeks after its disclosure many Firebox appliances were still found unpatched, a worrying sign of how slowly some organizations remediate edge devices.
In short, attackers continue to target vulnerabilities in firewalls and VPN gateways because these devices sit at the network edge and hold credentials for the rest of the network. Organizations running WatchGuard appliances should apply the patches promptly, check for the indicators the advisory provides, and review their VPN configurations.
For further information, you may refer to: