What happened
WatchGuard has released an urgent security update for a critical vulnerability in its Firebox firewall appliances. Tracked as CVE-2025-14733, the flaw is an out-of-bounds write bug in the Fireware OS IKEv2 VPN service that can allow unauthenticated remote code execution (RCE) on affected devices. Evidence indicates threat actors are already attempting exploitation in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the issue to its Known Exploited Vulnerabilities (KEV) catalog, imposing a December 26 patch deadline for federal agencies.Â
Who is affected
- WatchGuard Firebox firewalls running Fireware OS versions: 11.x up through 11.12.4_Update1, 12.x through 12.11.5, and 2025.1 through 2025.1.3.Â
- Devices with Mobile User VPN or Branch Office VPN using IKEv2, especially with dynamic gateway peers.Â
- Organizations globally that deploy these firewalls, particularly those with remote access VPNs, are at risk. WatchGuard serves a broad base of small/medium enterprises and MSPs worldwide.Â
Why CISOs should care
This vulnerability has a CVSS score of 9.3 (critical) and allows attackers to execute arbitrary code without authentication, potentially leading to full device compromise or lateral network access.
Active exploitation attempts have been observed, elevating the urgency beyond theoretical risk.
Inclusion in CISA’s KEV catalog means regulatory and compliance pressure, including mandatory deadlines for U.S. federal entities, and increases the likelihood of broader threat actor interest.Â
3 practical actions
- Patch immediately: Apply WatchGuard’s released Fireware OS updates to all vulnerable Firebox appliances after testing.
- Audit VPN configs and logs: Review IKEv2 VPN settings and inspect logs for unusual patterns or known indicators of attack tied to this exploit.
- Harden interim defenses: If patches cannot be applied instantly, consider disabling dynamic peer BOVPNs, tightening firewall policies, and isolating exposed perimeter devices until patched.