SOCRadar® Cyber Intelligence Inc. | CVE-2025-14733: WatchGuard Firebox RCE Vulnerability
Dec 23, 2025
Moon

CVE-2025-14733: WatchGuard Firebox RCE Vulnerability

WatchGuard has disclosed a critical Remote Code Execution (RCE) vulnerability, CVE-2025-14733, affecting Firebox appliances running specific Fireware OS versions. The key detail: exploitation is tied to the IKEv2 VPN service and can be performed remotely and without authentication, which is why it’s showing up in active attack activity and why multiple security organizations are urging fast remediation.

In this blog, we will answer what this WatchGuard Firebox RCE flaw is, who is affected, how exploitation conditions work, what impact to expect, what actions reduce risk fastest, and which IoCs to use for threat hunting.

What Is CVE-2025-14733?

CVE-2025-14733 (CVSS 9.3) is an out-of-bounds write vulnerability in the iked process within WatchGuard Fireware OS. The iked daemon is responsible for handling Internet Key Exchange (IKE) negotiations used to establish IKEv2 VPN tunnels. Due to improper memory handling, a remote and unauthenticated attacker can potentially execute arbitrary code on a vulnerable device.

Details of CVE-2025-14733 (SOCRadar Labs, CVE Radar)

WatchGuard has confirmed that threat actors are actively attempting to exploit this flaw in the wild. The vulnerability carries a critical severity rating, reflecting the combination of remote reachability, lack of authentication, and high potential impact on confidentiality, integrity, and availability.

Which Firebox Models and Fireware OS Versions Are Affected by CVE-2025-14733?

WatchGuard’s advisory lists the affected ranges as:

  • Fireware OS 11.10.2 through 11.12.4_Update1
  • Fireware OS 12.0 through 12.11.5
  • Fireware OS 2025.1 through 2025.1.3

The fixes are delivered in specific versions:

  • 2025.1.4
  • 12.11.6
  • 12.5.15 (for the T15/T35 model line)
  • 12.3.1_Update4 (B728352) for the FIPS-certified release line

Important Note: 11.x is end-of-life, and WatchGuard’s guidance indicates there is no forward patch for EoL trains. Therefore, organizations on 11.x should treat this as both a security incident risk and an upgrade/refresh priority.

CVE-2025-14733 added to the CISA Known Exploited Vulnerabilities (KEV) Catalog

CISA has added CVE-2025-14733 to the Known Exploited Vulnerabilities (KEV) Catalog, confirming that the vulnerability is being actively exploited and is considered a priority risk for defensive remediation. Under Binding Operational Directive (BOD) 22-01, agencies are instructed to apply mitigations or patches by December 26, 2025.

For organizations operating WatchGuard Firebox appliances, KEV listing reinforces that CVE-2025-14733 should be treated as an urgent patching and monitoring priority rather than a routine update.

CISA KEV listing for CVE-2025-14733 affecting WatchGuard Firebox

When Does Exploitation Become Possible?

This vulnerability is tied to IKEv2 VPN handling. WatchGuard notes it affects:

  • Mobile User VPN with IKEv2, and
  • Branch Office VPN (BOVPN) using IKEv2 when configured with a dynamic gateway peer

Importantly, WatchGuard notes that even devices where vulnerable VPN configurations were previously enabled and later removed may still remain exploitable depending on the remaining VPN setup. This means organizations cannot rely solely on configuration cleanup as a mitigation. If IKEv2 has been used in certain ways in the past, patching remains the only reliable way to eliminate exposure.

What Is the Impact Upon Exploitation of CVE-2025-14733?

A successful exploit may allow an attacker to run arbitrary code on the firewall appliance. Because Firebox devices operate at the network perimeter, this level of access can have serious implications. An attacker could potentially:

  • manipulate traffic,
  • interfere with VPN connectivity,
  • or leverage the device as a foothold for further network access.

WatchGuard advises that organizations which detect evidence of exploitation should assume that locally stored secrets may be exposed. As a result, rotating VPN pre-shared keys, certificates, and other sensitive credentials stored on the device is strongly recommended after patching.

What Do External Scans Show About the Affected Scope?

Monitoring data shared by Shadowserver indicates that more than 115,000 WatchGuard Firebox devices were observed as internet-facing and potentially vulnerable to CVE-2025-14733. Even several days after patches were made available, a significant number of Firebox instances remain reachable online.

Number of WatchGuard Firebox instances exposed to CVE-2025-14733 (Shadowserver)

Internet-exposed VPN services on perimeter devices remain a high-value target for opportunistic scanning and exploitation, particularly during the gap between public disclosure and widespread patch adoption.

What Immediate Actions Should Organizations Using WatchGuard Firebox Take?

The highest priority action is to upgrade all affected Firebox appliances to a fixed Fireware OS version.

Where immediate patching is not possible, organizations should temporarily reduce exposure by limiting IKEv2 access, reviewing VPN configurations, and following WatchGuard’s published guidance for static peer BOVPN setups.

Security teams should also inventory their environments to identify any devices still running Fireware OS 11.x and plan upgrades or replacements.

To support effective vulnerability management in environments facing active exploitation, solutions like SOCRadar XTI help organizations streamline vulnerability tracking and patch prioritization by correlating real-world exploitation data with asset context.

SOCRadar’s Vulnerability Intelligence

By combining Cyber Threat Intelligence (CTI) and Attack Surface Management (ASM) capabilities, teams can more quickly identify exposed perimeter devices, understand which vulnerabilities are being actively targeted, and prioritize remediation efforts accordingly.

How Can Defenders Detect Exploitation Attempts or Compromise?

WatchGuard has published several indicators that can help identify potential attacks. From a behavioral standpoint, a hanging iked process that disrupts VPN negotiations is considered a strong signal of exploitation. Crashes of the iked process accompanied by fault reports may also be relevant, although they are weaker indicators on their own.

Log analysis is equally important. Indicators include messages about invalid or excessively long peer certificate chains, as well as IKE_AUTH requests containing abnormally large certificate payloads. These patterns are uncommon during normal operations and should be investigated promptly.

Indicators of Compromise (IoCs) Related to WatchGuard Firebox RCE Vulnerability

The following IoCs have been shared by WatchGuard to assist with threat hunting and incident response. Outbound connections from a Firebox to these IP addresses are considered strong indicators of compromise, while inbound connections may indicate reconnaissance or exploitation attempts.

Suspicious IP addresses:

  • 45.95.19.50
  • 51.15.17.89
  • 172.93.107.67
  • 199.247.7.82

Log-based indicators:

  • Errors indicating that a received peer certificate chain exceeds expected length
  • IKE_AUTH requests with unusually large CERT payload sizes

Device behavior indicators:

  • iked process hangs that interrupt VPN negotiations or re-keying
  • iked process crashes followed by fault report generation
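The following is an added example (not WatchGuard's or SOCRadar's code) that turns the detection guidance and IoC list above into a small hunting routine run over constructed Firebox-style log lines. The four IP addresses are the ones published in the advisory; the message patterns, the 8192-byte CERT payload threshold and the log line layout are assumptions, since the advisory describes the indicators but not the exact log text.

```python
import re
from typing import List, Optional, Tuple

# IP indicators published in the WatchGuard advisory (quoted on the page).
IOC_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}

# ASSUMED approximations of the advisory's log-based and behavioral indicators;
# adjust the patterns to the exact wording your Fireware version emits.
CERT_CHAIN_RE = re.compile(r"peer certificate chain (exceeds|too long|invalid)", re.I)
IKE_AUTH_RE = re.compile(r"IKE_AUTH.*CERT payload.*?(\d+)\s*bytes", re.I)
IKED_HANG_RE = re.compile(r"iked.*(hang|hung|stalled|not responding)", re.I)
IKED_CRASH_RE = re.compile(r"iked.*(crash|fault report)", re.I)
CERT_PAYLOAD_LIMIT = 8192  # assumed threshold; a normal chain is far smaller

# Constructed connection-record layout: "<ts> iked <inbound|outbound> <src> -> <dst> ..."
TRAFFIC_RE = re.compile(r"(?P<dir>inbound|outbound)\s+(?P<src>\S+) -> (?P<dst>\S+)")

def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious line, or None if it is benign."""
    m = TRAFFIC_RE.search(line)
    if m:
        # Outbound traffic to an IoC is a strong sign of compromise; inbound
        # traffic from one indicates reconnaissance or an exploitation attempt.
        if m["dir"] == "outbound" and m["dst"] in IOC_IPS:
            return ("strong", f"outbound connection to IoC {m['dst']}")
        if m["dir"] == "inbound" and m["src"] in IOC_IPS:
            return ("weak", f"inbound connection from IoC {m['src']}")
    if CERT_CHAIN_RE.search(line):
        return ("medium", "peer certificate chain length error")
    m = IKE_AUTH_RE.search(line)
    if m and int(m.group(1)) > CERT_PAYLOAD_LIMIT:
        return ("medium", f"IKE_AUTH CERT payload of {m.group(1)} bytes")
    if IKED_HANG_RE.search(line):
        return ("strong", "iked hang interrupting VPN negotiation")
    if IKED_CRASH_RE.search(line):
        return ("weak", "iked crash / fault report")
    return None

def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines; return (severity, reason, line) for every hit, in order."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((result[0], result[1], line.strip()))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real Firebox output
    "2025-12-20T10:01:02 iked inbound 51.15.17.89 -> 203.0.113.10 IKE_SA_INIT",
    "2025-12-20T10:01:03 iked IKE_AUTH from 51.15.17.89: CERT payload 65000 bytes",
    "2025-12-20T10:01:03 iked error: peer certificate chain exceeds maximum length",
    "2025-12-20T10:01:09 iked outbound 203.0.113.10 -> 45.95.19.50 TCP/443",
    "2025-12-20T10:02:00 iked inbound 198.51.100.7 -> 203.0.113.10 IKE_AUTH CERT payload 1200 bytes",
    "2025-12-20T10:03:00 sshd session opened for user admin",
]

if __name__ == "__main__":
    for severity, reason, line in hunt(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {line}")
```

A single "strong" hit on a device should trigger the advisory's post-exploitation steps (patch, then rotate pre-shared keys, certificates and other stored credentials), not just a ticket.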