CVE-2025-14733 – Critical WatchGuard Fireware OS IKEv2 Vulnerability

An out-of-bounds write flaw exists in the WatchGuard Fireware OS iked (IKE daemon) process, affecting Firebox firewall appliances. This memory corruption issue allows a remote, unauthenticated attacker to send specially crafted IKEv2 packets to the device and potentially execute arbitrary code without requiring credentials or user interaction, creating a critical Remote Code Execution (RCE) risk. The vulnerability impacts both Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 when configured with a dynamic gateway peer, and remains exploitable even on some systems where those configurations were previously removed due to residual settings.

CVE-2025-14733 affects WatchGuard Firebox appliances running Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3. The flaw has been assigned a CVSS v4.0 base score of 9.3 (Critical), emphasizing the severity of the risk and the need for immediate attention from network operators.

Security researchers and national cybersecurity authorities have confirmed that threat actors are actively scanning and attempting exploits against internet-facing Firebox devices, with monitoring data showing hundreds of thousands of potentially vulnerable appliances still exposed online since the disclosure.

Because Firebox firewalls often operate at the perimeter of enterprise networks and provide remote access via VPNs, a successful compromise can have serious consequences — including unauthorized access to internal network resources, disruption of VPN connectivity, manipulation of firewall policies, or persistent footholds for further intrusion.

WatchGuard has published Security Advisory WGSA-2025-00027 with details on the vulnerability and resolutions, and has made patched Fireware OS versions available (e.g., 2025.1.4, 12.11.6, 12.5.15, and 12.3.1_Update4) to address the issue. Network administrators are strongly urged to apply these updates immediately.

Given the risk of exposure and active exploitation, organizations should also review VPN configurations, monitor for anomalous IKEv2 traffic, rotate VPN credentials after patching, and apply defense-in-depth monitoring across their network perimeters rather than treating this as a routine update.

Sources & References:

• WatchGuard Security Advisory – WGSA-2025-00027 (Official vendor advisory) watchguard
• National Vulnerability Database – CVE-2025-14733 details (NVD) nvd.nist.gov
• Cybernews report on vulnerable Firebox devices and active scanning cybernews
• socradar.io analysis on CISA KEV listing and exploitation risks socradar.io
• WatchGuard Fireware updates addressing CVE-2025-14733 watchguard