Critical WatchGuard Firebox RCE flaw exposes over 115,000 firewalls online

22.12.2025 | 2 minute read | Author: Newsman

More than 115,000 internet-exposed WatchGuard Firebox firewalls remain vulnerable to a critical remote code execution (RCE) flaw that is actively exploited in the wild. The vulnerability allows unauthenticated attackers to fully compromise affected devices without user interaction.

Tracked as CVE-2025-14733, the vulnerability affects WatchGuard Firebox appliances running Fireware OS versions 11.x, 12.x, and 2025.1. Successful exploitation lets a remote attacker execute arbitrary code on the appliance, giving full control over the firewall itself and a foothold into the networks it protects.

The flaw is an out-of-bounds write in the iked process, the daemon that handles IKE negotiation for the device's VPN tunnels. According to WatchGuard, a Firebox is exposed when IKEv2 VPN is enabled, so the attack surface is the IKE listener itself (UDP 500 and, with NAT traversal, UDP 4500), not the authenticated tunnel. Configurations using dynamic BOVPN peers are particularly exposed: a device that was configured with such a peer may remain vulnerable even after the VPN is only partially reconfigured, so removing a single tunnel is not a reliable fix.

Shadowserver researchers reported more than 124,000 exposed Firebox instances, with over 117,000 still reachable online days after patches were released.

WatchGuard firewall instances exposed to the internet (Shadowserver)

WatchGuard released security updates and shared indicators of compromise (IoCs) to help organizations detect devices that have already been compromised. Because the attacker reaches the firewall before any authentication, customers are advised to rotate all locally stored secrets on potentially compromised firewalls, not just to patch them. For those unable to patch immediately, temporary mitigations include disabling dynamic BOVPNs, adjusting firewall policies, and blocking the default VPN traffic rules that expose the IKE listener to untrusted networks.
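Whether the mitigations above actually removed external reachability of the IKEv2 service (the exposure condition described earlier) is something to verify from outside rather than assume. A practitioner would send an IKE_SA_INIT from an internet-side host (a test VPN peer or a scanner such as ike-scan) and capture whatever comes back on UDP/500 or UDP/4500. The script below, an added example and not WatchGuard's or Shadowserver's code, triages such a captured datagram: it parses the fixed IKEv2 header and generic payload chain from RFC 7296, handles the 4-byte non-ESP marker that UDP/4500 prepends, and decides whether the bytes are an IKE_SA_INIT response to our own initiator SPI. The function names and the sample datagram (a constructed reply carrying a Vendor ID and a NO_PROPOSAL_CHOSEN notify) are assumptions made for this example, not captured from a real appliance.

```python
"""Triage a captured UDP/500 or UDP/4500 datagram as an IKEv2 responder reply.

Added example (not WatchGuard's or Shadowserver's code). A positive result means
the IKEv2 listener is reachable from wherever the probe was sent; it says
nothing about the Fireware version or whether the device is actually vulnerable.
"""
import struct

IKE_HEADER = struct.Struct("!8s8sBBBBII")   # RFC 7296 s3.1 fixed header, 28 bytes
PAYLOAD_HEADER = struct.Struct("!BBH")      # next payload, critical/reserved, length
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 40: "NONCE", 41: "NOTIFY", 43: "VENDOR_ID", 46: "SK"}
FLAG_RESPONSE = 0x20                        # "R" bit in the header flags byte
NAT_T_MARKER = b"\x00\x00\x00\x00"          # non-ESP marker on UDP/4500 (RFC 3948 s2.2)


def ike_body(datagram: bytes, udp_port: int = 500) -> bytes:
    """Return the IKE message, stripping the UDP/4500 non-ESP marker when present."""
    if udp_port != 4500:
        return datagram
    if not datagram.startswith(NAT_T_MARKER):
        raise ValueError("UDP/4500 datagram without non-ESP marker is ESP, not IKE")
    return datagram[len(NAT_T_MARKER):]


def parse_ike_header(body: bytes) -> dict:
    """Decode the fixed IKEv2 header into a dict; raises ValueError on short input."""
    if len(body) < IKE_HEADER.size:
        raise ValueError("datagram shorter than the 28-byte IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(body)
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "next_payload_id": nxt, "next_payload": PAYLOAD_TYPES.get(nxt, str(nxt)),
        "major": ver >> 4, "minor": ver & 0x0F,
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "is_response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id, "length": length,
    }


def walk_payloads(body: bytes) -> list:
    """Follow the generic payload chain; returns [(type_name, payload_body), ...]."""
    ptype = parse_ike_header(body)["next_payload_id"]
    off, out = IKE_HEADER.size, []
    while ptype != 0:
        if off + PAYLOAD_HEADER.size > len(body):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = PAYLOAD_HEADER.unpack_from(body, off)
        if plen < PAYLOAD_HEADER.size or off + plen > len(body):
            raise ValueError("payload length runs past the datagram")
        out.append((PAYLOAD_TYPES.get(ptype, str(ptype)), body[off + PAYLOAD_HEADER.size:off + plen]))
        ptype, off = nxt, off + plen
    return out


def notify_type(notify_body: bytes) -> int:
    """Notify payload body: protocol ID, SPI size, then the 16-bit notify type."""
    return struct.unpack_from("!H", notify_body, 2)[0]


def is_ikev2_sa_init_reply(datagram: bytes, our_spi_i: bytes, udp_port: int = 500) -> bool:
    """True when the datagram is an IKEv2 IKE_SA_INIT response addressed to our SPI."""
    try:
        body = ike_body(datagram, udp_port)
        h = parse_ike_header(body)
    except ValueError:
        return False
    return (h["major"] == 2 and h["exchange"] == "IKE_SA_INIT" and h["is_response"]
            and h["spi_i"] == our_spi_i.hex() and h["length"] == len(body))


def build_sample_reply(spi_i: bytes) -> bytes:
    """Constructed IKE_SA_INIT response: VENDOR_ID followed by NOTIFY(NO_PROPOSAL_CHOSEN=14)."""
    vid = b"example-vid"
    notify = b"\x00\x00" + struct.pack("!H", 14)                     # proto 0, SPI size 0, type 14
    payloads = (PAYLOAD_HEADER.pack(41, 0, PAYLOAD_HEADER.size + len(vid)) + vid
                + PAYLOAD_HEADER.pack(0, 0, PAYLOAD_HEADER.size + len(notify)) + notify)
    hdr = IKE_HEADER.pack(spi_i, bytes.fromhex("1122334455667788"), 43, 0x20, 34,
                          FLAG_RESPONSE, 0, IKE_HEADER.size + len(payloads))
    return hdr + payloads


SAMPLE_SPI_I = bytes.fromhex("0102030405060708")   # constructed initiator SPI
SAMPLE_REPLY = build_sample_reply(SAMPLE_SPI_I)

if __name__ == "__main__":
    print("IKEv2 reachable:", is_ikev2_sa_init_reply(SAMPLE_REPLY, SAMPLE_SPI_I))
    for name, pbody in walk_payloads(SAMPLE_REPLY):
        print(name, notify_type(pbody) if name == "NOTIFY" else pbody)
```

Feed the function the bytes of the first datagram that comes back from the firewall after your probe (for UDP/4500, pass `udp_port=4500` so the non-ESP marker is stripped). Even an error notify such as NO_PROPOSAL_CHOSEN counts as reachable: the vulnerable code path is reached before any proposal is accepted, so the mitigation is only complete when no IKE reply of any kind arrives from untrusted addresses.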

CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered US federal civilian agencies to remediate the flaw within one week under Binding Operational Directive 22-01.

The WatchGuard Firebox case highlights the ongoing risk posed by exposed VPN services on perimeter devices. When exploited at scale, such vulnerabilities turn security appliances into high-impact entry points, reinforcing the need for continuous monitoring, rapid patching, and strict VPN configuration hygiene.
