
Cybersecurity Advisory
As of December 19, 2025, WatchGuard Fireware OS is impacted by a critical out‑of‑bounds write vulnerability, CVE‑2025‑14733, actively exploited in the wild according to the vendor’s advisory [1]. The flaw affects IKEv2 Mobile User VPN and Branch Office VPN configurations involving dynamic gateway peers. Patch updates are available for supported versions, and exploitation attempts have been confirmed from multiple IPs. The vulnerability carries a CVSS v4.0 score of 9.3, with mapped weakness CWE‑787, based on NVD and WatchGuard data [2][3].
Overview
CVE‑2025‑14733 is an out‑of‑bounds write in the Fireware OS iked process. According to WatchGuard’s security bulletin [1], remote unauthenticated attackers can trigger memory corruption via malformed IKEv2 VPN payloads. NVD’s CVE entry describes the same condition and confirms the out‑of‑bounds write behavior and affected configuration scenarios [2].
Impact
Successful exploitation leads to remote code execution on Firebox appliances with no authentication required, as confirmed by NHS England CSOC and CERT Santé France [3][4]. The attack vector is network‑based, with low complexity and no user interaction. The vulnerability enables full compromise of the firewall control plane, allowing attackers to pivot into the networks the appliance protects.
Affected Products & Versions
According to WatchGuard and NVD [1][2][4]:
- Fireware OS 11.10.2 – 11.12.4_Update1 (end‑of‑life)
- Fireware OS 12.0 – 12.11.5 (fixed in 12.11.6)
- Fireware OS 12.3.1 (FIPS) prior to 12.3.1_Update4
- Fireware OS 12.5.x (T15 & T35) prior to 12.5.15
- Fireware OS 2025.1.x prior to 2025.1.4
Exposure persists even if dynamic peer configurations were removed, provided a static gateway peer BOVPN remains configured, according to WatchGuard [1].
Exposure & Exploitability
WatchGuard confirmed active exploitation attempts from multiple IP addresses, including 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82 [1]. Arctic Wolf has linked at least one of these IPs to other Fortinet VPN exploits, suggesting potential cross‑vendor targeting patterns [1].
NVD classifies the condition under CWE‑787 and provides a CVSS v4.0 vector indicating critical impact on confidentiality, integrity, and availability [2]. CERT Santé confirms the following exploit characteristics [4]:
- Attack vector: Network
- Privileges required: None
- Complexity: Low
- User interaction: None
- No open‑source PoC publicly available
Detection & Telemetry
WatchGuard provided explicit IOCs [1]:
- Log message: “Received peer certificate chain is longer than 8. Reject this certificate chain”
- IKE_AUTH request containing a CERT payload larger than 2000 bytes
- Hanging iked process disrupting VPN connections
- Crash and fault report generation after exploit attempts
Security teams should monitor Firebox logs for anomalous IKEv2 certificate payload sizes and unexpected iked restarts.
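As an added example that is not part of WatchGuard's advisory or tooling, the following Python script applies those indicators to a block of constructed Firebox log lines. Only the certificate‑chain message is the published IOC string; the CERT payload length, crash and restart line formats are assumptions made for illustration and should be adapted to the actual log format.

```python
import re

# Constructed sample log lines for illustration only. The certificate-chain
# message is the IOC string from the WatchGuard advisory; the CERT payload
# length, crash and restart line formats are assumptions for this example.
SAMPLE_LOGS = """\
2025-12-19 10:01:02 iked Received peer certificate chain is longer than 8. Reject this certificate chain
2025-12-19 10:01:03 iked IKE_AUTH request from 198.51.100.7 CERT payload length 2312
2025-12-19 10:01:09 kernel iked[1234] segfault at 0, fault report generated
2025-12-19 10:02:00 init Process iked started
2025-12-19 10:05:00 iked IKE_AUTH request from 203.0.113.5 CERT payload length 1240
2025-12-19 10:07:30 init Process iked started
"""

IOC_CHAIN_MSG = "Received peer certificate chain is longer than 8"
CERT_PAYLOAD_THRESHOLD = 2000   # bytes; the advisory's IOC is a CERT payload > 2000 bytes
CERT_RE = re.compile(r"IKE_AUTH request from (\S+) CERT payload length (\d+)")
RESTART_MARK = "Process iked started"   # assumed restart marker


def scan_firebox_logs(text, max_restarts=1):
    """Return (findings, restart_count) for a block of Firebox log text.

    findings is a list of (indicator, detail) tuples, one per matching line,
    plus one "iked_restart_churn" entry if restarts exceed max_restarts.
    """
    findings = []
    restarts = 0
    for line in text.splitlines():
        if IOC_CHAIN_MSG in line:
            findings.append(("cert_chain_too_long", line.strip()))
        m = CERT_RE.search(line)
        if m and int(m.group(2)) > CERT_PAYLOAD_THRESHOLD:
            # Record the peer address so it can be cross-checked against the IOC list.
            findings.append(("oversized_cert_payload", m.group(1)))
        if "iked" in line and ("segfault" in line or "fault report" in line):
            findings.append(("iked_crash", line.strip()))
        if RESTART_MARK in line:
            restarts += 1
    if restarts > max_restarts:
        findings.append(("iked_restart_churn", str(restarts)))
    return findings, restarts


if __name__ == "__main__":
    for indicator, detail in scan_firebox_logs(SAMPLE_LOGS)[0]:
        print(f"{indicator}: {detail}")
```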
Mitigations & Patching
Immediate upgrade is the recommended mitigation according to WatchGuard PSIRT [1] and CERT Santé [4]. Required minimum versions:
- 12.11.6
- 12.5.15
- 12.3.1_Update4
- 2025.1.4
Temporary mitigations for vulnerable BOVPN configurations (per WatchGuard guidance [1]):
- Disable dynamic peer BOVPNs.
- Create an alias including static IPs of remote peers.
- Add firewall policies permitting access only from this alias.
- Disable default VPN traffic‑handling policies.
Timeline
- September 2025: Related Fireware OS out‑of‑bounds iked vulnerabilities (CVE‑2025‑9242) patched but later added to KEV [5].
- December 19, 2025: WatchGuard confirms CVE‑2025‑14733 exploitation and releases updated firmware [1].
References
[1] WatchGuard PSIRT Advisory WGSA‑2025‑00027 (official bulletin): https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
[2] NVD, CVE‑2025‑14733 entry: https://nvd.nist.gov/vuln/detail/CVE-2025-14733
[3] NHS England CSOC, Advisory CC‑4733: https://digital.nhs.uk/cyber-alerts/2025/cc-4733
[4] CERT Santé France, CVE‑2025‑14733 advisory: https://cyberveille.esante.gouv.fr/alertes/watchguard-firebox-cve-2025-14733-2025-12-19
[5] CISA KEV Catalog, WatchGuard Fireware OS entry (referencing CVE‑2025‑9242): https://www.cisa.gov/known-exploited-vulnerabilities