Network Firewalls, Network Access Control, Security Operations
117,000 Unpatched Firewalls Vulnerable to Exploitation

In a concerning development, a zero-day vulnerability affecting WatchGuard Firebox firewalls is under active exploitation by cybercriminals aiming to execute remote code. A patch has been released to address this critical issue.
According to WatchGuard’s security alert, threat actors have been seen exploiting this vulnerability in real-world scenarios. The flaw has been assigned a CVSS score of 9.3 and is classified as CVE-2025-14733.
Recent scans performed by The Shadowserver Foundation revealed nearly 125,000 unpatched devices, with the highest concentration found in the United States (38,300), followed by Germany (14,000) and Italy (12,300). By Sunday, the total number of vulnerable devices decreased by 6%, landing at 117,490.
WatchGuard, based in Seattle, provides firewall solutions to over 250,000 small and midsize enterprises, schools, and government agencies worldwide, securing approximately 10 million endpoints. The impact of this vulnerability is significant; these devices are not only firewalls but also serve as VPN concentrators, intrusion prevention systems, and essential defense mechanisms for organizations.
The vulnerability poses a serious threat, attracting attention from a wide array of attackers ranging from state-sponsored actors to cybercriminal syndicates, including those engaging in ransomware operations. The risk underscores the critical nature of securing edge devices.
In response to the vulnerability, WatchGuard has released Fireware OS versions 2025.1.4, 12.11.6, 12.5.15, and 12.3.1_Update4 to remediate the issue. However, the vendor has stated that version 11.x, which also contains the flaw, will not receive further updates as it is no longer supported.
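As an added example (not WatchGuard's tooling or anything from the original alert), the following Python classifies a Fireware OS version string against the four fixed releases named above. It assumes the `major.minor.patch[_UpdateN]` format shown in the alert, treats 11.x and older as end-of-life per the vendor statement, and reports any branch without a listed fix as "unlisted-branch" for manual review rather than guessing its status.

```python
import re

# Fixed Fireware OS builds named in the alert, keyed by branch (major, minor).
# "12.3.1_Update4" is modelled as patch 1 of 12.3 with update level 4.
FIXED_BUILDS = {
    (2025, 1): (2025, 1, 4, 0),
    (12, 11): (12, 11, 6, 0),
    (12, 5): (12, 5, 15, 0),
    (12, 3): (12, 3, 1, 4),
}

# Assumed version syntax: major.minor[.patch][_UpdateN]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '12.3.1_Update4' into (12, 3, 1, 4); absent parts become 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def assess(version: str) -> str:
    """Classify a version relative to the CVE-2025-14733 fixed builds.

    Returns 'patched', 'vulnerable', 'end-of-life' or 'unlisted-branch'.
    'unlisted-branch' is this example's own convention (not vendor guidance)
    for a branch the alert names no fixed build for; check it by hand.
    """
    v = parse_version(version)
    if v[0] < 12:
        return "end-of-life"  # 11.x and older: no fix will be shipped
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return "unlisted-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map each device name to its status; input is {name: version string}."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"fw-hq": "12.11.5", "fw-branch": "12.3.1_Update4",
              "fw-lab": "11.12.4", "fw-dc": "2025.1.4"}
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```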
Recognizing the urgency, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-14733 in its Known Exploited Vulnerabilities catalog, mandating federal agencies to address the flaw by Friday either through patches or by discontinuing the use of vulnerable products.
Organizations that detect unusual activities on their devices are advised to go beyond mere patching. WatchGuard emphasizes that it is imperative for administrators to change all locally stored secrets on compromised Firebox devices. They have provided detailed guidance for this process.
The identified out-of-bounds write vulnerability exists within the WatchGuard Fireware OS’s iked process, which is responsible for establishing IPSec connections. This flaw could allow attackers to execute remote code or crash systems. It particularly impacts configurations of Mobile User VPN with IKEv2 and Branch Office VPNs utilizing dynamic gateways, and affected devices may remain vulnerable even after those VPN configurations have been removed.
Indicators of potential compromise include inbound connections from specific published IP addresses and signs of the IKE daemon suddenly freezing or failing, interrupting VPN activities. These signs should prompt immediate investigation and action to safeguard network integrity.