Over 115,000 WatchGuard Firebox devices remain vulnerable to a critical remote code execution (RCE) flaw, tracked as CVE-2025-14733. This security vulnerability allows unauthenticated attackers to execute arbitrary code on affected devices, posing significant risks to organizations worldwide. The flaw primarily impacts Firebox firewalls running Fireware OS versions 11.x and later, including 11.12.4_Update1, and 12.x or later, as well as the 2025.1 series up to and including 2025.1.3.
The vulnerability has been actively exploited in attacks, prompting urgent action from cybersecurity authorities. According to a Thursday advisory from WatchGuard, unpatched devices are susceptible to attacks only if configured for IKEv2 VPN. Even if the vulnerable settings are removed, the firewalls may still be at risk if a Branch Office VPN (BOVPN) connection to a static gateway peer is configured.
Details of the Vulnerability
The National Vulnerability Database (NVD) describes the flaw as an out-of-bounds write in the iked process of Fireware OS, the daemon that handles IKE negotiation. The weakness affects both mobile user VPNs and branch office VPNs that use IKEv2. Because it can be exploited for remote code execution without any user interaction, the flaw is particularly concerning for network security.
On Saturday, the Internet security watchdog group Shadowserver reported finding over 124,658 unpatched Firebox instances exposed online, with 117,490 still vulnerable the following day. Just one day after WatchGuard released patches for this critical flaw, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog.
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies, including the Departments of Energy, Treasury, and Homeland Security, patch their Firebox firewalls by December 26. This directive aligns with the Binding Operational Directive (BOD) 22-01 aimed at mitigating risks associated with known vulnerabilities. CISA emphasized that such vulnerabilities are frequent targets for malicious cyber actors and can pose significant risks to federal networks.
Mitigation and Recommendations
In response to the ongoing threat, WatchGuard has shared indicators of compromise to assist customers in identifying potentially compromised Firebox appliances. The company advises organizations that detect signs of malicious activity to rotate all stored secrets on affected firewalls. For those unable to immediately patch their vulnerable devices, WatchGuard has provided a temporary workaround. This includes disabling dynamic peer BOVPNs, implementing new firewall policies, and disabling default system policies managing VPN traffic.
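To turn the affected-version ranges stated above and the exposure conditions from WatchGuard's advisory into a repeatable inventory check, here is an added Python example (it is not WatchGuard's code and not part of the original article). It parses Fireware OS version strings, flags builds that fall inside the ranges the article lists, and prioritises each device according to whether IKEv2 VPN or a BOVPN to a static gateway peer is configured. The device names, settings and version strings in the sample inventory are constructed, and because the patched builds are not given on the page, the script reports versions outside the stated ranges as "verify" rather than "fixed".

```python
"""Triage a Firebox inventory against the CVE-2025-14733 exposure conditions."""
import re
from dataclasses import dataclass

# Accepts strings such as "12.11.3", "11.12.4_Update1" and "2025.1.3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")


def parse_fireware_version(text: str) -> tuple[int, int, int, int]:
    """Split a Fireware OS version string into (major, minor, patch, update)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def in_affected_range(text: str) -> bool:
    """True if the version lies inside a range the article lists as affected.

    Ranges are taken from the article only: all 11.x (11.12.4_Update1 included),
    all 12.x, and the 2025.1 series up to and including 2025.1.3. The patched
    builds are not on the page, so anything outside these ranges is reported
    as outside the stated range, not as fixed.
    """
    major, minor, patch, _update = parse_fireware_version(text)
    if major in (11, 12):
        return True
    if (major, minor) == (2025, 1) and patch <= 3:
        return True
    return False


@dataclass(frozen=True)
class Firebox:
    name: str
    version: str
    ikev2_vpn: bool          # mobile user or BOVPN tunnels using IKEv2
    bovpn_static_peer: bool  # BOVPN to a static gateway peer configured


def triage(box: Firebox) -> tuple[str, str]:
    """Return (priority, reason) using the exposure conditions from the advisory."""
    if not in_affected_range(box.version):
        return ("verify", "version outside the stated affected ranges; "
                          "confirm against the vendor's fixed-version list")
    if box.ikev2_vpn:
        return ("critical", "affected build with IKEv2 VPN configured: patch now, "
                            "review WatchGuard's IoCs, rotate stored secrets if compromised")
    if box.bovpn_static_peer:
        return ("high", "affected build; IKEv2 removed but a BOVPN to a static "
                        "gateway peer remains: patch")
    return ("medium", "affected build without the exposing VPN configuration: "
                      "patch in the normal cycle")


# Constructed sample inventory (hypothetical device names, versions and settings).
SAMPLE_INVENTORY = [
    Firebox("fw-hq-01", "12.11.3", ikev2_vpn=True, bovpn_static_peer=True),
    Firebox("fw-branch-02", "11.12.4_Update1", ikev2_vpn=False, bovpn_static_peer=True),
    Firebox("fw-lab-03", "2025.1.3", ikev2_vpn=False, bovpn_static_peer=False),
    Firebox("fw-dc-04", "2025.1.4", ikev2_vpn=True, bovpn_static_peer=False),
]


def triage_inventory(boxes) -> dict[str, str]:
    """Map each device name to its triage priority."""
    return {box.name: triage(box)[0] for box in boxes}


if __name__ == "__main__":
    for box in SAMPLE_INVENTORY:
        priority, reason = triage(box)
        print(f"{box.name:14} {box.version:16} {priority:8} {reason}")
```

The "verify" outcome is deliberate: a device outside the article's ranges may be running a fixed build or may be running something the article simply does not cover, and only the vendor's fixed-version list can settle that. The "critical" and "high" outcomes follow the advisory's own ordering, since removing the IKEv2 configuration reduces but does not remove exposure while a static-peer BOVPN remains.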
Historically, WatchGuard has faced similar vulnerabilities in its products. In September, the company addressed another RCE vulnerability, CVE-2025-9242, which also affected Firebox firewalls. Shadowserver had previously identified over 75,000 vulnerable devices, primarily located in North America and Europe. CISA later acknowledged this flaw as actively exploited and ordered federal agencies to secure their Firebox appliances.
Two years ago, CISA instructed U.S. government agencies to patch another actively exploited vulnerability affecting WatchGuard products. The consistent emergence of these security flaws underscores the importance of timely updates and vigilant monitoring for organizations utilizing WatchGuard firewalls.
WatchGuard collaborates with over 17,000 security resellers and service providers, protecting the networks of more than 250,000 small and mid-sized companies across the globe. As cyber threats continue to evolve, the necessity for robust security measures and prompt updates remains paramount for safeguarding sensitive data and ensuring network integrity.