
Critical RCE flaw impacts over 115,000 WatchGuard firewalls

Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks.

The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.

Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction.


As WatchGuard explained in a Thursday advisory, when it released CVE-2025-14733 security updates and tagged it as exploited in the wild, unpatched Firebox firewalls are only vulnerable to attacks if configured for IKEv2 VPN. It also warned that even if vulnerable configurations are deleted, the firewall may still be at risk if a Branch Office VPN (BOVPN) to a static gateway peer is still configured.

"WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process," an NVD advisory explains. "This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer."


WatchGuard has shared indicators of compromise to help customers identify compromised Firebox appliances on their network, advising those who find signs of malicious activity to rotate all locally stored secrets on vulnerable firewalls. It also provided a temporary workaround for network defenders who can't immediately patch vulnerable devices, requiring them to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic.

On Saturday, the Internet security watchdog group Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed on Sunday.

WatchGuard firewall instances exposed online (Shadowserver)

One day after WatchGuard released patches, CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog.

The U.S. cybersecurity agency also ordered Federal Civilian Executive Branch (FCEB) agencies (executive branch non-military agencies, such as the Department of Energy, the Department of the Treasury, and the Department of Homeland Security) to patch Firebox firewalls within a week, by December 26th, as mandated by Binding Operational Directive (BOD) 22-01.


"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

In September, WatchGuard patched an almost identical RCE vulnerability (CVE-2025-9242) impacting Firebox firewalls. One month later, Shadowserver found over 75,000 Firebox firewalls vulnerable to CVE-2025-9242 attacks, most in North America and Europe, with CISA later tagging the security flaw as actively exploited in the wild and ordering federal agencies to secure their Firebox appliances from ongoing attacks.

Two years ago, CISA also ordered U.S. government agencies to patch another actively exploited WatchGuard flaw (CVE-2022-23176) impacting Firebox and XTM firewall appliances.

WatchGuard works with over 17,000 security resellers and service providers to protect the networks of more than 250,000 small and mid-sized companies worldwide.
