What is WatchGuard Firebox?
WatchGuard Firebox is a series of enterprise network firewall and unified threat management (UTM) appliances used by small and medium businesses and enterprises for perimeter security, VPN, and network filtering. Fireware OS is the operating system running on Firebox hardware. The IKE (Internet Key Exchange) daemon (iked) handles VPN key negotiation for both Mobile User VPN with IKEv2 and Branch Office VPN (BOVPN) with IKEv2. Because Firebox appliances are internet-facing VPN gateways, a pre-authentication vulnerability in the IKE service is directly reachable by any attacker with network access to the device.
Overview
CVE-2025-14733 is a critical out-of-bounds write vulnerability (CWE-787, CVSS 9.8) in WatchGuard Fireware OS's IKE daemon (iked). A crafted IKE_AUTH request containing an abnormally large CERT payload (over 2,000 bytes) or a peer certificate chain longer than 8 certificates triggers the out-of-bounds write, causing iked to crash and enabling potential arbitrary code execution. WatchGuard confirmed active exploitation in the wild as a zero-day before the advisory was published. Approximately 117,490 internet-facing Firebox appliances were exposed at time of disclosure. CISA issued a 7-day Christmas deadline (December 26, 2025). Post-exploitation activity included configuration file and database exfiltration.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Fireware OS 12.x | 12.0 through 12.11.5 | 12.11.6 |
| Fireware OS 12.5.x (T15/T35) | 12.5.x through 12.5.14 | 12.5.15 |
| Fireware OS 2025.1.x | 2025.1.0 through 2025.1.3 | 2025.1.4 |
| Fireware OS 11.x | All versions (End of Life) | No fix — replace hardware |
| Fireware OS 12.3.x (FIPS) | All affected builds | 12.3.1_Update4 / B728352 |
Attack condition: Vulnerable only when Mobile User VPN with IKEv2 or Branch Office VPN with IKEv2 using a dynamic gateway peer is configured.
Technical Details
The vulnerability (CWE-787: Out-of-Bounds Write) is in the iked process. The IKEv2 protocol uses an IKE_AUTH exchange where peers optionally send certificates in CERT payloads. The iked process fails to validate the size of incoming CERT payloads or the length of certificate chains before writing them to an internal buffer. An attacker sends a crafted IKEv2 IKE_AUTH packet with:
- A CERT payload larger than 2,000 bytes (beyond the allocated buffer), or
- A peer certificate chain containing more than 8 certificates
This triggers an out-of-bounds write to heap memory. The iked process crashes and hangs, disrupting all VPN connections relying on IKEv2. A successful exploit achieves arbitrary code execution in the iked process context.
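The missing check described above is a length validation on the IKEv2 payload chain before anything is copied into a fixed-size buffer. The following Python is an added illustration, not WatchGuard code and not a description of how iked is implemented: it walks a chain of IKEv2 generic payload headers (RFC 7296: next payload, flags, 16-bit payload length that includes the 4-byte header), refuses any payload whose declared length runs past the end of the message, and then applies the two thresholds named in this advisory (CERT payload over 2,000 bytes, more than 8 CERT payloads) before the message is accepted. In a real IKE_AUTH these payloads sit inside the encrypted SK payload, so the function is assumed to run on the decrypted inner chain; the sample messages are constructed with a small builder helper, and the threshold constants are taken from the advisory text rather than from any vendor source.

```python
import struct
from dataclasses import dataclass

IKEV2_PAYLOAD_CERT = 37        # RFC 7296 payload type: Certificate
IKEV2_NO_NEXT_PAYLOAD = 0      # terminates the payload chain
GENERIC_HEADER_LEN = 4         # next payload (1) + C/reserved (1) + payload length (2)
MAX_CERT_PAYLOAD_BYTES = 2000  # size threshold named in the advisory (assumed, not vendor code)
MAX_CERT_CHAIN = 8             # chain-length threshold named in the advisory


@dataclass
class Payload:
    ptype: int
    data: bytes   # payload body without the 4-byte generic header


class MalformedMessage(ValueError):
    """Raised when a payload header claims more bytes than the message holds."""


def parse_payload_chain(first_type: int, blob: bytes) -> list:
    """Walk an IKEv2 payload chain, bounds-checking every header before trusting it.

    first_type is the 'next payload' value from the enclosing IKE or SK header.
    Nothing is copied out of blob until its declared length has been verified to
    fit inside the buffer, which is the check the advisory says iked lacked.
    """
    payloads = []
    offset = 0
    ptype = first_type
    while ptype != IKEV2_NO_NEXT_PAYLOAD:
        if offset + GENERIC_HEADER_LEN > len(blob):
            raise MalformedMessage("payload header runs past end of message")
        next_type, _flags, plen = struct.unpack_from("!BBH", blob, offset)
        if plen < GENERIC_HEADER_LEN or offset + plen > len(blob):
            raise MalformedMessage(
                f"payload type {ptype} claims {plen} bytes, only {len(blob) - offset} remain")
        payloads.append(Payload(ptype, blob[offset + GENERIC_HEADER_LEN:offset + plen]))
        offset += plen
        ptype = next_type
    if offset != len(blob):
        raise MalformedMessage("trailing bytes after the last payload")
    return payloads


def check_cert_payloads(payloads: list) -> list:
    """Return the reasons an IKE_AUTH should be rejected; empty list means it passes."""
    reasons = []
    certs = [p for p in payloads if p.ptype == IKEV2_PAYLOAD_CERT]
    if len(certs) > MAX_CERT_CHAIN:
        reasons.append(f"certificate chain has {len(certs)} CERT payloads (max {MAX_CERT_CHAIN})")
    for idx, cert in enumerate(certs):
        size = GENERIC_HEADER_LEN + len(cert.data)
        if size > MAX_CERT_PAYLOAD_BYTES:
            reasons.append(f"CERT payload #{idx} is {size} bytes (max {MAX_CERT_PAYLOAD_BYTES})")
    return reasons


# --- constructed test data helpers (not part of any real implementation) ---

def build_chain(items: list) -> tuple:
    """Serialise [(ptype, data), ...] into (first_type, bytes) with correct next-payload links."""
    out = b""
    for i, (ptype, data) in enumerate(items):
        nxt = items[i + 1][0] if i + 1 < len(items) else IKEV2_NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", nxt, 0, GENERIC_HEADER_LEN + len(data)) + data
    return items[0][0], out


if __name__ == "__main__":
    # A normal-looking chain: IDi (35), two ~600-byte CERTs (encoding byte + DER stand-in), AUTH (39)
    first, blob = build_chain([(35, b"\x01" * 8), (37, b"\x04" + b"A" * 600),
                               (37, b"\x04" + b"B" * 600), (39, b"\x00" * 20)])
    print("benign:", check_cert_payloads(parse_payload_chain(first, blob)) or "accepted")
    # Oversized CERT payload: rejected before any copy happens
    first, blob = build_chain([(37, b"\x04" + b"A" * 2500)])
    print("oversized:", check_cert_payloads(parse_payload_chain(first, blob)))
```

The two checks are deliberately separate: `parse_payload_chain` enforces the structural invariant every IKEv2 parser needs (a payload cannot claim more bytes than the buffer has), while `check_cert_payloads` applies the application-level limits that a fixed-size certificate buffer implies. Either one alone would have turned the write described above into a clean rejection.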
Indicators of attack: IKE_AUTH log messages showing CERT payload sizes exceeding 2,000 bytes; subsequent iked process crash and generation of a fault report file. Legitimate IKEv2 sessions use certificate payloads well under this size.
Discovery
The advisory credits no specific external researcher. WatchGuard confirmed active exploitation before the December 18, 2025 advisory.
Exploitation Context
WatchGuard confirmed active zero-day exploitation as part of a wider attack campaign targeting edge networking equipment across multiple vendors in December 2025. Shadowserver Foundation data showed approximately 117,490 internet-exposed vulnerable WatchGuard Firebox instances at time of disclosure — 35,600+ in the US, 13,000 in Germany, 11,300 in Italy, 9,000 in the UK. Post-exploitation activity observed: configuration file exfiltration and database theft. CISA added CVE-2025-14733 to the KEV catalog on December 19, 2025 with a 7-day deadline (December 26 — the day after Christmas), indicating urgent federal network exposure. No specific threat actor has been publicly named.
Remediation
- Upgrade Fireware OS immediately: 12.11.6 (12.x), 12.5.15 (T15/T35 hardware), 2025.1.4, or 12.3.1_Update4 (FIPS).
- Firebox running Fireware 11.x (End of Life): no patch is available — upgrade to supported hardware running Fireware 12.x or 2025.x.
- Check IKE logs for attack indicators: filter for IKE_AUTH messages with CERT payload size > 2,000 bytes; check for iked fault reports or unexpected process restarts.
- Temporarily disable IKEv2 VPN if patching is not immediately possible: switch Mobile User VPN to IKEv1 or SSL VPN, and change BOVPN tunnels to use IKEv1 or non-dynamic peers to remove the attack surface.
- Review configuration and database files for unauthorized access or modification — post-exploitation exfiltration of these files was observed in the wild.
- Follow WatchGuard's advisory guidance at WGSA-2025-00027 for additional compromise detection steps.
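The log check in the remediation list above (oversized CERT payloads in IKE_AUTH messages, followed by an iked fault report or restart) is easy to automate once logs are exported to a collector. The script below is an added example, not a WatchGuard tool: the log lines are constructed for the example and the line format is illustrative only, so the two regular expressions would need to be adapted to the real Firebox log format. It flags every IKE_AUTH message whose CERT payload exceeds the 2,000-byte threshold from the advisory, collects iked crash and restart events, and reports which oversized-payload events were followed by a crash within a short window, which is the combination the indicators-of-attack section describes.

```python
import re
from datetime import datetime, timedelta

CERT_PAYLOAD_THRESHOLD = 2000          # byte threshold from the advisory
CRASH_WINDOW = timedelta(seconds=60)   # assumed correlation window, not a vendor value

# Constructed sample log; the format is illustrative and not Firebox's real syslog layout.
SAMPLE_LOG = """\
2025-12-18 03:14:07 iked IKE_AUTH received from 203.0.113.45 peer_id=vpn-user-1 CERT payload size 1180 bytes
2025-12-18 03:14:09 iked IKE_AUTH received from 198.51.100.7 peer_id=unknown CERT payload size 4096 bytes
2025-12-18 03:14:09 iked IKE_AUTH received from 198.51.100.7 peer_id=unknown CERT payload size 3870 bytes
2025-12-18 03:14:10 kernel iked[1234] exited on signal 11, fault report generated
2025-12-18 03:14:12 init iked process restarted
"""

IKE_AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) iked IKE_AUTH .*?from (?P<src>[\d.]+).*?CERT payload size (?P<size>\d+) bytes")
CRASH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?iked.*?(fault report|exited on signal|restarted)")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def scan_ike_log(text: str) -> dict:
    """Scan exported iked log lines for the indicators named in the advisory.

    Returns oversized CERT events, iked crash/restart timestamps, and the subset of
    oversized events that were followed by a crash inside CRASH_WINDOW.
    """
    oversized = []
    crashes = []
    for line in text.splitlines():
        m = IKE_AUTH_RE.match(line)
        if m:
            size = int(m.group("size"))
            if size > CERT_PAYLOAD_THRESHOLD:
                oversized.append({"ts": parse_ts(m.group("ts")),
                                  "src": m.group("src"), "size": size})
            continue
        m = CRASH_RE.match(line)
        if m:
            crashes.append(parse_ts(m.group("ts")))
    # An oversized payload followed shortly by an iked crash is the pattern to escalate.
    correlated = [ev for ev in oversized
                  if any(ev["ts"] <= c <= ev["ts"] + CRASH_WINDOW for c in crashes)]
    return {"oversized": oversized, "crashes": crashes, "correlated": correlated}


def summarize(result: dict) -> str:
    """One line per finding, suitable for a ticket or SIEM alert body."""
    lines = [f"{ev['ts']} oversized CERT payload ({ev['size']} bytes) from {ev['src']}"
             for ev in result["oversized"]]
    lines += [f"{ts} iked crash/restart" for ts in result["crashes"]]
    srcs = sorted({ev["src"] for ev in result["correlated"]})
    if srcs:
        lines.append("ESCALATE: iked crash followed oversized CERT payload from " + ", ".join(srcs))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(scan_ike_log(SAMPLE_LOG)))
```

Source addresses that show up in the `correlated` set are the ones worth carrying into the configuration and database review described in the next remediation step, since the advisory ties post-exploitation exfiltration to exactly this sequence.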
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-14733 |
| Vendor / Product | WatchGuard — Firebox |
| NVD Published | 2025-12-19 |
| NVD Last Modified | 2025-12-23 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-787 |
| CISA KEV Added | 2025-12-19 |
| CISA KEV Deadline | 2025-12-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-12-18 | WatchGuard discloses active exploitation of zero-day; advisory WGSA-2025-00027 published |
| 2025-12-19 | CVE published; CISA adds to KEV catalog with 7-day Christmas deadline (Dec 26) |
| 2025-12-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| WatchGuard Security Advisory WGSA-2025-00027 | Vendor Advisory |
| NVD — CVE-2025-14733 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| BleepingComputer — Over 115,000 WatchGuard Firewalls Vulnerable to RCE Attacks | News |
| WatchGuard Warns of Active Exploitation CVE-2025-14733 | News |
| Help Net Security — WatchGuard Firebox CVE-2025-14733 | Security Research |
| Kudelski Security — WatchGuard IKEv2 Critical Vulnerability Analysis | Security Research |