A zero-day vulnerability in WatchGuard Firebox firewalls is under active exploitation, marking the latest attacks against edge devices this month.
WatchGuard disclosed the vulnerability, tracked as CVE-2025-14733, on Thursday, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog the following day. CVE-2025-14733 is a critical out-of-bounds write vulnerability in WatchGuard’s Fireware OS that if exploited can enable remote code execution on Firebox devices.
CVE-2025-14733 affects Fireware OS version 11.10.2, including 11.12.4_Update1, version 12.0 or higher, and version 2025.1 and higher. According to WatchGuard’s advisory, the flaw impacts both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured,” the advisory stated.
WatchGuard is the latest edge device vendor to be targeted by threat actors this month. Last week, CISA added a critical Fortinet FortiGate flaw, tracked as CVE-2025-59718, to its KEV catalog shortly after the vulnerability was discovered. Meanwhile, threat actors targeted SonicWall’s SMA1000 appliances last week via the exploitation of a zero-day privilege escalation vulnerability.
In a blog post Thursday, WatchGuard product manager Matthew Terry said the vulnerability was discovered through an internal investigation and urged customers to patch the flaw as soon as possible.
“Threat actors are attempting to exploit this vulnerability as part of a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors,” Terry wrote in the blog post. “Therefore, we urge you to immediately upgrade any Firebox appliances that you own or manage.”
Dark Reading contacted WatchGuard for further comment regarding the exploitation activity and clarification on Terry’s reference to “a wider attack campaign.” WatchGuard did not respond to the questions but provided the following statement:
“On 15 December, through internal investigation, WatchGuard identified a new critical Fireware OS vulnerability detailed in CVE-2025-14733 and WatchGuard Security advisory WGSA-2025-0027. A patch was quickly made available on 18 December. Since the fix became available, our partners and end-users have been actively patching affected Firebox appliances. We continue to strongly encourage timely patching as a core best practice in security hygiene.
“Threat actors are actively exploiting this vulnerability as part of a wider attack campaign against edge networking and exposed infrastructure from multiple vendors. We are prioritizing a fast, frictionless patching experience to help customers secure their environments without disruption.”
Firebox Devices Under Fire
WatchGuard said it has “observed threat actors actively attempting to exploit this vulnerability in the wild,” and included indicators of compromise (IoCs) in the advisory, including four IP addresses.
“Outbound connections to these IPs are a strong indicator of compromise,” the advisory said. “Inbound connections from these IPs could indicate reconnaissance efforts or exploit attempts.”
Because CVE-2025-14733 affects the IKED process (Internet Key Exchange Daemon) in the Fireware OS, WatchGuard urged customers to review their devices for unusual activity with the process. “During a successful exploit, the IKED process (responsible for handling IKE negotiations) will hang, interrupting VPN tunnel negotiations and re-keys,” the advisory said. “This is a strong indicator of attack. Existing tunnels may continue to pass traffic.”
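As an added illustration of the advisory's IoC guidance (example code, not WatchGuard's or Dark Reading's), the script below triages traffic-log lines against an IoC address set, rating outbound connections to an IoC higher than inbound ones from it. The IoC addresses and log lines are constructed placeholders (the advisory's four real addresses are in WGSA-2025-0027 and are not reproduced here), and the log format is a simplified assumption, not Fireware's own syntax.

```python
"""Triage firewall traffic-log lines against an IoC address set.

Added example, not vendor code. IoC set, log lines and log format are all
constructed placeholders; swap in the advisory's addresses and your log parser.
"""
import ipaddress
import re

# Placeholder IoC set (TEST-NET addresses, constructed). Replace with the
# four addresses listed in WatchGuard advisory WGSA-2025-0027.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}

# Constructed line format: "<ts> <in|out> src=<ip> dst=<ip> proto=<p> dport=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<direction>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def classify(line):
    """Return (severity, reason) if a line touches an IoC address, else None.

    Per the advisory: outbound connections *to* an IoC are a strong indicator
    of compromise; inbound connections *from* an IoC suggest reconnaissance
    or exploit attempts, so they are rated lower.
    """
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    src, dst, direction = m["src"], m["dst"], m["direction"]
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None  # malformed address fields
    if direction == "out" and dst in IOC_IPS:
        return ("high", f"outbound connection to IoC {dst}: strong indicator of compromise")
    if direction == "in" and src in IOC_IPS:
        return ("medium", f"inbound connection from IoC {src}: possible recon or exploit attempt")
    return None


def triage(lines):
    """Return a list of (line, severity, reason) for every line that hits an IoC."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((line, *result))
    return hits


SAMPLE_LOG = [  # constructed sample; 192.0.2.1 stands in for the Firebox itself
    "2025-12-19T10:00:01Z in src=203.0.113.10 dst=192.0.2.1 proto=udp dport=500",
    "2025-12-19T10:00:05Z out src=192.0.2.1 dst=198.51.100.77 proto=tcp dport=443",
    "2025-12-19T10:00:09Z out src=192.0.2.1 dst=192.0.2.200 proto=tcp dport=443",
    "not a log line",
]

if __name__ == "__main__":
    for _line, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Pair the result with the advisory's other signal: a hung IKED process that stops VPN negotiations and re-keys while existing tunnels still pass traffic.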
In lieu of patching, WatchGuard offered a temporary workaround for customers with Firebox devices that are only configured with Branch Office VPN tunnels to static gateway peers.
On Sunday, the Shadowserver Foundation said its scans revealed nearly 125,000 IP addresses for vulnerable Firebox devices across the globe, with more than 35,000 located in the US.