Triskele Labs Blog

Watchguard Fireware OS CVE-2025-14733

Written by  Brandon Sawyer | Dec 23, 2025 3:46:32 AM

Published: Tue 23 December 2025 | Prepared by: Brandon Sawyer, Vulnerability Analyst

Purpose

An out-of-bounds write vulnerability, tracked as CVE-2025-14733, has been disclosed in WatchGuard Fireware OS which may allow a remote unauthenticated threat actor to execute arbitrary code. It affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer and is rated CVSSv4 9.3 (Critical). The Australian Cyber Security Centre (ACSC) has issued a Critical alert and recommends immediate patching.

Vulnerability details

CVE-2025-14733 is an out-of-bounds write vulnerability in the WatchGuard Fireware OS Internet Key Exchange Daemon (IKED) process, which may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer. If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.

CVE-2025-14733 affects Fireware OS:

  • 11.10.2 up to and including 11.12.4_Update1
  • 12.0 up to and including 12.11.5
  • 2025.1 up to and including 2025.1.3.

WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild, so internet-facing devices running an affected Fireware OS version should be patched with urgency.

Impact

Successful exploitation can give a threat actor the ability to execute arbitrary code, leading to:

  • Full compromise of WatchGuard Firebox firewall appliances running WatchGuard Fireware OS.
  • Theft of secrets (API keys, tokens, environment variables) and access to connected systems.
  • Potential lateral movement within your environment and business disruption.

Because this is unauthenticated and remote, internet-facing services using affected WatchGuard Fireware OS versions are at very high risk. 

Mitigation actions

Apply patches immediately (recommended)

Vulnerable Version                       Resolved Version
2025.1                                   2025.1.4
12.x                                     12.11.6
12.5.x (T15 & T35 models)                12.5.15
12.3.1 (FIPS-certified release)          12.3.1_Update4 (B728352)
11.x                                     End of Life

If you cannot patch immediately (short-term risk reduction only)

If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.

Detection capabilities

WatchGuard has provided a few key Indicators of Attack (IoAs) to help device owners identify potential attempts to exploit this vulnerability against vulnerable Firebox appliances.

  • WatchGuard reports the following IP addresses are directly associated with known threat actor activity. Outbound connections to these IPs are a strong indicator of compromise. Inbound connections from these IPs could indicate reconnaissance efforts or exploit attempts.

    • 45.95.19[.]50
    • 51.15.17[.]89
    • 172.93.107[.]67
    • 199.247.7[.]82
  • Abnormally large IKE_AUTH request CERT payload (logs)

    • With the IKED diagnostic logging set to the info logging level, the IKED process generates a log message when the Firebox receives an IKE_AUTH request message. An IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes) is a strong indicator of attack.

  • Invalid peer certificate chain (logs)

    • With the IKED diagnostic logging set to the default error logging level, the IKED process generates a log message when the Firebox receives an IKEv2 Auth payload with more than 8 certificates. This is a medium indicator of attack that the WatchGuard Threat Lab has observed associated with some threat actor activity.

  • IKE process hang (device behaviour)

    • During a successful exploit, the IKED process (responsible for handling IKE negotiations) will hang, interrupting VPN tunnel negotiations and re-keys. This is a strong indicator of attack. Existing tunnels may continue to pass traffic.

  • IKE process crash (device behaviour)

    • After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox. Be aware, there are other situations that could cause the IKED process to crash. This is a weak indicator of attack.
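As an added example (not WatchGuard's tooling and not Triskele Labs' own code), the following Python applies the log-based indicators above to sample lines: the CERT payload size threshold, the certificate count threshold, and traffic to or from the listed IPs. The log line format is an assumption, since the actual IKED and traffic log text is not on this page; the sample lines are constructed, and the IPs are the advisory's four indicators refanged for matching.

```python
import re
from ipaddress import ip_address

# Indicators from the advisory, defanged with "[.]" exactly as published.
THREAT_IPS_DEFANGED = ["45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82"]
THREAT_IPS = {ip_address(ip.replace("[.]", ".")) for ip in THREAT_IPS_DEFANGED}

CERT_PAYLOAD_LIMIT = 2000  # bytes: a larger IKE_AUTH CERT payload is a strong indicator
CERT_COUNT_LIMIT = 8       # certificates: more in one Auth payload is a medium indicator

# ASSUMED log shapes (not WatchGuard's real format). Adjust these patterns to the
# text your Firebox emits at the info (IKE_AUTH) and error (cert chain) levels.
RE_IKE_AUTH = re.compile(r"iked.*IKE_AUTH request.*peer=(?P<peer>\S+).*cert_payload_len=(?P<len>\d+)")
RE_CERT_CHAIN = re.compile(r"iked.*peer=(?P<peer>\S+).*certificate chain.*count=(?P<count>\d+)")
RE_TRAFFIC = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dir=(?P<dir>in|out)")

def assess_line(line):
    """Return (severity, reason) for one log line, or None if no indicator matches."""
    m = RE_IKE_AUTH.search(line)
    if m and int(m["len"]) > CERT_PAYLOAD_LIMIT:
        return ("strong", f"IKE_AUTH CERT payload {m['len']} bytes from {m['peer']}")
    m = RE_CERT_CHAIN.search(line)
    if m and int(m["count"]) > CERT_COUNT_LIMIT:
        return ("medium", f"{m['count']} certificates in Auth payload from {m['peer']}")
    m = RE_TRAFFIC.search(line)
    if m:
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
        except ValueError:  # malformed address in the log line; ignore it
            return None
        if m["dir"] == "out" and dst in THREAT_IPS:
            return ("strong", f"outbound connection to known threat IP {dst}")
        if m["dir"] == "in" and src in THREAT_IPS:
            return ("recon", f"inbound connection from known threat IP {src}")
    return None

def assess_events(lines):
    """Run every line through assess_line and keep the hits, in log order."""
    return [hit for hit in (assess_line(line) for line in lines) if hit]

# Constructed sample log (not real Firebox output); RFC 5737 addresses as peers.
SAMPLE_LOG = """\
2025-12-23 03:46:32 iked IKE_AUTH request received peer=203.0.113.7 cert_payload_len=512
2025-12-23 03:46:40 iked IKE_AUTH request received peer=198.51.100.9 cert_payload_len=4120
2025-12-23 03:46:41 iked peer=198.51.100.9 invalid peer certificate chain count=12
2025-12-23 03:47:02 fw allow src=10.0.0.5 dst=199.247.7.82 dir=out
2025-12-23 03:47:05 fw allow src=45.95.19.50 dst=10.0.0.1 dir=in
""".splitlines()

if __name__ == "__main__":
    for severity, reason in assess_events(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Pair the "strong" hits with the IKED hang and crash behaviours described above before escalating, since a crash alone is a weak indicator.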

Triskele Labs support

MDR customers: Triskele Labs is actively monitoring for behaviours consistent with exploitation of CVE-2025-14733 across supported log sources and IoCs.
