
WatchGuard Patches Actively Exploited Critical Fireware OS Vulnerability


WatchGuard has released fixes to address a critical security flaw in Fireware OS, which the company confirmed attackers have already exploited in real-world attacks.

Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability manifests as an out-of-bounds write issue in the iked process. As a result, a remote unauthenticated attacker could execute arbitrary code on affected devices.

Affected VPN Configurations

“This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” the company said in a Thursday advisory.

“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”

The vulnerability impacts the following versions of Fireware OS:

  • 2025.1 – Fixed in 2025.1.4
  • 12.x – Fixed in 12.11.6
  • 12.5.x (T15 & T35 models) – Fixed in 12.5.15
  • 12.3.1 (FIPS-certified release) – Fixed in 12.3.1_Update4 (B728352)
  • 11.x (11.10.2 up to and including 11.12.4_Update1) – End-of-Life

Observed Exploitation in the Wild

Importantly, WatchGuard acknowledged that it has observed threat actors actively attempting to exploit this vulnerability in the wild. The company traced the attacks to the following IP addresses:

Interestingly, Arctic Wolf earlier this week flagged the IP address 199.247.7[.]82 as linked to the exploitation of two recently disclosed vulnerabilities affecting Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8).

In addition, the Seattle-based company shared multiple indicators of compromise (IoCs) that device owners can use to determine whether attackers have compromised their Firebox instances:

  • A log message stating “Received peer certificate chain is longer than 8. Reject this certificate chain” when the Firebox receives an IKEv2 IKE_AUTH payload containing more than eight certificates
  • An IKE_AUTH request log message showing an abnormally large CERT payload size (greater than 2000 bytes)
  • During a successful exploit, the iked process hangs and interrupts VPN connections
  • After a failed or successful exploit, the iked process crashes and generates a fault report on the Firebox
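The indicators above can be checked mechanically against exported Firebox logs. The following Python script is an added example, not code from WatchGuard or the original article: it scans log lines for the certificate-chain rejection message, for IKE_AUTH CERT payloads above the 2000-byte threshold, and for iked crash or fault-report entries. The log line layout, the `iked:` prefix and the sample lines embedded in `SAMPLE_LOGS` are constructed assumptions for illustration; adapt the regular expressions to the real syslog format your Firebox emits.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines. The timestamp/process/message layout is an
# assumption for this example and is not WatchGuard's documented log format.
SAMPLE_LOGS = """\
2025-12-18 10:01:02 iked: IKE_AUTH request from 203.0.113.10 CERT payload size 512 bytes
2025-12-18 10:01:05 iked: Received peer certificate chain is longer than 8. Reject this certificate chain
2025-12-18 10:01:05 iked: IKE_AUTH request from 198.51.100.7 CERT payload size 4096 bytes
2025-12-18 10:02:00 iked: process crashed, fault report generated
2025-12-18 10:03:00 sshd: accepted login from 192.0.2.1
"""

# Indicator 1: the exact rejection message quoted in the advisory.
CHAIN_REJECT_MSG = (
    "Received peer certificate chain is longer than 8. Reject this certificate chain"
)

# Indicator 2: IKE_AUTH request with an oversized CERT payload.
# The "from <ip>" and "CERT payload size N bytes" wording is assumed.
CERT_SIZE_RE = re.compile(
    r"IKE_AUTH request from (?P<peer>\S+) .*?CERT payload size (?P<size>\d+) bytes"
)
CERT_SIZE_THRESHOLD = 2000  # bytes, per the advisory

# Indicator 3: iked crash / fault report (message wording assumed).
IKED_CRASH_RE = re.compile(r"\biked: .*(crash|fault report)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    indicator: str   # which IoC matched
    detail: str      # peer address, payload size, or the raw line


def scan_logs(text: str) -> List[Finding]:
    """Return one Finding per matching indicator across all log lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if CHAIN_REJECT_MSG in line:
            findings.append(Finding(line_no, "long_cert_chain", line.strip()))

        m = CERT_SIZE_RE.search(line)
        if m and int(m.group("size")) > CERT_SIZE_THRESHOLD:
            findings.append(
                Finding(
                    line_no,
                    "oversized_cert_payload",
                    f"peer={m.group('peer')} size={m.group('size')}",
                )
            )

        if IKED_CRASH_RE.search(line):
            findings.append(Finding(line_no, "iked_crash", line.strip()))
    return findings


def suspicious_peers(findings: List[Finding]) -> List[str]:
    """Peer addresses seen sending oversized CERT payloads, for follow-up."""
    peers = []
    for f in findings:
        if f.indicator == "oversized_cert_payload":
            peer = f.detail.split()[0].split("=", 1)[1]
            if peer not in peers:
                peers.append(peer)
    return peers


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.indicator}: {f.detail}")
    print("peers to review:", suspicious_peers(scan_logs(SAMPLE_LOGS)))
```

A single match on any of these indicators is worth treating as an attempted exploit against the device rather than noise; the oversized-payload and chain-rejection entries in particular precede the crash in the sample above, which is the sequence the advisory describes.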

Broader Context and Recommended Action

The disclosure arrives a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical WatchGuard Fireware OS flaw (CVE-2025-9242, CVSS score: 9.3) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation.

At this time, researchers have not confirmed whether the two sets of attacks share any connection. Nevertheless, users should apply the latest updates as soon as possible to protect their environments.

As a temporary mitigation for devices with vulnerable Branch Office VPN (BOVPN) configurations, the company has urged administrators to disable dynamic peer BOVPNs, create an alias that includes the static IP addresses of remote BOVPN peers, add new firewall policies that allow access from the alias, and disable the default built-in policies that handle VPN traffic.

Source: TheHackerNews
