Overview

  • CVE: CVE-2025-14733
  • Severity: Critical
  • Date: 23 Dec 2025

Summary

WatchGuard has released urgent updates to address a critical Out-of-bounds Write vulnerability (CVE-2025-14733) in the Fireware OS iked process. This flaw allows a remote unauthenticated attacker to execute arbitrary code. WatchGuard has confirmed that threat actors are actively attempting to exploit this vulnerability in the wild.

Affected Versions

  • Fireware OS 11.10.2 up to and including 11.12.4_Update
  • Fireware OS 12.0 up to and including 12.11.5
  • Fireware OS 2025.1 up to and including 2025.1.3

Vulnerability Breakdown

CVE-2025-14733

  • Severity: Critical
  • CVSS: 9.3
  • Description: An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code.
  • Impact: Remote code execution (RCE) allowing full system compromise.
  • Conditions: This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.

Mitigation

  • Upgrade to the resolved Fireware OS versions immediately:
    • 2025.1: Upgrade to 2025.1.4
    • 12.x: Upgrade to 12.11.6
    • 12.5.x (T15 & T35): Upgrade to 12.5.15
    • 12.3.1 (FIPS): Upgrade to 12.3.1_Update4
  • If immediate upgrade is not possible, follow WatchGuard’s recommendations for securing Branch Office VPNs.
  • This aligns with the Australian Cyber Security Centre (ACSC) Essential Eight ‘Patch Applications’ strategy.

Summary for IT Teams

  • Products: WatchGuard Firebox
  • Threat Level: Critical, CVSS 9.3
  • Action Required:
    • Apply the latest Fireware OS updates immediately.
      • If active exploitation is suspected, rotate all locally stored secrets.

Reference

Need Help?

If your organisation requires assistance identifying affected systems, enforcing browser updates or reviewing browser security policies, please contact our SOC team via soc@secure-iss.com.