WatchGuard Firebox Under Active Attack: What We Know About CVE-2025-14733
In mid-December 2025, WatchGuard disclosed and patched a critical vulnerability impacting its Firebox appliances running Fireware OS. The issue, tracked as CVE-2025-14733 (CVSS 9.3), is an out-of-bounds write in the iked (IKE daemon) that can allow remote, unauthenticated code execution under specific VPN configurations. WatchGuard also confirmed it has observed active exploitation attempts in the wild.
WatchGuard published a PSIRT advisory (WGSA-2025-00027) warning that attackers are actively trying to exploit a flaw in Fireware OS’s IKE service. In practical terms: if a Firebox is vulnerable and exposed, the flaw could enable an attacker to run code on the firewall without needing valid credentials.
This vulnerability affects Fireboxes when IKEv2 VPN is used in certain setups:
Mobile User VPN with IKEv2, and/or
Branch Office VPN (BOVPN) using IKEv2, when configured with a dynamic gateway peer
Important detail from WatchGuard: even if those dynamic-peer configs were deleted, a device may still be vulnerable if a BOVPN to a static gateway peer remains configured.
WatchGuard’s advisory describes post-exploit behavior they’ve observed, including attempts to:
Encrypt and exfiltrate the active configuration file, or
Create a gzip archive of the active configuration and the local management user database and exfiltrate it (often back to the same origin IP as the attack).
They also published Indicators of Attack (IoAs) to help spot suspicious activity, including several IPs tied to known threat activity and specific IKE daemon log patterns.
WatchGuard released patched Fireware versions and urged immediate upgrades. The vendor’s guidance lists these as the upgrade targets:
Fireware 2025.1.4 or higher
Fireware 12.11.6 or higher
Fireware 12.5.15 or higher
Fireware 12.3.1 Update 4 or higher (notably for some FIPS-mode scenarios)
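Because the fix lives on four separate maintenance branches, "or higher" has to be read per branch: a device on 12.5.x is patched at 12.5.15, not at 12.11.6. The script below, an added example that is not WatchGuard's tooling, parses Fireware version strings (including the "Update N" form) and triages a constructed inventory against the thresholds listed above. The branch-to-threshold mapping is taken from the advisory list; the decision to treat the 12.x lines as separate major.minor branches and everything 2025.x or later as one branch is an assumption of this example, and any version on a branch the advisory does not list is reported as unknown rather than guessed.

```python
"""Triage Fireware OS versions against the CVE-2025-14733 fixed versions.

Added example, not WatchGuard's code. Thresholds come from the advisory's
upgrade list; the per-branch interpretation of "or higher" is an assumption.
"""
import re

# Fixed versions from the advisory, keyed by maintenance branch.
# The fourth element models "Update N" (0 when absent).
FIXED_BY_BRANCH = {
    (2025,): (2025, 1, 4, 0),   # Fireware 2025.1.4 or higher
    (12, 11): (12, 11, 6, 0),   # Fireware 12.11.6 or higher
    (12, 5): (12, 5, 15, 0),    # Fireware 12.5.15 or higher
    (12, 3): (12, 3, 1, 4),     # Fireware 12.3.1 Update 4 or higher
}

_VERSION_RE = re.compile(
    r"^\s*(?:Fireware\s+)?(\d+)\.(\d+)\.(\d+)(?:\s+Update\s+(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn 'Fireware 12.3.1 Update 4' or '12.11.6' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string.

    Assumption: year-numbered releases (2025.x and later) form one branch;
    12.x releases are compared within their own major.minor branch only.
    """
    v = parse_version(text)
    branch = (2025,) if v[0] >= 2025 else (v[0], v[1])
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Not one of the four branches in the advisory: do not guess.
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "Fireware 12.11.5",
    "fw-edge-02": "12.11.6",
    "fw-branch-03": "12.5.14",
    "fw-fips-04": "Fireware 12.3.1 Update 3",
    "fw-fips-05": "12.3.1 Update 4",
    "fw-new-06": "2025.1.3",
    "fw-new-07": "2025.1.4",
    "fw-legacy-08": "12.10.4",
}


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by patch status so the vulnerable set can be acted on first."""
    out: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown-branch": []}
    for host, version in inventory.items():
        out[assess(version)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A "patched" result only says the code-level fix is present; whether a given Firebox was ever exposed still depends on the IKEv2 Mobile User VPN and BOVPN configuration described in the advisory, so a device reported as vulnerable here should be upgraded and its iked logs reviewed against WatchGuard's published indicators regardless of current VPN settings.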
CISA also added CVE-2025-14733 to the Known Exploited Vulnerabilities (KEV) catalog, which is a strong “this is being used in real attacks” signal. (CISA’s federal patch deadline for this one was Dec 26, 2025, which has now passed.)