Critical WatchGuard Fireware OS Vulnerability Under Active Exploitation
WatchGuard has recently addressed a critical security flaw in its Fireware OS, identified as CVE-2025-14733, which has been actively exploited in real-world attacks. This vulnerability, with a CVSS score of 9.3, is an out-of-bounds write issue affecting the ‘iked’ process. It allows remote, unauthenticated attackers to execute arbitrary code on affected devices.
The flaw impacts both mobile user VPNs utilizing IKEv2 and branch office VPNs configured with a dynamic gateway peer. Even if these configurations have been deleted, devices may remain vulnerable if a branch office VPN to a static gateway peer is still active.
Affected Fireware OS Versions:
– 2025.1: Fixed in 2025.1.4
– 12.x: Fixed in 12.11.6
– 12.5.x (T15 & T35 models): Fixed in 12.5.15
– 12.3.1 (FIPS-certified release): Fixed in 12.3.1_Update4 (B728352)
– 11.x (11.10.2 up to and including 11.12.4_Update1): End-of-Life
WatchGuard has observed active exploitation attempts originating from the following IP addresses:
– 45.95.19[.]50
– 51.15.17[.]89
– 172.93.107[.]67
– 199.247.7[.]82
Notably, the IP address 199.247.7[.]82 has also been linked to recent exploitation of vulnerabilities in Fortinet products, suggesting a potentially coordinated attack campaign.
Indicators of Compromise (IoCs):
– Log message “Received peer certificate chain is longer than 8. Reject this certificate chain”, emitted when the Firebox receives an IKEv2 Auth payload with more than 8 certificates.
– IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes).
– During a successful exploit, the ‘iked’ process hangs, interrupting VPN connections.
– After a failed or successful exploit, the ‘iked’ process crashes and generates a fault report on the Firebox.
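To turn these indicators into a repeatable log check, here is an added Python example (not WatchGuard's code and not part of the advisory). The chain-rejection message and the 2000-byte threshold come from the advisory; the log line layouts, the CERT-size regex and the crash wording are assumptions, so adjust them to your actual Firebox log export.

```python
import re
from dataclasses import dataclass

# Indicator strings from the advisory. The IKE_AUTH size pattern is an
# assumption: the advisory gives the threshold (2000 bytes) but not the
# exact log layout, so adapt the regex to the real Firebox log format.
CHAIN_REJECT_MSG = "Received peer certificate chain is longer than 8"
CERT_PAYLOAD_RE = re.compile(r"IKE_AUTH.*?CERT.*?(\d+)\s*bytes", re.IGNORECASE)
CERT_PAYLOAD_THRESHOLD = 2000
# Crash/hang wording is assumed; word boundaries avoid matching "exchange".
IKED_FAULT_RE = re.compile(r"\biked\b.*(fault report|crashed|\bhangs?\b)", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    indicator: str
    line: str


def scan(lines):
    """Return a Hit for every log line matching one of the advisory's IoCs."""
    hits = []
    for n, line in enumerate(lines, 1):
        if CHAIN_REJECT_MSG in line:
            hits.append(Hit(n, "cert_chain_gt_8", line))
            continue
        m = CERT_PAYLOAD_RE.search(line)
        if m and int(m.group(1)) > CERT_PAYLOAD_THRESHOLD:
            hits.append(Hit(n, "ike_auth_large_cert", line))
            continue
        if IKED_FAULT_RE.search(line):
            hits.append(Hit(n, "iked_fault", line))
    return hits


# Constructed sample lines (not real Firebox output); layouts are illustrative.
SAMPLE_LOG = """\
[ts] iked: IKE_AUTH request from 203.0.113.7: CERT payload size 412 bytes
[ts] iked: Received peer certificate chain is longer than 8. Reject this certificate chain
[ts] iked: IKE_AUTH request from 203.0.113.7: CERT payload size 6144 bytes
[ts] kernel: process iked crashed, fault report generated
[ts] iked: IKE_SA established with peer 198.51.100.2
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator}: {h.line}")
```

A hit on the first two indicators points at the IKE_AUTH traffic that precedes the exploit, while an iked fault report on its own may also be a benign crash, so correlate it with the source IP and timing.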
This disclosure follows a recent alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added another critical WatchGuard Fireware OS flaw (CVE-2025-9242) to its Known Exploited Vulnerabilities catalog due to active exploitation reports.
To mitigate the risk, users are strongly advised to apply the latest updates promptly. For devices with vulnerable Branch Office VPN configurations, WatchGuard recommends:
– Disabling dynamic peer BOVPNs.
– Creating an alias that includes the static IP addresses of remote BOVPN peers.
– Adding new firewall policies that allow access from the alias.
– Disabling the default built-in policies that handle VPN traffic.
By implementing these measures, organizations can enhance their security posture and protect their networks from potential exploitation.