125,000 WatchGuard Firebox Devices Exposed to Critical Remote Code Execution Vulnerability
A significant cybersecurity threat has emerged, affecting approximately 125,000 WatchGuard Firebox firewall devices worldwide. The Shadowserver Foundation has identified these devices as vulnerable due to a critical flaw, designated as CVE-2025-14733, which allows unauthenticated remote attackers to execute arbitrary code on unpatched systems.
Understanding the Vulnerability
The root of this vulnerability lies in an out-of-bounds write flaw within the WatchGuard Fireware OS, specifically in the IKEv2 VPN key exchange process. This flaw has been assigned a CVSS score of 9.8, indicating its severity. Exploitation requires no user interaction and can be conducted over the network without authentication, making it a potent threat.
Details of CVE-2025-14733
– CVE ID: CVE-2025-14733
– Vulnerability Type: Out-of-Bounds Write
– CVSS Score: 9.8
– Affected Component: WatchGuard Fireware OS `iked` process
– Attack Vector: Network (Unauthenticated)
Scope of Exposure
The Shadowserver Foundation’s scans have revealed that these vulnerable devices are distributed globally, with significant concentrations in North America and Europe. This widespread exposure underscores the critical nature of the threat.
Affected Configurations
The vulnerability primarily affects devices configured with:
– Mobile User VPN using IKEv2
– Branch Office VPN using IKEv2 with dynamic gateway peers
A particularly concerning scenario is the zombie configuration, where devices remain vulnerable even after the deletion of the initial VPN settings if branch-office VPN tunnels to static-gateway peers are still active.
Impacted Fireware OS Versions
The following Fireware OS versions are affected:
– 2025.1 (≤ 2025.1.3): Vulnerable; upgrade to 2025.1.4
– 12.x (≤ 12.11.5): Vulnerable; upgrade to 12.11.6
– 12.5.x: Vulnerable; upgrade to 12.5.15
– 12.3.1 (FIPS): Vulnerable; update to 12.3.1 Update 4
– 11.x: End of Life; full upgrade required
Indicators of Compromise
WatchGuard has provided specific indicators to help organizations identify potential exploitation attempts:
– IP Addresses: Four IP addresses have been linked to active exploitation attempts.
– Log Anomalies: Unusual certificate chain anomalies and IKE_AUTH payloads exceeding 2,000 bytes.
Recommended Actions
Organizations utilizing WatchGuard Firebox devices should take immediate action:
1. Update Devices: Apply the latest patches to all Firebox devices to mitigate the vulnerability.
2. Monitor Logs: Regularly review firewall logs for unusual VPN activities and the specified indicators of compromise.
3. Credential Rotation: Change all locally stored credentials on potentially compromised appliances to prevent unauthorized access.
Given the active exploitation of this vulnerability, prompt action is essential to safeguard organizational networks and data.
