Perimeter Breach: Critical Zero-Day CVE-2025-14733 Exploited to Hijack WatchGuard Firewalls
WatchGuard has warned customers of a critical vulnerability in its Firebox firewalls that is already being actively exploited in real-world attacks. The flaw is a remote code execution vulnerability that allows attackers to seize control of a device without any authentication or user interaction. The company is strongly urging customers to install security updates as soon as possible.
The issue is tracked as CVE-2025-14733 and affects a broad range of Fireware OS versions. Impacted releases include the 11.x branch starting from 11.12.4 Update1, all 12.x versions up to and including 12.11.5, as well as the 2025.1 series through version 2025.1.3. The vulnerability stems from improper data handling that leads to an out-of-bounds memory write, effectively giving attackers a direct path to executing arbitrary code on unprotected devices.
Exploitation requires no complex conditions. According to WatchGuard, the attacks are low in complexity and do not require any action from administrators or users; simple network access to the vulnerable component is sufficient. Configuration details are particularly important: a Firebox device becomes vulnerable when it uses an IKEv2-based VPN. Even so, removing the problematic settings does not always fully eliminate the risk.
WatchGuard specifically notes that exposure may persist even after mobile IKEv2 VPNs or site-to-site tunnels with dynamic peers have been removed. If a branch office VPN using IKEv2 and a static gateway remains active, the device may still be compromised. These residual configurations, the company warns, can create a dangerous illusion of security.
WatchGuard has confirmed that it is observing active exploitation of CVE-2025-14733 in the wild. This indicates that the vulnerability is already part of attackers’ toolkits, and any delay in applying patches significantly increases the risk of a full network perimeter breach. For organizations unable to deploy updates immediately, WatchGuard has proposed temporary mitigation measures, including disabling site-to-site VPNs with dynamic peers, adding supplemental firewall rules, and deactivating default system policies that process VPN traffic.
The list of affected devices spans dozens of models. Within the Fireware OS 12.5.x branch, the T15 and T35 are vulnerable. In the 2025.1.x line, at-risk models include the T115-W, T125, T125-W, T145, T145-W, and T185. The most extensive impact is seen across Fireware OS 12.x, ranging from compact models such as the T20 and T25 to higher-end M-series devices, including the M270, M290, M370, M390, M470, M570, M590, M670, and M690, as well as large-scale platforms like the M440, M4600, M4800, M5600, and M5800. Virtual and cloud-based products are also affected, including Firebox Cloud, Firebox NV5, and FireboxV.
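The advisory's conditions, as summarised above, reduce to two questions an administrator can ask of an inventory: is the running Fireware OS inside one of the affected version ranges, and does the device still have any enabled IKEv2 VPN (mobile, dynamic-peer BOVPN, or the static-gateway BOVPN that the article says is easy to overlook)? The following script is an added example written for this page, not WatchGuard's own tooling; the version ranges and IKEv2 conditions come from the text above, while the version-string format, the `VpnTunnel` record layout and the sample inventory are assumptions constructed for illustration.

```python
"""Triage helper for CVE-2025-14733 exposure (added example, not vendor code).

Assumptions: Fireware versions are strings such as '12.11.5', '11.12.4 Update1'
or '2025.1.3'; a device's VPN configuration is a list of VpnTunnel records that
an administrator has exported by hand. Nothing here talks to a Firebox.
"""
import re
from dataclasses import dataclass

# Accepts 'MAJOR.MINOR', 'MAJOR.MINOR.PATCH' and an optional ' UpdateN' suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*Update\s*(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable (major, minor, patch, update) tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def version_affected(text):
    """True when the version lies in a range the article lists as affected.

    11.x from 11.12.4 Update1 onward; every 12.x up to and including 12.11.5;
    the 2025.1 series through 2025.1.3. The ceilings are applied literally, so
    a point release above a ceiling compares as unaffected; confirm such cases
    against WatchGuard's published fixed-version list rather than this table.
    """
    v = parse_version(text)
    if v[0] == 11:
        return v >= parse_version("11.12.4 Update1")
    if v[0] == 12:
        return v <= parse_version("12.11.5")
    if v[0] == 2025:
        return parse_version("2025.1") <= v <= parse_version("2025.1.3")
    return False  # branch not named in the advisory summary


@dataclass
class VpnTunnel:
    name: str
    kind: str          # 'mobile' (mobile user VPN) or 'bovpn' (branch office VPN)
    ike_version: int   # 1 or 2
    peer: str          # 'static' gateway or 'dynamic' peer
    enabled: bool = True


def ikev2_tunnels(tunnels):
    """Names of enabled tunnels that keep the IKEv2 code path reachable.

    The article is explicit that removing mobile IKEv2 VPNs and dynamic-peer
    tunnels is not enough while a static-gateway IKEv2 BOVPN stays active, so
    every enabled IKEv2 tunnel counts regardless of kind or peer type.
    """
    return [t.name for t in tunnels if t.enabled and t.ike_version == 2]


def triage(version, tunnels):
    """Combine both checks into one verdict for a single device."""
    affected = version_affected(version)
    exposed = ikev2_tunnels(tunnels)
    if not affected:
        status = "not_listed"   # version outside the ranges given above
    elif exposed:
        status = "exposed"      # vulnerable build with IKEv2 still reachable
    else:
        status = "patch"        # vulnerable build; no IKEv2 tunnel, still update
    return {"version": version, "version_affected": affected,
            "ikev2_tunnels": exposed, "status": status}


# Constructed sample inventory (hypothetical hostnames, versions and tunnels).
SAMPLE_INVENTORY = [
    ("branch-fw-01", "12.11.5", [VpnTunnel("hq-link", "bovpn", 2, "static")]),
    ("branch-fw-02", "12.11.6", [VpnTunnel("hq-link", "bovpn", 2, "static")]),
    ("branch-fw-03", "12.10.2", [VpnTunnel("hq-link", "bovpn", 1, "static"),
                                 VpnTunnel("staff", "mobile", 2, "dynamic", enabled=False)]),
    ("edge-fw-04", "11.12.4 Update1", [VpnTunnel("partner", "bovpn", 2, "dynamic")]),
]


def triage_inventory(inventory):
    """Run triage over (hostname, version, tunnels) rows; returns hostname -> verdict."""
    return {host: triage(ver, tunnels) for host, ver, tunnels in inventory}


if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict['version']:18} {verdict['status']:10} "
              f"IKEv2 tunnels: {verdict['ikev2_tunnels'] or '-'}")
```

Because `version_affected` applies the article's ceilings literally, it is a first-pass filter for prioritising patch work, not a substitute for the vendor's advisory; the useful output is the `exposed` set, which is where both the patch and WatchGuard's interim mitigations (disabling dynamic-peer site-to-site VPNs, supplemental firewall rules, deactivating the default VPN policies) apply first.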
In addition to releasing patches, WatchGuard has published indicators of compromise to help administrators determine whether their devices have already been targeted. If suspicious activity is detected, the company recommends immediately rotating all locally stored secrets on affected devices, including keys and passwords.
This incident fits into a troubling pattern of similar vulnerabilities. In September, WatchGuard addressed a nearly identical remote code execution flaw tracked as CVE-2025-9242. Within a month, researchers at Shadowserver identified more than 75,000 unpatched Firebox devices exposed to attack, primarily across North America and Europe. Several weeks later, the U.S. Cybersecurity and Infrastructure Security Agency classified the vulnerability as actively exploited and mandated urgent remediation across federal agencies.
A comparable situation occurred two years earlier, when CISA required U.S. government organizations to address another actively exploited WatchGuard vulnerability, CVE-2022-23176, affecting Firebox and XTM devices. History appears to be repeating itself, and the current case once again underscores how dangerous delays in patching perimeter security equipment can be.
Today, WatchGuard solutions protect the networks of more than 250,000 small and medium-sized businesses worldwide, supported by an ecosystem of over 17,000 service providers and resellers. This scale of deployment makes every such vulnerability especially critical: a single unpatched device can become an entry point into thousands of corporate networks.