U.S. CISA adds a flaw in WatchGuard Fireware OS to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini December 20, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a WatchGuard Fireware OS flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a WatchGuard Fireware OS vulnerability, tracked as CVE-2025-14733 (CVSS Score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

This flaw is a critical out-of-bounds write vulnerability in WatchGuard Fireware OS that can be exploited remotely and without authentication.

When IKEv2 VPN services (Mobile User VPN or Branch Office VPN) are configured with a dynamic gateway peer, specially crafted network traffic can trigger improper memory handling. As a result, an attacker can write data outside the intended memory bounds, potentially leading to arbitrary code execution on the affected device.

The vulnerability impacts multiple Fireware OS branches, including versions 11.10.2–11.12.4_Update1, 12.0–12.11.5, and 2025.1–2025.1.3, putting exposed VPN gateways at high risk of full compromise.

“An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” reads the advisory published by WatchGuard.

“If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”

WatchGuard has released detailed Indicators of Attack (IoAs) and mitigation guidance to help customers detect and reduce the risk of exploitation of this vulnerability.

WatchGuard identified several signals that may indicate exploitation attempts or compromise on vulnerable Firebox appliances:

  • Suspicious IP addresses: Outbound connections to known malicious IPs (e.g., 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, 199.247.7[.]82) are strong indicators of compromise. Inbound traffic from these IPs may indicate scanning or exploit attempts.
  • Log anomalies:
    • Errors indicating an invalid or unusually long peer certificate chain (more than 8 certificates) in IKEv2 authentication are a medium-confidence attack indicator.
    • IKE_AUTH requests with abnormally large CERT payloads (over 2000 bytes) are considered a strong indicator of exploitation attempts.
  • Abnormal device behavior:
    • An IKED process hang, disrupting VPN negotiations and re-keying, is a strong sign of a successful exploit.
    • An IKED process crash and fault report may also occur, though this is a weaker indicator as crashes can have other causes.
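The indicators above are simple enough to hunt for mechanically. The script below is an added example, not WatchGuard's own tooling: it reads exported log lines, applies each published indicator (the four advisory IPs, a peer chain longer than 8 certificates, an IKE_AUTH CERT payload over 2000 bytes, an iked hang or crash) and tags each hit with the confidence level the advisory assigns. The log line layout, the `src=`/`dst=`/`dir=` fields, the wording of the iked messages and the sample lines themselves are all constructed for this example; real Firebox exports differ, so the regular expressions are the part to adapt.

```python
"""Hunt for the WatchGuard-published IKEv2 indicators in exported Firebox logs.

Added example, not WatchGuard's tooling. The log line shape (timestamp, host,
process, then free text or key=value fields) is an assumption made for this
example; adapt the regular expressions to the export format you actually have.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


def refang(ioc: str) -> str:
    """Turn the defanged '1.2.3[.]4' form used in advisories back into a real address."""
    return ioc.replace("[.]", ".")


# IPs from the WatchGuard advisory, kept in the defanged form they were published in.
ADVISORY_IPS = {ipaddress.ip_address(refang(ip)) for ip in
                ("45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82")}
MAX_CHAIN_LEN = 8        # advisory: a peer chain longer than 8 certificates is suspicious
MAX_CERT_PAYLOAD = 2000  # advisory: an IKE_AUTH CERT payload over 2000 bytes is a strong indicator


@dataclass
class Finding:
    confidence: str   # "strong", "medium" or "weak", following the advisory's own grading
    indicator: str
    line: str


# Assumed field layouts; these match the constructed sample lines below, not a real export.
CONN_RE = re.compile(r"\bsrc=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dir=(?P<dir>in|out)\b")
CERT_RE = re.compile(r"IKE_AUTH\b.*?CERT payload (?P<n>\d+) bytes", re.I)
CHAIN_RE = re.compile(r"peer certificate chain\b.*?(?P<n>\d+) certificates", re.I)
IKED_HANG_RE = re.compile(r"\biked\b.*\b(hang|not responding|watchdog)\b", re.I)
IKED_CRASH_RE = re.compile(r"\biked\b.*\b(crash|fault report|segfault)\b", re.I)


def check_connection(line: str) -> Optional[Finding]:
    m = CONN_RE.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if m["dir"] == "out" and dst in ADVISORY_IPS:
        return Finding("strong", f"outbound connection to advisory IP {dst}", line)
    if m["dir"] == "in" and src in ADVISORY_IPS:
        # The advisory calls inbound hits a possible scan or exploit attempt without
        # grading them; "medium" is this example's own choice.
        return Finding("medium", f"inbound traffic from advisory IP {src}", line)
    return None


def check_cert_payload(line: str) -> Optional[Finding]:
    m = CERT_RE.search(line)
    if m and int(m["n"]) > MAX_CERT_PAYLOAD:
        return Finding("strong", f"IKE_AUTH CERT payload of {m['n']} bytes", line)
    return None


def check_chain_length(line: str) -> Optional[Finding]:
    m = CHAIN_RE.search(line)
    if m and int(m["n"]) > MAX_CHAIN_LEN:
        return Finding("medium", f"peer certificate chain of {m['n']} certificates", line)
    return None


def check_iked_state(line: str) -> Optional[Finding]:
    if IKED_HANG_RE.search(line):
        return Finding("strong", "iked process hang", line)
    if IKED_CRASH_RE.search(line):
        return Finding("weak", "iked crash / fault report", line)
    return None


CHECKS = (check_connection, check_cert_payload, check_chain_length, check_iked_state)


def scan_line(line: str) -> Optional[Finding]:
    """Return the first matching indicator for one log line, or None if it is clean."""
    for check in CHECKS:
        finding = check(line)
        if finding:
            return finding
    return None


def scan_logs(lines) -> List[Finding]:
    return [f for f in map(scan_line, lines) if f]


def summarize(findings) -> dict:
    """Count findings per confidence level so triage can start with the strong ones."""
    return dict(Counter(f.confidence for f in findings))


# Constructed sample lines; every address other than the advisory IPs is a documentation range.
SAMPLE_LOGS = [
    "2025-12-19T10:01:02 fw1 iked: IKE_AUTH from 203.0.113.7 CERT payload 612 bytes",
    "2025-12-19T10:01:03 fw1 iked: IKE_AUTH from 198.51.100.9 CERT payload 4096 bytes",
    "2025-12-19T10:01:04 fw1 iked: invalid peer certificate chain: 12 certificates (limit exceeded)",
    "2025-12-19T10:01:05 fw1 firewall: src=10.0.0.5 dst=199.247.7.82 dir=out proto=tcp dport=443",
    "2025-12-19T10:01:06 fw1 firewall: src=45.95.19.50 dst=203.0.113.1 dir=in proto=udp dport=500",
    "2025-12-19T10:01:07 fw1 firewall: src=10.0.0.6 dst=192.0.2.10 dir=out proto=tcp dport=443",
    "2025-12-19T10:02:00 fw1 kernel: iked process hang detected, VPN negotiations stalled",
    "2025-12-19T10:03:00 fw1 kernel: iked crash, fault report written",
]

if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for f in hits:
        print(f"[{f.confidence:6}] {f.indicator}: {f.line}")
    print(summarize(hits))
```

Running it over the constructed sample yields six findings: three strong (the oversized CERT payload, the outbound connection to an advisory IP and the iked hang), two medium (the 12-certificate chain and the inbound hit from an advisory IP) and one weak (the iked crash). Anything rated strong is the trigger for the secret rotation the advisory asks for; the weak crash indicator on its own only justifies a closer look at the fault report.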

Administrators who detect suspicious activity are advised to rotate all locally stored secrets on affected Firebox devices after updating.

If immediate patching is not possible, and the Firebox is only using Branch Office VPNs with static gateway peers, the vendor recommends temporarily following its best practices for securing IPSec/IKEv2 Branch Office VPNs. This workaround reduces exposure but does not replace the need to install the official fix as soon as possible.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by December 26, 2025.

The HackerNews noted that the IP address “199.247.7[.]82” that is listed in the advisory was also flagged by cybersecurity firm Arctic Wolf earlier this week as linked to the exploitation of two recently disclosed flaws in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8).

In November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another WatchGuard Firebox flaw, tracked as CVE-2025-9242, to the KEV catalog.

In mid-October, researchers revealed details of the critical vulnerability CVE-2025-9242 (CVSS score of 9.3) in WatchGuard Fireware. An unauthenticated attacker can exploit the flaw to execute arbitrary code. The vulnerability is an out-of-bounds write issue that affects Fireware OS versions 11.10.2–11.12.4_Update1, 12.0–12.11.3, and 2025.1.

“An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer,” reads the advisory. “This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.”

The vendor states that a WatchGuard Fireware OS iked process flaw allows remote unauthenticated attackers to execute arbitrary code via an out-of-bounds write vulnerability. The vulnerability impacts Firebox devices using IKEv2 for mobile user or branch office VPNs with dynamic gateways. The company pointed out that even if those VPNs were deleted, devices remain at risk if a branch office VPN to a static gateway is still configured.

According to watchTowr researchers, the flaw lets unauthenticated attackers execute arbitrary code on a perimeter appliance through the IKEv2 VPN service, an Internet-exposed entry point, so the bug is reachable before any authentication takes place.

This vulnerability ticks all the boxes ransomware actors crave: remote code execution on a perimeter device, exposure via a public-facing VPN service, and pre-auth exploitability, making it a high-priority target for exploitation and urgent to patch.
