Particle.news

CISA Flags Actively Exploited WatchGuard Firebox RCE as Patches and IoCs Roll Out

CISA has added the flaw to its exploited-vulnerabilities catalog, setting a December 26 federal patch deadline.

Overview

  • WatchGuard confirmed active in‑the‑wild attacks on CVE-2025-14733, an out-of-bounds write in the Fireware OS iked process that allows unauthenticated remote code execution via IKEv2 VPN.
  • The vendor released fixes across branches, including 2025.1.4 for 2025.1, 12.11.6 for 12.x, and 12.5.15 for 12.5.x T15/T35, with Fireware 11.x noted as end‑of‑life.
  • Indicators of compromise include specific attacker IPs (such as 45.95.19.50, 51.15.17.89, 172.93.107.67, 199.247.7.82), oversized IKEv2 CERT payloads, certificate-chain errors, and iked hangs or crashes, with guidance to rotate local secrets if compromise is suspected.
  • The flaw affects IKEv2 mobile user VPN and branch office VPN with dynamic gateway peers. Deleting those configurations is not enough on its own: a device can remain exposed if a branch office VPN to a static peer is still configured. WatchGuard provided a temporary BOVPN-focused workaround for those unable to patch immediately.
  • CISA’s KEV listing formalizes exploitation risk and requires U.S. federal agencies to remediate by December 26, following a recent pattern of rapidly weaponized WatchGuard firewall bugs such as CVE-2025-9242.
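The two checks a defender would want from the summary above are a version triage against the fixed releases and a scan of IKE/iked logs for the published indicators. The script below is an added example written for this page; it is not code from Particle.news, WatchGuard or CISA. The fixed versions and the four attacker IPs come from the bullets above; the log line format, the field names, the 4096-byte "oversized CERT payload" threshold and the mapping of every non-12.5 release in the 12.x line onto the 12.11.6 fix are assumptions made for illustration and must be confirmed against the vendor advisory.

```python
"""Triage helpers for the CVE-2025-14733 summary (added example, not vendor code)."""
import re

# Fixed releases per branch, as listed in the summary. Mapping all 12.x releases
# other than 12.5.x onto 12.11.6 is an assumption drawn from "12.11.6 for 12.x".
FIXED = {
    "2025.1": (2025, 1, 4),
    "12.5": (12, 5, 15),    # T15/T35 appliances only, per the summary
    "12.x": (12, 11, 6),
}

# Attacker IPs named in the summary; other IoCs would come from the advisory.
ATTACKER_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CERT_RE = re.compile(r"CERT payload (\d+) bytes")      # constructed log field
OVERSIZED_CERT_BYTES = 4096                            # illustrative threshold

# Keyword heuristics for the non-IP indicators: iked hangs/crashes and
# certificate-chain errors during IKEv2 negotiation.
PATTERNS = {
    "iked-crash": re.compile(r"\biked\b.*\b(crash|hang|restart|segfault)", re.I),
    "cert-chain-error": re.compile(r"certificate[- ]chain.*(error|fail|invalid)", re.I),
}


def parse_version(text):
    """Turn '12.11.6' into (12, 11, 6); '12.11' pads to (12, 11, 0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Fireware version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def branch_of(v):
    """Map a parsed version onto a FIXED key, 'eol' for 11.x, or None if unknown."""
    if v[:2] == (2025, 1):
        return "2025.1"
    if v[0] == 12:
        return "12.5" if v[1] == 5 else "12.x"
    if v[0] == 11:
        return "eol"        # Fireware 11.x is end-of-life: no fix will ship
    return None


def version_status(text):
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown' for a version."""
    v = parse_version(text)
    branch = branch_of(v)
    if branch is None:
        return "unknown"
    if branch == "eol":
        return "end-of-life"
    return "patched" if v >= FIXED[branch] else "vulnerable"


def scan_log(lines):
    """Return (line_number, reason) pairs for lines matching a published indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ATTACKER_IPS:
                hits.append((n, f"attacker-ip:{ip}"))
        for name, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((n, name))
        m = CERT_RE.search(line)
        if m and int(m.group(1)) > OVERSIZED_CERT_BYTES:
            hits.append((n, "oversized-cert-payload"))
    return hits


# Constructed sample log lines in a generic syslog-like shape (not Fireware's format).
SAMPLE_LOG = [
    "2025-12-16 03:14:07 iked ike2 SA_INIT from 45.95.19.50 to 203.0.113.10",
    "2025-12-16 03:14:08 iked ike2 IKE_AUTH from 45.95.19.50 CERT payload 65535 bytes",
    "2025-12-16 03:14:08 iked certificate-chain validation error for peer 45.95.19.50",
    "2025-12-16 03:14:09 kernel iked process crashed, restarting",
    "2025-12-16 03:20:11 iked ike2 SA_INIT from 198.51.100.7 to 203.0.113.10",
]

if __name__ == "__main__":
    for ver in ("12.11.5", "12.11.6", "12.5.15", "2025.1.3", "11.12.4"):
        print(f"{ver:10} {version_status(ver)}")
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

A status of "unknown" means the version did not fall into a branch named in the summary and needs a manual check against the advisory rather than a pass. The keyword patterns are deliberately loose; treat any hit as a trigger to pull full iked logs and, per the summary, rotate local secrets if compromise is suspected.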