WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

WatchGuard has issued an urgent security advisory after confirming active exploitation of a critical vulnerability in its Fireware OS. The flaw sits in the VPN functionality and has already been abused in real-world attacks, prompting an immediate patching recommendation for all affected customers.

The vulnerability, tracked as CVE-2025-14733, carries a CVSS score of 9.3 and is classified as an out-of-bounds write in the iked process, the daemon that handles IKE key exchange for the Firebox's VPN tunnels. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable devices. According to WatchGuard, the issue affects both Mobile User VPN and Branch Office VPN configurations that use IKEv2, particularly when dynamic gateway peers are configured.

Removing the vulnerable VPN configuration is not by itself sufficient. WatchGuard noted that a Firebox can remain exploitable if a Branch Office VPN to a static gateway peer is still configured, even after the dynamic gateway peer settings were deleted, so administrators should not treat an earlier clean-up of dynamic peers as proof that a device is out of scope.

The affected Fireware OS versions and their corresponding fixes are: 2025.1, patched in 2025.1.4; 12.x, fixed in 12.11.6; 12.5.x for the T15 and T35 models, fixed in 12.5.15; and the 12.3.1 FIPS-certified release, fixed in 12.3.1 Update4 (build B728352). Older 11.x releases, from 11.10.2 through 11.12.4 Update1, are also affected but have reached end of life and will not receive a security update, so devices on those versions must be upgraded to a supported branch.

WatchGuard confirmed that it has detected threat actors actively attempting to exploit this flaw in the wild. The attacks have been linked to several IP addresses, including 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82. Notably, 199.247.7[.]82 was also recently highlighted by Arctic Wolf as being associated with exploitation attempts targeting Fortinet products.

Earlier this week, Arctic Wolf connected the same IP to attacks abusing two critical Fortinet vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. This overlap suggests the possibility of shared infrastructure or coordinated exploitation activity, although no definitive link has been confirmed.

To help customers assess potential compromise, WatchGuard shared several indicators of compromise: log messages indicating that a received peer certificate chain exceeds eight certificates, abnormal IKE_AUTH requests whose CERT payloads are larger than 2,000 bytes, VPN disruptions caused by the iked process hanging, and crashes of the iked service that generate fault reports on the Firebox. The first two can be checked directly in Firebox logs; the latter two are symptoms that warrant a closer look at the preceding IKE traffic rather than proof of exploitation on their own.
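As an added example (not code from WatchGuard or from the original article), the following Python script shows how the four indicators above, plus the published attacker IP addresses, can be turned into a simple triage pass over exported Firebox log lines. The exact wording of the log messages is an assumption: the sample lines are constructed to resemble iked diagnostics, and the regular expressions would need to be adjusted to the real message text on a given Fireware release.

```python
import re

# Source IPs WatchGuard's advisory associated with exploitation attempts.
# They appear defanged in the advisory; they are stored plain here so they
# match the raw addresses that appear in log text.
ADVISORY_IOC_IPS = {
    "45.95.19.50",
    "51.15.17.89",
    "172.93.107.67",
    "199.247.7.82",
}

# Thresholds quoted in the advisory's indicators of compromise.
MAX_CHAIN_LEN = 8        # more than eight certificates in a peer chain
MAX_CERT_PAYLOAD = 2000  # IKE_AUTH CERT payload larger than 2000 bytes

# Constructed sample log lines. The message format is an assumption for this
# example, not quoted from Fireware; 203.0.113.7 is documentation space.
SAMPLE_LOGS = [
    "2025-12-18 10:01:22 fw iked msg: received peer certificate chain with 12 certificates exceeds limit of 8, peer 45.95.19.50",
    "2025-12-18 10:01:23 fw iked msg: IKE_AUTH request from 45.95.19.50 contains CERT payload of 4096 bytes",
    "2025-12-18 10:01:30 fw iked msg: received peer certificate chain with 2 certificates, peer 203.0.113.7",
    "2025-12-18 10:01:31 fw iked msg: IKE_AUTH request from 203.0.113.7 contains CERT payload of 1200 bytes",
    "2025-12-18 10:02:05 fw sysd msg: process iked not responding, VPN tunnels down",
    "2025-12-18 10:02:40 fw sysd msg: iked crashed, fault report written",
]

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
CHAIN_RE = re.compile(r"certificate chain with (?P<n>\d+) certificates", re.I)
CERT_PAYLOAD_RE = re.compile(r"CERT payload of (?P<size>\d+) bytes", re.I)
PEER_RE = re.compile(r"(?:peer|from) " + IPV4)
# Word boundaries so that e.g. "exchange" does not match "hang".
IKED_HANG_RE = re.compile(r"iked.*(?:not responding|\bhangs?\b|\bhung\b)", re.I)
IKED_CRASH_RE = re.compile(r"iked.*(?:\bcrash(?:ed)?\b|fault report)", re.I)


def peer_ip(line):
    """Extract the remote peer IP from a line, or None if none is present."""
    m = PEER_RE.search(line)
    return m.group("ip") if m else None


def defang(ip):
    """Render an IP in the advisory's defanged form for safe reporting."""
    return ip.replace(".", "[.]", 3).replace("[.]", ".", 2)


def classify(line):
    """Return the advisory indicators that a single log line matches."""
    hits = []
    m = CHAIN_RE.search(line)
    if m and int(m.group("n")) > MAX_CHAIN_LEN:
        hits.append("cert_chain_over_8")
    m = CERT_PAYLOAD_RE.search(line)
    if m and int(m.group("size")) > MAX_CERT_PAYLOAD:
        hits.append("cert_payload_over_2000")
    if IKED_HANG_RE.search(line):
        hits.append("iked_hang")
    if IKED_CRASH_RE.search(line):
        hits.append("iked_crash")
    if peer_ip(line) in ADVISORY_IOC_IPS:
        hits.append("known_ioc_ip")
    return hits


def scan_logs(lines):
    """Return (line_number, peer_ip, indicators) for every matching line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((n, peer_ip(line), hits))
    return findings


if __name__ == "__main__":
    for n, ip, hits in scan_logs(SAMPLE_LOGS):
        who = defang(ip) if ip else "-"
        print(f"line {n}: peer={who} indicators={','.join(hits)}")
```

Run it against an exported log file with `scan_logs(open(path).read().splitlines())`. A line that only trips the iked hang or crash rule is a lead, not a verdict; the oversized certificate chain and CERT payload rules, especially when the peer is one of the advisory's addresses, are the stronger signals and should prompt pulling the fault report and full IKE logs for that window.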

The disclosure follows another recent WatchGuard incident in which the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-9242, another critical Fireware OS vulnerability, to its Known Exploited Vulnerabilities catalog due to confirmed active exploitation. At this stage, it remains unclear whether the two attack campaigns are related.

WatchGuard strongly advises all users to apply the latest security updates without delay. As a temporary mitigation for vulnerable Branch Office VPN setups, administrators are encouraged to disable dynamic-peer BOVPNs, create aliases containing the static IP addresses of the remote peers, add explicit firewall policies that permit VPN traffic only from those aliases, and disable the default built-in VPN handling policies until patching is complete. Because the flaw is reachable by an unauthenticated attacker before any IKE authentication completes, restricting which sources can reach iked at all is the point of the workaround.
