A critical zero-day vulnerability has shattered the security perimeter of WatchGuard Firebox appliances, forcing network administrators into a race against time. Tracked as CVE-2025-14733, the flaw carries a blistering CVSS score of 9.3, allowing unauthenticated attackers to execute arbitrary code and seize control of corporate firewalls.
According to a new security advisory, “WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild”.
The vulnerability resides in the iked process—the daemon responsible for handling Internet Key Exchange (IKEv2) negotiations for VPNs. The flaw is described as an “Out-of-bounds Write,” a type of memory corruption error that attackers can trigger remotely.
“An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code”.
By sending specially crafted packets to the firewall's IKEv2 VPN interface, an attacker can crash the iked service or, worse, achieve code execution with system-level privileges on the appliance.
What makes this vulnerability particularly insidious is its persistence. It targets the Mobile User VPN and Branch Office VPN configurations using IKEv2. However, simply turning off the feature might not be enough.
The advisory warns of a “zombie” configuration scenario: “If the Firebox was previously configured with the mobile user VPN with IKEv2… and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured”.
This quirk means administrators who believe they have reduced their attack surface by removing dynamic VPNs may still be exposed if older static tunnels remain active.
WatchGuard has released specific Indicators of Attack (IoAs) to help defenders identify if they are already under fire.
Attackers are leaving fingerprints in the logs. A tell-tale sign of an attempted exploit involves an abnormally large certificate payload. Administrators should check their logs for the error message: “Received peer certificate chain is longer than 8. Reject this certificate chain”.
Additionally, the following IP addresses have been directly linked to the active exploitation campaign:
- 45.95.19[.]50
- 51.15.17[.]89
- 172.93.107[.]67
- 199.247.7[.]82
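The two indicators above (the rejected-certificate-chain message and the four source addresses) are simple to sweep for in exported firewall logs. The following is an added example written for this article, not a WatchGuard tool: it refangs the published addresses, scans each log line for the advisory's error string and for any of the listed IPs, and returns structured findings. The sample log lines are constructed for illustration and do not reproduce the real Fireware log layout, so only the substring match on the advisory message and the IP match should be relied on.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Indicator of Attack string quoted in the WatchGuard advisory.
IOA_MESSAGE = "Received peer certificate chain is longer than 8. Reject this certificate chain"

# Source addresses the advisory links to active exploitation, in the defanged form published.
ADVISORY_IPS_DEFANGED = [
    "45.95.19[.]50",
    "51.15.17[.]89",
    "172.93.107[.]67",
    "199.247.7[.]82",
]


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a plain address."""
    return ip.replace("[.]", ".")


ADVISORY_IPS = {ipaddress.ip_address(refang(ip)) for ip in ADVISORY_IPS_DEFANGED}

# Loose IPv4 matcher; candidates are validated with the ipaddress module below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    line_no: int
    reasons: list = field(default_factory=list)
    line: str = ""


def scan_log(lines):
    """Return one Finding per log line that carries an advisory indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = []
        if IOA_MESSAGE in line:
            reasons.append("ioa-long-cert-chain")
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched the regex but is not an address
            if addr in ADVISORY_IPS:
                reasons.append(f"advisory-ip:{addr}")
        if reasons:
            findings.append(Finding(n, reasons, line))
    return findings


# Constructed sample lines (hypothetical layout, not real Fireware output).
SAMPLE_LOG = """\
2025-12-17 10:01:02 iked: IKEv2 SA_INIT from 203.0.113.10 accepted
2025-12-17 10:01:05 iked: Received peer certificate chain is longer than 8. Reject this certificate chain (peer 45.95.19.50)
2025-12-17 10:01:09 iked: IKEv2 AUTH from 51.15.17.89 failed
2025-12-17 10:02:00 iked: Received peer certificate chain is longer than 8. Reject this certificate chain (peer 198.51.100.7)
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {', '.join(f.reasons)}")
```

A hit on the certificate-chain message from an address that is not on the advisory list (the last sample line) is still worth triaging: the list of IPs is a snapshot, while the oversized-chain rejection is the behaviour of the exploit attempt itself.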
The vulnerability affects a wide range of Fireware OS versions, including 12.x and 2025.1. WatchGuard has released patched versions (2025.1.4, 12.11.6, and 12.5.15) and is urging immediate upgrades.
However, patching the software is only step one. Because the flaw allows for total device compromise, a patched device might still harbor stolen secrets.
“In addition to installing the latest Fireware OS that contains the fix, administrators that have confirmed threat actor activity on their Firebox appliances must take precautions to rotate all locally stored secrets,” the advisory warns. This includes pre-shared keys, passwords, and authentication certificates that may have been scraped by attackers before the patch was applied.