WatchGuard has issued a critical security advisory warning that a severe vulnerability in the VPN component of its Fireware OS is being actively exploited. The flaw, tracked as CVE-2025-14733, carries a CVSS score of 9.3, reflecting both its impact and the urgency of patching. It is an out-of-bounds write in the iked process (the IKE daemon that negotiates VPN tunnels) and could allow a remote attacker to execute arbitrary code on affected appliances.
The vulnerability impacts several versions of Fireware OS, including 2025.1, 12.x, 12.5.x (T15 & T35 models), 12.3.1 (FIPS-certified release), and 11.x, which is now end-of-life. WatchGuard has released fixes for these versions, with the latest updates being 2025.1.4, 12.11.6, 12.5.15, 12.3.1Update4 (B728352), and 11.12.4Update1 respectively. It's crucial for users to apply these updates promptly to protect their systems.
What's concerning is that WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild. The attempts have been traced to specific IP addresses, including 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82. Notably, 199.247.7[.]82 has also been linked to exploitation of recently disclosed flaws in Fortinet's FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE-2025-59718 and CVE-2025-59719), which raises the question of whether the same, likely sophisticated, threat actor is behind both campaigns.
To help users determine whether their systems have been targeted or compromised, WatchGuard has shared several indicators of compromise (IoCs). These include log messages reporting an excessive number of certificates in an IKE2 Auth payload, abnormally large CERT payload sizes in IKE_AUTH requests, and VPN connections being interrupted because the iked process hangs. Whether an exploit attempt fails or succeeds, the IKED process crashes afterwards and generates a fault report on the Firebox, so such fault reports are themselves worth reviewing.
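As an added illustration (not WatchGuard's own tooling), the following Python script turns the IoCs above into simple detection logic run over log lines. The log format, field names, thresholds and IP addresses are constructed assumptions for this example; adapt the regular expressions and limits to what your Firebox actually emits and to your baseline of legitimate IKE_AUTH traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds are assumptions for this constructed example; tune them against
# your own baseline of legitimate IKE_AUTH exchanges before relying on them.
MAX_CERTS_PER_AUTH = 2
MAX_CERT_PAYLOAD_BYTES = 8192

# Constructed sample log in an assumed key=value style. The real Fireware
# log format may differ; only the IoC concepts (cert count, CERT payload
# size, iked hang/crash, fault report) come from the advisory.
SAMPLE_LOG = """\
2025-12-18T09:01:12 iked: IKE_AUTH from 203.0.113.7 cert_count=1 cert_payload_bytes=1420
2025-12-18T09:01:40 iked: IKE_AUTH from 198.51.100.23 cert_count=37 cert_payload_bytes=61220
2025-12-18T09:01:41 iked: IKE_AUTH from 198.51.100.23 cert_count=2 cert_payload_bytes=30000
2025-12-18T09:01:45 kernel: iked process hung, VPN tunnels interrupted
2025-12-18T09:01:46 system: fault report generated for process iked (crash)
"""

AUTH_RE = re.compile(
    r"iked: IKE_AUTH from (?P<src>\S+) cert_count=(?P<n>\d+) cert_payload_bytes=(?P<size>\d+)"
)
CRASH_RE = re.compile(r"\biked\b.*\b(hung|hang|crash|fault report)\b", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    reason: str
    src: Optional[str] = None   # source IP when the line carries one

def scan_log(text: str) -> List[Finding]:
    """Flag IKE_AUTH lines exceeding the thresholds and iked hang/crash events."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = AUTH_RE.search(line)
        if m:
            n, size = int(m["n"]), int(m["size"])
            if n > MAX_CERTS_PER_AUTH:
                findings.append(Finding(no, f"excessive certificates in IKE_AUTH ({n})", m["src"]))
            if size > MAX_CERT_PAYLOAD_BYTES:
                findings.append(Finding(no, f"oversized CERT payload ({size} bytes)", m["src"]))
        elif CRASH_RE.search(line):
            findings.append(Finding(no, "iked hang/crash or fault report"))
    return findings

def suspicious_sources(findings: List[Finding]) -> List[str]:
    """Distinct peer addresses that produced an oversized or cert-heavy IKE_AUTH."""
    return sorted({f.src for f in findings if f.src})

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}" + (f" from {f.src}" if f.src else ""))
```

A hit on the IKE_AUTH checks followed shortly by an iked hang or fault report on the same appliance is the pattern the advisory describes and should be escalated rather than treated as a routine VPN failure.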
This disclosure comes just over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical WatchGuard Fireware OS flaw (CVE-2025-9242) to its Known Exploited Vulnerabilities (KEV) catalog due to reports of active exploitation. It's currently unclear if these two sets of attacks are related, but users are strongly advised to apply the necessary updates to mitigate the threat.
For temporary mitigation, WatchGuard recommends that administrators disable dynamic peer BOVPNs, create an alias with static IP addresses of remote BOVPN peers, add new firewall policies to allow access from the alias, and disable the default built-in policies that handle VPN traffic. These steps should be taken immediately for devices with vulnerable Branch Office VPN (BOVPN) configurations.