
CVE-2025-14733: WatchGuard Firebox iked Out of Bounds Write Vulnerability Exploited in the Wild

WatchGuard released fixes for CVE-2025-14733, a critical out-of-bounds write vulnerability in the Internet Key Exchange daemon (iked) process used to establish VPN tunnels in Fireware OS.

On December 18, 2025, WatchGuard released fixes for CVE-2025-14733, a critical out-of-bounds write vulnerability in the Internet Key Exchange daemon (iked) process used to establish VPN tunnels in Fireware OS, which powers Firebox firewall appliances. Exploitation of this vulnerability allows a remote, unauthenticated threat actor to execute arbitrary code. WatchGuard has confirmed in-the-wild exploitation in their advisory.

This vulnerability affects mobile user VPN configurations that use IKEv2, as well as branch office VPNs using IKEv2 when configured with a dynamic gateway peer. Even configurations with static peers that previously used dynamic peers may be affected.

While Arctic Wolf is not aware of a publicly available proof-of-concept exploit at the time of writing, threat actors are likely to continue opportunistic exploitation. In September, a similarly severe WatchGuard out-of-bounds write vulnerability (CVE-2025-9242) was exploited shortly after public disclosure.

Recommendations for CVE-2025-14733

Upgrade Fireware OS to Fixed Version

Arctic Wolf strongly recommends that customers upgrade Fireware OS to the latest fixed version as soon as possible.

In addition to installing the latest Fireware OS that includes the fix, it is also recommended that all locally stored secrets on vulnerable Firebox appliances are rotated, as described in WatchGuard's advisory.

Rotation of secrets is a crucial step when a network appliance is confirmed to be vulnerable. Arctic Wolf has previously observed credential access campaigns in which VPN appliances were quietly compromised before patches were applied, with credentials harvested during that initial access. Those stolen secrets are sometimes reused months or even years after the underlying vulnerability has been patched. Because logging on edge devices can be limited, the initial compromise may not be detectable even when credential extraction has already occurred.

Product                  Affected Version                   Fixed Version
Firebox (Fireware OS)    2025.1                             2025.1.4
                         12.x                               12.11.6
                         12.5.x (T15 & T35 models)          12.5.15
                         12.3.1 (FIPS-certified release)    12.3.1_Update4 (B728352)
                         11.x                               End of Life

Note: A Firebox may still be vulnerable if a branch office VPN to a static gateway remains configured, even if mobile user VPNs with IKEv2 or branch office VPNs to dynamic gateways have been deleted.

Please follow your organization's patching and testing guidelines to minimize potential operational impact.

Workaround (Optional)

For users who are unable to immediately upgrade their Firebox, WatchGuard recommends following their published workaround guidance as a temporary measure. This workaround is only applicable when the Firebox is configured solely with branch office VPN tunnels to static gateway peers.
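As an added illustration (not part of the Arctic Wolf bulletin or any WatchGuard tooling), the following Python triage helper encodes the fixed-version table, the in-scope IKEv2 configurations and the workaround applicability rule above, then runs them over a constructed appliance inventory. The appliance names, version strings and configuration keys are assumptions made up for the example.

```python
import re

# Fix matrix from the advisory table (branch -> first fixed build); 11.x has no fix.
# 12.5.x is the T15/T35 branch; 12.3.1 is the FIPS release, fixed in 12.3.1_Update4 (B728352).
FIXED = {"2025.1": (2025, 1, 4, 0), "12": (12, 11, 6, 0), "12.5": (12, 5, 15, 0), "12.3.1": (12, 3, 1, 4)}

def parse_version(text):
    # '12.3.1_Update4 (B728352)' -> (12, 3, 1, 4); '12.11.5' -> (12, 11, 5, 0)
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def branch_of(v):
    # Order matters: 12.3.1 (FIPS) and 12.5.x must match before the generic 12.x rule.
    rules = (((11,), "11"), ((2025, 1), "2025.1"), ((12, 3, 1), "12.3.1"),
             ((12, 5), "12.5"), ((12,), "12"))
    return next((b for prefix, b in rules if v[:len(prefix)] == prefix), None)

def patch_status(version):
    v = parse_version(version)
    branch = branch_of(v)
    if branch in ("11", None):
        return "end_of_life" if branch == "11" else "unknown_branch"  # 11.x: replace the appliance
    return "patched" if v >= FIXED[branch] else "upgrade_required"

def triage(appliance):
    # Combine patch state with the IKEv2 configuration elements the advisory puts in scope.
    cfg, peers = appliance["config"], appliance["config"].get("bovpn_ikev2_peers", [])
    reasons = ["mobile user VPN using IKEv2"] if cfg.get("muvpn_ikev2") else []
    for p in peers:
        kind = "dynamic" if p["dynamic"] else "static (may still be affected, see note)"
        reasons.append(f"BOVPN IKEv2 to {kind} gateway peer {p['name']}")
    return {
        "name": appliance["name"],
        "patch": patch_status(appliance["version"]),
        "exposure": reasons,
        # The interim workaround only applies when IKEv2 use is solely static-peer BOVPNs.
        "workaround_applies": not cfg.get("muvpn_ikev2") and bool(peers) and all(not p["dynamic"] for p in peers),
        # Rotate locally stored secrets on every in-scope box: compromise may predate the patch.
        "rotate_secrets": bool(reasons),
    }

# Constructed inventory (hypothetical appliances and versions, not from the advisory).
INVENTORY = [
    {"name": "hq-fw", "version": "12.11.5",
     "config": {"muvpn_ikev2": True, "bovpn_ikev2_peers": [{"name": "branch-a", "dynamic": True}]}},
    {"name": "fips-fw", "version": "12.3.1_Update4 (B728352)", "config": {}},
]
REPORT = [triage(a) for a in INVENTORY]
```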
