Threat Actors Exploit Zero-Day in WatchGuard Firebox Devices

Summary

A critical zero-day (CVE-2025-14733) in WatchGuard Firebox firewalls is being actively exploited in the wild. The flaw is an out-of-bounds write in Fireware OS that can lead to remote code execution via the IKED (Internet Key Exchange Daemon) process. WatchGuard disclosed the issue following an internal investigation, issued patches on 18 December, and provided indicators of compromise and a temporary workaround for some configurations.

WatchGuard and CISA have flagged the vulnerability; CISA added it to its Known Exploited Vulnerabilities (KEV) catalogue. Shadowserver scans show roughly 125,000 potentially vulnerable Firebox devices worldwide, with over 35,000 in the US, underlining the scale of exposure.

Key Points

  • CVE-2025-14733 is a critical out-of-bounds write in Fireware OS allowing remote code execution via IKED.
  • Affected versions include Fireware OS 11.10.2 (and some updates), 12.0+, and 2025.1+ when certain IKEv2 VPN configurations exist or previously existed.
  • WatchGuard released a patch on 18 December and published IoCs (four IP addresses) and a temporary workaround for specific static gateway configurations.
  • CISA added the vulnerability to its KEV catalogue, confirming active exploitation by threat actors as part of a wider campaign against edge networking equipment.
  • Shadowserver reported ~125,000 potentially vulnerable Firebox IPs globally, highlighting a significant attack surface.
  • Signs of compromise include IKED process hangs and unusual outbound connections to the listed malicious IPs; existing VPN tunnels may continue to carry traffic despite an exploit attempt.
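The last point above, outbound connections from the network to the advisory's IoC addresses, can be turned into a simple log check. The script below is an added example, not code from WatchGuard or the article: the IoC list uses constructed placeholder addresses (the advisory's four real IPs are not reproduced here), the log line layout is a constructed one rather than Fireware's native syslog format, and the appliance's own egress address is assumed. A hit whose source is the appliance itself is rated higher, because a compromised edge device beacons out on its own behalf.

```python
import re
from ipaddress import ip_address

# Placeholder IoC list: the advisory names four IPs; these are constructed
# stand-ins from the TEST-NET documentation ranges, not the real indicators.
IOC_IPS = {"192.0.2.10", "198.51.100.23", "203.0.113.7", "203.0.113.99"}

# Address the appliance itself uses for outbound traffic (assumed value).
APPLIANCE_ADDR = "10.0.0.1"

# Constructed log layout (not Fireware's own format):
# <timestamp> <direction> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def scan_lines(lines, ioc_ips=IOC_IPS, appliance_addr=APPLIANCE_ADDR):
    """Return outbound flows whose destination is an IoC address.
    Source == appliance address rates 'high'; any other internal host 'medium'."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "out":
            continue  # unparsable or inbound: not what this check covers
        try:
            dst = str(ip_address(m["dst"]))  # normalises and validates the address
        except ValueError:
            continue  # skip malformed destinations rather than crash the scan
        if dst in ioc_ips:
            severity = "high" if m["src"] == appliance_addr else "medium"
            findings.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                             "dport": int(m["dport"]), "severity": severity})
    return findings

# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "2025-12-18T10:01:02Z out src=10.0.0.1 dst=203.0.113.7 dport=443",
    "2025-12-18T10:01:05Z in src=203.0.113.7 dst=10.0.0.1 dport=500",
    "2025-12-18T10:02:11Z out src=10.0.1.25 dst=198.51.100.23 dport=8080",
    "2025-12-18T10:03:00Z out src=10.0.1.26 dst=8.8.8.8 dport=53",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}")
```

Swap in the advisory's real IoC addresses and your appliance's egress address before running it against exported firewall or NetFlow logs.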

Context and Relevance

This incident follows a recent wave of zero-day attacks targeting edge devices from multiple vendors (for example SonicWall and Fortinet), showing attackers increasingly focus on exposed network infrastructure. For organisations running Firebox appliances, the combination of an actively exploited zero-day, inclusion in CISA’s KEV list, and large numbers of vulnerable devices scanned on the internet makes this a high-priority remediation item.

Network teams, SOCs and security ops should treat this as part of an industry-wide trend: edge devices are high-value targets because compromising them can yield persistent access, traffic interception and lateral movement opportunities.

Why should I read this?

Short version: patch now. If you manage Firebox kit (or any edge kit), this story tells you there’s a live exploit, a CISA KEV entry, and a big pool of vulnerable devices out there. We skimmed the technical bits and flagged the indicators and workaround so you can act fast and stop the headache.

Author’s take

Punchy and to the point: this is urgent. WatchGuard’s advisory and CISA listing mean you shouldn’t wait for scheduled maintenance windows—assess, patch, or apply the workaround immediately. If you run Firebox appliances, treat this as critical hygiene: confirm configs, check IKED behaviour, and scan for outbound connections to the IoCs WatchGuard published.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/threat-actors-zero-day-watchguard-firebox