NAVANEM
CVE-2025-14733 (exploited in the wild)

WatchGuard Firebox, IKEv2 out-of-bounds write pre-auth RCE

An out-of-bounds write vulnerability in WatchGuard Fireware OS may allow a remote, unauthenticated attacker to execute arbitrary code. The issue affects IKEv2 VPN configurations that use dynamic gateway peers, impacting Fireware OS versions 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3. Successful exploitation can lead to remote code execution on the Firebox appliance.

Overview

CVE-2025-14733 is a critical out-of-bounds write vulnerability in WatchGuard Fireware OS, the operating system powering WatchGuard Firebox firewalls. A remote, unauthenticated attacker may exploit it to execute arbitrary code on the appliance. The flaw affects IKEv2 VPN configurations that use dynamic gateway peers, covering both the mobile user VPN and branch office VPN scenarios. NVD published the record on December 18, 2025, and CISA added it to the Known Exploited Vulnerabilities catalog on December 19, 2025, after WatchGuard confirmed active exploitation. The Shadowserver Foundation observed roughly 125,000 internet-exposed Firebox devices.

Technical Details

The weakness is CWE-787 (out-of-bounds write). When a Firebox is configured for IKEv2 VPN with a dynamic gateway peer, specially crafted traffic to the IKEv2 service can trigger a memory write outside the bounds of the intended buffer, corrupting memory in a manner that an attacker can leverage for code execution. No authentication or user interaction is required. The NVD primary (NIST) assessment is CVSS 3.1 with a base score of 9.8 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; WatchGuard, as the CNA, assigned a CVSS 4.0 base score of 9.3.

Impact

  • Unauthenticated remote code execution on the Firebox firewall.
  • Full compromise of the network perimeter device and its policy enforcement.
  • Interception or manipulation of VPN traffic and credentials.
  • Use of the firewall as a launch point for deeper network intrusion.

Mitigation

  1. Upgrade Fireware OS to a fixed release outside the affected ranges, per WatchGuard's advisory (versions 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3 are vulnerable).
  2. As an interim measure, if IKEv2 with a dynamic gateway peer is not required, reconfigure the VPN to remove the dynamic gateway peer configuration following WatchGuard's guidance.
  3. Restrict exposure of the VPN service to the public internet where operationally feasible.
  4. After upgrading, review the appliance for indicators of compromise and rotate credentials.
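The two conditions above (an affected Fireware OS build, and IKEv2 configured with a dynamic gateway peer) are what decide whether a given Firebox needs emergency action or a scheduled patch. The following script is an added example, not WatchGuard's code or tooling: it checks version strings against the inclusive ranges stated in this advisory (11.10.2 through 12.11.5 and 2025.1 through 2025.1.3) and orders an inventory by urgency. The inventory records, hostnames and the boolean for "has a dynamic gateway peer" are constructed for the example; how you obtain that flag from your own configuration management is an assumption left to the reader.

```python
import re
from dataclasses import dataclass

# Inclusive affected ranges exactly as stated in the advisory.
AFFECTED_RANGES = (
    ((11, 10, 2), (12, 11, 5)),
    ((2025, 1), (2025, 1, 3)),
)

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'12.11.5' -> (12, 11, 5). Anything after the leading dotted number
    (build tags, trailing text) is ignored; non-numeric input raises ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable Fireware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(t, n):
    return t + (0,) * (n - len(t))


def is_affected(version):
    """True if the version falls inside one of the affected ranges (inclusive).
    Shorter versions compare as if zero-padded, so 2025.1 behaves like 2025.1.0."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        if _pad(lo, n) <= _pad(v, n) <= _pad(hi, n):
            return True
    return False


@dataclass
class Firebox:
    name: str
    version: str
    # Assumed inventory field: IKEv2 BOVPN or Mobile VPN with a dynamic gateway peer.
    ikev2_dynamic_peer: bool


# Lower number = act first.
PRIORITY = {
    0: "EXPLOITABLE: patch now, then check for compromise and rotate credentials",
    1: "affected build but no dynamic gateway peer: patch in the next window, add no dynamic peers until fixed",
    2: "outside the affected ranges: confirm against the vendor advisory",
}


def classify(box):
    if not is_affected(box.version):
        return 2
    return 0 if box.ikev2_dynamic_peer else 1


def triage(boxes):
    """Return [(name, version, priority, action)] sorted most urgent first."""
    rows = [(b.name, b.version, classify(b), PRIORITY[classify(b)]) for b in boxes]
    return sorted(rows, key=lambda r: (r[2], r[0]))


# Constructed inventory: hypothetical hostnames and version strings.
INVENTORY = [
    Firebox("fw-branch-02", "2025.1.3", ikev2_dynamic_peer=False),
    Firebox("fw-hq-01", "12.11.5", ikev2_dynamic_peer=True),
    Firebox("fw-lab", "11.10.1", ikev2_dynamic_peer=True),
    Firebox("fw-dc-01", "2025.1", ikev2_dynamic_peer=True),
]

if __name__ == "__main__":
    for name, ver, prio, action in triage(INVENTORY):
        print(f"[{prio}] {name:12} {ver:9} {action}")
```

A device outside the affected ranges is still reported (priority 2) rather than silently dropped, because the ranges here are copied from the advisory text and should be re-checked against the vendor's current release notes before a device is declared safe.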

Detection

Review Fireware logs for abnormal IKEv2 negotiation activity, service crashes, or unexpected restarts associated with the VPN subsystem. Identify whether any Firebox is configured for IKEv2 with dynamic gateway peers, as only those configurations are exploitable. Monitor for anomalous outbound connections from the appliance and for unexpected configuration changes. CISA added CVE-2025-14733 to the Known Exploited Vulnerabilities catalog on December 19, 2025, with a remediation due date of December 26, 2025.
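To make the log review above repeatable, the script below (an added example, not WatchGuard's code) scans syslog-style lines for two of the signals named in this section: crash or restart messages tied to the IKE/VPN subsystem, and sources that open many IKEv2 negotiations in a short window without ever completing one. The sample log, the daemon name `iked` and the message wording are constructed for the example and are assumptions; adjust the regular expressions to the exact strings your Fireware version writes to its log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a syslog-like layout (hypothetical wording, documentation IP ranges).
SAMPLE_LOG = """\
2025-12-19T10:00:01Z fw-hq iked: IKE_SA_INIT received from 203.0.113.7
2025-12-19T10:00:02Z fw-hq iked: IKE_SA_INIT received from 203.0.113.7
2025-12-19T10:00:02Z fw-hq iked: IKE_SA_INIT received from 203.0.113.7
2025-12-19T10:00:03Z fw-hq iked: IKE_SA_INIT received from 203.0.113.7
2025-12-19T10:00:03Z fw-hq iked: IKE_SA_INIT received from 203.0.113.7
2025-12-19T10:00:04Z fw-hq kernel: segfault in iked[1234], signal 11
2025-12-19T10:00:05Z fw-hq init: restarting iked
2025-12-19T10:05:00Z fw-hq iked: IKE_SA_INIT received from 198.51.100.20
2025-12-19T10:05:01Z fw-hq iked: IKE_SA established with 198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
VPN_RE = re.compile(r"\b(iked?|ikev2|vpn)\b", re.I)
CRASH_RE = re.compile(r"segfault|core dump|crash|exited unexpectedly|restart", re.I)
INIT_RE = re.compile(r"IKE_SA_INIT .*?from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ESTAB_RE = re.compile(r"IKE_SA established with (?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Split one log line into timestamp, host, process and message; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_crashes(records):
    """Records that look like a crash or restart of the IKE/VPN subsystem."""
    return [r for r in records
            if CRASH_RE.search(r["msg"]) and VPN_RE.search(r["proc"] + " " + r["msg"])]


def find_init_bursts(records, window_s=60, threshold=5):
    """Sources with at least `threshold` IKE_SA_INITs inside `window_s` seconds
    that never reach an established SA. Returns {ip: peak count in a window}."""
    inits = defaultdict(list)
    established = set()
    for r in records:
        m = INIT_RE.search(r["msg"])
        if m:
            inits[m["ip"]].append(r["ts"])
        m = ESTAB_RE.search(r["msg"])
        if m:
            established.add(m["ip"])
    suspects = {}
    for ip, times in inits.items():
        if ip in established:
            continue  # a peer that completed a negotiation is treated as legitimate here
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted timestamps
            while (times[i] - times[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            suspects[ip] = peak
    return suspects


def triage(log_text, window_s=60, threshold=5):
    """Run both checks over a log export and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "crashes": [f'{r["ts"].isoformat()} {r["proc"]}: {r["msg"]}' for r in find_crashes(records)],
        "suspect_sources": find_init_bursts(records, window_s, threshold),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

A crash of the IKE daemon that follows a burst of incomplete negotiations from one address is the combination worth escalating; either signal alone has benign explanations (a misconfigured peer retrying, a scheduled reboot), so the script reports them separately and leaves the correlation to the analyst.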
