
WatchGuard: Patch exploited 9.3 flaw in Firebox firmware  


WatchGuard on Dec. 18 advised customers to patch an actively exploited remote code execution (RCE) flaw in its Firebox firewall appliances.

In its advisory, WatchGuard said the flaw — CVE-2025-14733, an out-of-bounds write bug in the WatchGuard Fireware OS IKEv2 process — may let a remote unauthenticated attacker execute arbitrary code.

The vendor said the critical CVSS 9.3 flaw affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.

Jason Soroko, senior fellow at Sectigo, said the persistence of CVE-2025-14733 highlighted a fundamental challenge in firmware security in which configuration remnants can leave an attack surface active despite administrative efforts to close it. Because this out-of-bounds write flaw resides within the IKEv2 processing logic, Soroko said it’s not enough to simply delete the VPN server entry from the dashboard.

Residual configurations tied to static gateway peers for branch office connections may still trigger the vulnerable code path, explained Soroko. This creates a dangerous "ghost" vulnerability where IT teams believe they have mitigated the risk through policy changes while the underlying service remains exposed to unauthenticated, low-complexity remote code execution.

“Technical teams must prioritize immediate firmware updates rather than relying on configuration workarounds,” said Soroko. “Administrators should conduct a thorough audit of all branch office VPN settings and static gateway assignments to ensure no legacy links remain. Moving forward, this incident serves as a clear reminder that patching remains the only definitive solution for critical flaws in core network appliances.”

T. Frank Downs, senior director of proactive services at BlueVoyant, added that any security team facing this vulnerability should approach it comprehensively even if it has already deleted its mobile VPN/IKEv2 configuration: it should immediately update all WatchGuard Firebox devices to the vendor's fixed software and plan to retire any 11.x (end-of-life) units.

Downs said while updates are under way, teams should limit VPN access on the firewall to known, trusted partners only and turn off any default rules that automatically allow VPN traffic. Even if they’ve removed mobile VPN settings, Downs said they may still be exposed if any site‑to‑site VPN tunnel remains — so verify and tighten those configurations.

“At the same time, watch for warning signs like unexpected firewall crashes, dropped VPN connections, or unusual traffic, and review connections to IP addresses WatchGuard flagged in its advisory,” Downs said. “If anything looks suspicious, teams should change all shared keys and admin passwords on the device and remove leftover settings that could keep the VPN service active unintentionally."
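The audit both Soroko and Downs describe (find every IKEv2 VPN remnant across a fleet and order the patch work by exposure) can be scripted once the configuration is inventoried. The following is an added example, not code from the article or from WatchGuard; the device dictionary layout, the device names and the version strings are constructed assumptions, not Fireware's export format.

```python
# Added example, not WatchGuard's code: the device dict layout is an assumption,
# not Fireware's export format; confirm real devices against the vendor advisory.
EOL_MAJOR = "11"  # article: 11.x units are end-of-life and should be retired


def assess_firebox(device: dict) -> dict:
    """Classify one device against the conditions the article reports.

    exposed: mobile user VPN with IKEv2, or a BOVPN IKEv2 gateway with a
             dynamic peer (the two configurations the vendor names).
    audit:   IKEv2 BOVPN gateways with static peers; per Soroko such remnants
             may still reach the IKEv2 code path, so list them for review.
    eol:     Fireware 11.x, which the article says should be retired.
    """
    reasons, audit = [], []
    if device.get("mobile_vpn", {}).get("ikev2_enabled"):
        reasons.append("mobile user VPN with IKEv2 is enabled")
    for gw in device.get("bovpn_gateways", []):
        if gw.get("protocol") != "IKEv2":
            continue
        if gw.get("peer_type") == "dynamic":
            reasons.append(f"BOVPN gateway {gw['name']}: IKEv2, dynamic peer")
        else:
            audit.append(f"BOVPN gateway {gw['name']}: IKEv2 static-peer remnant")
    eol = device.get("fireware_version", "").split(".")[0] == EOL_MAJOR
    return {"name": device["name"], "exposed": bool(reasons),
            "reasons": reasons, "audit": audit, "eol": eol}


def triage(inventory: list[dict]) -> list[dict]:
    """Order devices: exposed first, then EOL, then audit-only, then clear."""
    results = [assess_firebox(d) for d in inventory]
    return sorted(results, key=lambda r: (not r["exposed"], not r["eol"], not r["audit"]))


# Constructed sample inventory: fictional device names, versions and settings.
INVENTORY = [
    {"name": "hq-fw", "fireware_version": "12.10.1",
     "mobile_vpn": {"ikev2_enabled": True}, "bovpn_gateways": []},
    {"name": "branch-a", "fireware_version": "12.5.9", "mobile_vpn": {},
     "bovpn_gateways": [{"name": "to-hq", "protocol": "IKEv2", "peer_type": "dynamic"}]},
    {"name": "branch-b", "fireware_version": "12.5.9", "mobile_vpn": {},
     "bovpn_gateways": [{"name": "old-link", "protocol": "IKEv2", "peer_type": "static"}]},
    {"name": "legacy", "fireware_version": "11.12.4", "mobile_vpn": {},
     "bovpn_gateways": [{"name": "dc", "protocol": "IKEv1", "peer_type": "static"}]},
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(r)
```

The static-peer gateway on branch-b is deliberately not reported as clear: the article's point is that such leftovers are what keep the IKEv2 service reachable after the dashboard entry is gone.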
