Another Critical Zero-Day Vulnerability in WatchGuard Firebox Firewalls
Tuesday, December 30, 2025
What
A critical out-of-bounds write vulnerability (CVE-2025-14733) in the iked process of WatchGuard Firebox firewalls allows unauthenticated remote attackers to execute arbitrary code and take control of appliances. This flaw is actively exploited, making it a zero-day, and represents a significant risk given firewalls are prime targets.
Where
Affected systems include WatchGuard Firebox firewalls running Fireware OS versions 2025.1 to 2025.1.3, 12.0 to 12.11.5, and older 11.10.2 to 11.12.4_Update1. The exploitation is global, with previous unpatched devices observed worldwide, including 23,000 in the US.
When
The vulnerability was discovered and actively exploited by cybercriminals before WatchGuard released patches on December 18th.
Key Factors
- •The zero-day vulnerability, CVE-2025-14733, is an out-of-bounds write affecting the iked process in WatchGuard Fireware OS, enabling unauthenticated remote code execution (RCE) with a CVSS score of 9.3.
- •Active exploitation began before WatchGuard's December 18th patch release, with specific IP addresses and anomalous IKE_AUTH log messages identified as strong indicators of compromise.
- •This incident follows a similar Firebox zero-day (CVE-2025-9242) in September, highlighting a recurring pattern and the persistent issue of slow patching by some customers, as seen with 71,000 unpatched devices in October.
Takeaways
- →Immediately apply the latest Fireware OS patches (versions 2025.1.4, 12.11.6, 12.5.15, 12.3.1_Update4) and verify for compromise using provided indicators, rotating all locally stored secrets if exploitation is confirmed.
- →Prioritize patching of critical network infrastructure like firewalls, as delayed updates create persistent attack surfaces, making organizations vulnerable to even older, known CVEs.
Opens original article on Le Monde Informatique
