
December 19, 2025

WatchGuard reports active exploitation of critical Firebox RCE flaw


At a glance: WatchGuard warns of active exploitation of a critical Fireware OS vulnerability (CVE-2025-14733) affecting Firebox firewall appliances. The flaw enables unauthenticated attackers to gain shell access via exposed IKEv2 VPN services, potentially leading to credential theft and VPN traffic interception. Exploitation is confirmed in the wild.

Threat summary

On December 18, 2025, WatchGuard addressed a critical vulnerability affecting Firebox firewall appliances running the Fireware operating system (OS). The next day, WatchGuard updated its security advisory to confirm that the vulnerability is being actively exploited in the wild.

WatchGuard Firebox is a widely deployed firewall and VPN appliance used to secure perimeter networks, with Fireware OS providing VPN, intrusion prevention, and traffic filtering capabilities.

The flaw, tracked as CVE-2025-14733, resides in the Internet Key Exchange version 2 (IKEv2) VPN component. Specifically, it’s within the IKED process, a daemon that implements the IKEv2 protocol to establish and maintain secure Internet Protocol Security (IPSec) tunnels. Devices are vulnerable if configured with either mobile user VPN or branch office VPN using IKEv2 with a dynamic gateway peer. Notably, even if these configurations have been deleted, systems may remain exposed if a branch office VPN to a static gateway peer is still active.

Exploitation could allow threat actors to gain shell access, extract locally stored secrets including VPN credentials, and intercept or decrypt VPN traffic. This creates a risk of lateral movement, persistence, and data exfiltration. Exploitation is not technically complex, requiring only crafted IKEv2 packets sent over the network. The vulnerability has been assigned a CVSS score of 9.3.

WatchGuard recommends immediately installing the patched Fireware OS versions released on December 18, 2025. Organizations should also audit all Firebox appliances for residual IKEv2 dynamic gateway configurations and rotate locally stored secrets if compromise is suspected.
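The audit step above can be turned into a repeatable check. The following triage script is an added example (not WatchGuard's or Field Effect's code) that applies the advisory's exposure conditions to an appliance inventory: it assumes a constructed inventory format with a per-appliance `patched` flag that the operator sets from the WatchGuard advisory, and it encodes both the active dynamic-peer condition and the deleted-but-static-BOVPN-still-active condition described in the threat summary.

```python
"""Exposure triage for CVE-2025-14733 across a Firebox inventory (added example,
not WatchGuard's or Field Effect's code; the inventory records are constructed)."""
from dataclasses import dataclass, field

@dataclass
class VpnConfig:
    kind: str              # "muvpn" (Mobile User VPN) or "bovpn" (Branch Office VPN)
    ike_version: int       # 1 or 2
    peer: str              # "dynamic" or "static" gateway peer
    deleted: bool = False  # True if the tunnel was removed from the running config

@dataclass
class Firebox:
    name: str
    patched: bool          # True if running a Fireware OS release from 2025-12-18 or later
    vpns: list = field(default_factory=list)

def exposure_reasons(box: Firebox) -> list:
    """Return the advisory's exposure conditions that apply to one appliance."""
    if box.patched:
        return []
    ikev2_dynamic = [v for v in box.vpns if v.ike_version == 2 and v.peer == "dynamic"]
    reasons = [f"active {v.kind} IKEv2 with dynamic gateway peer"
               for v in ikev2_dynamic if not v.deleted]
    # Deleting the dynamic-peer tunnel is not sufficient: per the advisory the
    # device can stay exposed while a static-peer BOVPN is still active.
    static_bovpn_active = any(v.kind == "bovpn" and v.peer == "static" and not v.deleted
                              for v in box.vpns)
    if any(v.deleted for v in ikev2_dynamic) and static_bovpn_active:
        reasons.append("deleted IKEv2 dynamic-peer config, but a static-peer BOVPN is still active")
    return reasons

def triage(inventory: list) -> dict:
    """Map each exposed appliance name to its reasons; unexposed appliances are omitted."""
    return {b.name: r for b in inventory if (r := exposure_reasons(b))}

# Constructed inventory: appliance names and configurations are illustrative only.
SAMPLE_INVENTORY = [
    Firebox("fw-hq", patched=False, vpns=[VpnConfig("muvpn", 2, "dynamic")]),
    Firebox("fw-branch", patched=False, vpns=[VpnConfig("bovpn", 2, "dynamic", deleted=True),
                                               VpnConfig("bovpn", 2, "static")]),
    Firebox("fw-lab", patched=False, vpns=[VpnConfig("bovpn", 1, "static")]),
    Firebox("fw-dc", patched=True, vpns=[VpnConfig("muvpn", 2, "dynamic")]),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Appliances flagged by `triage` are the ones to patch first and to include in the secret-rotation and log review the advisory recommends.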

Insights & mitigations

Immediate patching remains the most effective remediation for CVE-2025-14733, alongside credential rotation and a thorough configuration review, to prevent full device compromise and potential network intrusion.

For environments unable to patch immediately, disabling IKEv2 VPN configurations can serve as a temporary mitigation. Branch Office VPN tunnels using static gateway peers can continue to operate securely when configured in accordance with WatchGuard’s IPSec/IKEv2 guidance. Organizations should also monitor for anomalous VPN activity and review logs for indicators of compromise published by WatchGuard.

Dynamic gateway peers are commonly used in WatchGuard Firebox deployments, particularly for Mobile User VPNs and Branch Office VPNs where the remote endpoint lacks a fixed IP address. While these configurations simplify VPN connectivity, they also expand the attack surface by allowing the firewall to accept negotiation attempts from any IP. As a result, these configurations make vulnerabilities such as CVE-2025-14733 particularly dangerous.

Field Effect MDR users would be alerted via ARO if Fireware OS instances vulnerable to CVE-2025-14733 were found. Field Effect MDR detects exploitation attempts, monitors VPN traffic for anomalies, and enables rapid response to contain a compromise, reducing the risk posed by actively exploited perimeter vulnerabilities.

The Field Effect security intelligence team integrates business context with curated intelligence feeds to deliver vulnerability analysis tailored to each client environment. Indicators of compromise associated with this campaign are applied swiftly to enhance behavioral detection and strengthen response capabilities.
