CVE-2025-14733
published 2025-12-19


Priority: P1 (100)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2025-12-26
Exploited in the wild
EPSS: 18.05% (96.8th percentile)
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.

Affected

7 ranges
Vendor      Product       Version range               Fixed in
watchguard  fireware      >= 11.10.2 < 12.5.15        12.5.15
watchguard  fireware      >= 11.10.2 < 12.11.6        12.11.6
watchguard  fireware      >= 2025.1 < 2025.1.4        2025.1.4
watchguard  fireware_os   11.10.2 – 11.12.4+541730
watchguard  fireware_os   12.0 – 12.11.5
watchguard  fireware_os   12.5 – 12.5.14
watchguard  fireware_os   2025.1 – 2025.1.3

Detection & IOCs (extracted from sources)

process: iked
  • CVE-2025-14733 is actively exploited in the wild against WatchGuard Firebox devices running Fireware OS 11.x, 12.x, and 2025.1 via IKEv2 VPN (Mobile User VPN with IKEv2 or Branch Office VPN with dynamic gateway peer); monitor IKEv2 traffic to Firebox appliances for anomalous unauthenticated RCE attempts.
  • WatchGuard has published indicators of compromise (IoCs) for CVE-2025-14733; customers should consult the WatchGuard advisory and rotate all locally stored secrets on any Firebox appliance showing signs of compromise.
  • As a temporary workaround where patching is not immediately possible, disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic to reduce attack surface.
  • Vulnerability is only exploitable via IKEv2 VPN (Mobile User VPN with IKEv2 or Branch Office VPN with dynamic gateway peer); devices not configured for IKEv2 are not directly vulnerable via the primary attack vector.
  • Affected Fireware OS versions span a wide range: 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3 — ensure version checks cover all three branches.
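A version check that covers all three branches, as an added example (not WatchGuard's or the advisory's code). It uses only the ranges and fixed-in versions listed in this record, treats 12.5.x as its own maintenance branch fixed in 12.5.15, and assumes a trailing `_UpdateN` sorts after the bare version while `+build` metadata can be dropped.

```python
"""Version-range check for CVE-2025-14733 (WatchGuard Fireware OS).

Added example. Ranges come from the record above: 11.10.2 .. 11.12.4_Update1
and 12.0 .. 12.11.5 (fixed in 12.11.6; 12.5.x is its own branch, fixed in
12.5.15) and 2025.1 .. 2025.1.3 (fixed in 2025.1.4).
"""
import re
from typing import Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '12.11.5', '2025.1', '11.12.4_Update1' or '11.12.4+541730' into a
    comparable (major, minor, patch, update) tuple.

    Assumption: '_UpdateN' is a fourth component so 11.12.4_Update1 sorts
    after 11.12.4; anything after '+' is build metadata and is ignored.
    """
    text = text.strip().split("+", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


# 12.5.x is a separate maintenance branch with its own fix release.
BRANCH_12_5_FIX = parse_version("12.5.15")

# Half-open [first affected, first fixed) ranges for the other branches.
AFFECTED_RANGES = [
    (parse_version("11.10.2"), parse_version("12.11.6")),  # 11.x and 12.x
    (parse_version("2025.1"), parse_version("2025.1.4")),  # 2025.1 branch
]


def is_affected(version: str) -> bool:
    """True if this Fireware OS version lies in an affected range."""
    v = parse_version(version)
    if v[:2] == (12, 5):
        return v < BRANCH_12_5_FIX
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory, one "name version" pair per appliance.
    inventory = ["fw-edge-01 12.11.5", "fw-edge-02 12.11.6",
                 "fw-branch 11.12.4_Update1", "fw-dc 12.5.15", "fw-lab 2025.1.3"]
    for line in inventory:
        name, ver = line.split()
        print(f"{name:12} {ver:18} {'AFFECTED' if is_affected(ver) else 'ok'}")
```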

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
vulncheck           9.3    CRITICAL
cisa                9.3    CRITICAL