CVE-2025-14733
Published 2025-12-19
CVE-2025-14733: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability…
Priority P1 · 100 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability · due 2025-12-26
Exploited in the wild
EPSS: 18.05% (96.8th percentile)
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | fireware | >= 11.10.2 < 12.5.15 | 12.5.15 |
| watchguard | fireware | >= 11.10.2 < 12.11.6 | 12.11.6 |
| watchguard | fireware | >= 2025.1 < 2025.1.4 | 2025.1.4 |
| watchguard | fireware_os | 11.10.2 – 11.12.4+541730 | — |
| watchguard | fireware_os | 12.0 – 12.11.5 | — |
| watchguard | fireware_os | 12.5 – 12.5.14 | — |
| watchguard | fireware_os | 2025.1 – 2025.1.3 | — |
Detection & IOCs (extracted from sources)
- CVE-2025-14733 is actively exploited in the wild against WatchGuard Firebox devices running Fireware OS 11.x, 12.x, and 2025.1 via IKEv2 VPN (Mobile User VPN with IKEv2 or Branch Office VPN with dynamic gateway peer); monitor IKEv2 traffic to Firebox appliances for anomalous unauthenticated RCE attempts.
- WatchGuard has published indicators of compromise (IoCs) for CVE-2025-14733; customers should consult the WatchGuard advisory and rotate all locally stored secrets on any Firebox appliance showing signs of compromise.
- As a temporary workaround where patching is not immediately possible, disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic to reduce attack surface.
- The vulnerability is only exploitable via IKEv2 VPN (Mobile User VPN with IKEv2 or Branch Office VPN with dynamic gateway peer); devices not configured for IKEv2 are not directly vulnerable via the primary attack vector.
- Affected Fireware OS versions span a wide range: 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3. Ensure version checks cover all three branches.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |
CISA
WatchGuard Firebox Out of Bounds Write Vulnerability
cisa·2025-12-19·CVSS 9.3
CVE-2025-14733 [CRITICAL] CWE-787 WatchGuard Firebox Out of Bounds Write Vulnerability
Vulnerability: WatchGuard Firebox Out of Bounds Write Vulnerability
Affected: WatchGuard Firebox
WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: Check for signs of potential compromise on all internet accessible instances after applying mitigations. For more information please see: https://www.watchguard.com/wgrd-psirt/advisory
GHSA
GHSA-hv82-jj64-jf47: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code
ghsa_unreviewed·2025-12-19
CVE-2025-14733 [CRITICAL] CWE-787 GHSA-hv82-jj64-jf47: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.
VulnCheck
WatchGuard Firebox Out of Bounds Write Vulnerability
vulncheck·2025·CVSS 9.3
CVE-2025-14733 [CRITICAL] CWE-787 WatchGuard Firebox Out of Bounds Write Vulnerability
WatchGuard Firebox Out of Bounds Write Vulnerability
WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
Affected: WatchGuard Firebox
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://arcticwolf.com/resources/blog/cve-2025-14733/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.watchguard.com/wgrd-psirt/ad
No detection rules found.
No public exploits indexed.
Wiz
Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
blogs_wiz·2026-01-22·CVSS 8.7
CVE-2025-55182 [HIGH] Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
## 🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) “Flight” protocol, impacting React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations, meaning standard production deployments can be exploited with a single crafted HTTP request and no developer misconfiguration, with exploitation demonstrating near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multipl
Checkpoint
22nd December – Threat Intelligence Report
blogs_checkpoint·2025-12-22
CVE-2025-37164 22nd December – Threat Intelligence Report
## 22nd December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Adult content platform PornHub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, and download histories, locations, and associated video details collected prior to 2021. Pornhub stated
Bleepingcomputer
Critical RCE flaw impacts over 115,000 WatchGuard firewalls
blogs_bleepingcomputer·2025-12-22·CVSS 9.3
CVE-2025-14733 [CRITICAL] Critical RCE flaw impacts over 115,000 WatchGuard firewalls
## Critical RCE flaw impacts over 115,000 WatchGuard firewalls
## Sergiu Gatlan
Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks.
The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction.
As WatchGuard explained in a Thursday advisory, when it released CVE-2025-14733 security updates and tagged it as exploited in the wild, unpatched Fireb
Bleepingcomputer
New critical WatchGuard Firebox firewall flaw exploited in attacks
blogs_bleepingcomputer·2025-12-19·CVSS 9.3
CVE-2025-14733 [CRITICAL] New critical WatchGuard Firebox firewall flaw exploited in attacks
## New critical WatchGuard Firebox firewall flaw exploited in attacks
## Sergiu Gatlan
WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls.
Tracked as CVE-2025-14733, this security flaw affects firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely on unpatched devices, following successful exploitation in low-complexity attacks that don't require user interaction.
While unpatched Firebox firewalls are only vulnerable to attacks if configured to use IKEv2 VPN, WatchGuard no
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future·CVSS 7.8
CVE-2025-55182 [HIGH] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
# December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
Wiz
CVE-2025-14733 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-14733 [CRITICAL] CVE-2025-14733 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14733: WatchGuard Firebox vulnerability analysis and mitigation
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.
Source: NVD
Score 9.3
Published December 19, 2025
Severity CRITICAL
CNA Score 9.3
High-profile Vulnerability Yes
Affected Technologies
WatchGuard Firebox
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation P
Wiz
CVE-2026-3343 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-3343 [CRITICAL] CVE-2026-3343 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3343: WatchGuard Firebox vulnerability analysis and mitigation
A reflected cross-site scripting (XSS) vulnerability in the Fireware OS Web UI enabled execution of malicious JavaScript in the context of an authenticated management user's browser when they click on a specially crafted link.
This vulnerability affects Fireware OS 12.7 up to and including 12.11.7 and 2025.1 up to and including 2026.1.1.
Source: NVD
Score 5.1
Published March 3, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
WatchGuard Firebox
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:o:watchguard:fireware
S
Wiz
CVE-2026-3344 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-3344 [CRITICAL] CVE-2026-3344 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3344: WatchGuard Firebox vulnerability analysis and mitigation
A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS filesystem integrity check and maintain limited persistence via a maliciously-crafted firmware update package. This issue affects Fireware OS 12.0 up to and including 12.11.7, 12.5.9 up to and including 12.5.16, and 2025.1 up to and including 2026.1.1.
Source: NVD
Score 6.9
Published March 3, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
WatchGuard Firebox
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:o:watchguard:fireware
Wiz
CVE-2026-3342 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-3342 [CRITICAL] CVE-2026-3342 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3342: WatchGuard Firebox vulnerability analysis and mitigation
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow an authenticated privileged administrator to execute arbitrary code with root permissions via an exposed management interface.
This vulnerability affects Fireware OS 11.9 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.7 and 2025.1 up to and including 2026.1.1.
Source: NVD
Score 8.6
Published March 3, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
WatchGuard Firebox
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:o:watchguar
Published: 2025-12-19
Added to CISA KEV: 2025-12-19
Exploited in the wild