WatchGuard Fireware OS Under Targeted Attack


An out-of-bounds write vulnerability in the iked process of WatchGuard Fireware OS could allow a remote, unauthenticated attacker to execute arbitrary code on the appliance. The flaw is reachable through mobile user VPNs with IKEv2 and through branch office VPNs using IKEv2 with dynamic gateway peers. Removing those configurations does not by itself make a device safe: a Firebox may remain vulnerable if any branch office VPN to a static gateway peer is still configured. WatchGuard has observed active exploitation attempts of this vulnerability in the wild.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2025-14733
  • CVSS Score: 9.3
  • Description: The flaw exists in the iked (IKE daemon) component of Fireware OS, responsible for handling IKEv2 VPN negotiations. An Out-of-Bounds Write condition can occur when the iked process improperly handles malformed IKEv2 authentication payloads. Exploiting this issue can lead to remote code execution (RCE) or process crashes, disrupting VPN connectivity and potentially compromising the appliance.
  • Attack Vector: Network-based, no authentication required
  • Impact: Full remote code execution or DoS (via process hang/crash)

Affected Products & Versions

Product Branch          Product List
Fireware OS 12.5.x      T15, T35
Fireware OS 2025.1.x    T115-W, T125, T125-W, T145, T145-W, T185
Fireware OS 12.x        T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

Affected versions: Fireware OS 11.10.2 up to and including 11.12.4_Update1; 12.0 up to and including 12.11.5; and 2025.1 up to and including 2025.1.3.

The vulnerability affects both:

  • Mobile user VPNs with IKEv2, and
  • Branch office VPNs with dynamic gateway peers

Even systems that have since removed those configurations may remain vulnerable if any branch office VPN with a static gateway peer is still configured.

Indicators Of Attack (IOAs)

  1. Outbound connections to or inbound traffic from the following IPs are indicators of compromise:
    45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, 199.247.7[.]82
  2. Abnormal log messages:
    • “Received peer certificate chain is longer than 8” – medium-level indicator.
    • “IKE_AUTH request” message with CERT payload size >2000 bytes – strong indicator of attack.
  3. Process behavior:
    • iked process hangs (VPN negotiations freeze) – strong indicator.
    • iked process crashes – weaker but possible sign of exploitation.
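The indicators above can be triaged automatically. The following is an added example (not WatchGuard's or Ampcus Cyber's code) that scores Firebox syslog lines against the two log indicators and the IOC addresses, and separately applies a wire-side heuristic to raw IKE datagrams. The log line format, the sample lines and the sample datagrams are constructed for illustration; the exact Firebox syslog wording for the CERT payload size is an assumption, so adapt the regex to your appliances' output. The wire heuristic goes beyond the advisory: IKE_AUTH payloads, including CERT, travel inside the Encrypted (SK) payload, so a passive sensor cannot see CERT sizes and can only flag an IKE_AUTH request whose total IKE length exceeds the 2000-byte threshold.

```python
"""Triage helpers for the CVE-2025-14733 indicators (added example)."""
import ipaddress
import re
import struct

# Indicator IPs from the advisory, written defanged; refanged before matching.
IOC_IPS_DEFANGED = ["45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82"]

CHAIN_MSG = "Received peer certificate chain is longer than 8"
# ASSUMED log shape: "... IKE_AUTH request ... CERT payload size 2345 ..."
CERT_SIZE_RE = re.compile(r"IKE_AUTH request.*?CERT payload size[ =:]+(\d+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

IKE_HEADER_LEN = 28          # RFC 7296 section 3.1 fixed header
EXCH_IKE_AUTH = 35           # exchange type for IKE_AUTH
FLAG_RESPONSE = 0x20         # R bit in the Flags octet
CERT_SIZE_THRESHOLD = 2000   # strong-indicator threshold from the advisory


def refang(ip):
    """Turn a defanged address such as 45.95.19[.]50 into an ip_address."""
    return ipaddress.ip_address(ip.replace("[.]", ".").replace("(.)", "."))


IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}


def classify_log_line(line):
    """Return a list of (severity, reason) findings for one syslog line."""
    findings = []
    if CHAIN_MSG in line:
        findings.append(("medium", "peer certificate chain longer than 8"))
    m = CERT_SIZE_RE.search(line)
    if m and int(m.group(1)) > CERT_SIZE_THRESHOLD:
        findings.append(("strong", f"IKE_AUTH CERT payload {m.group(1)} bytes > {CERT_SIZE_THRESHOLD}"))
    for raw in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if ip in IOC_IPS:
            findings.append(("strong", f"traffic with IOC address {ip}"))
    return findings


def scan_log(lines):
    """Aggregate findings over a log; returns (worst_severity, [(line_no, sev, why)])."""
    rank = {"none": 0, "medium": 1, "strong": 2}
    worst, all_findings = "none", []
    for n, line in enumerate(lines, 1):
        for sev, why in classify_log_line(line):
            all_findings.append((n, sev, why))
            if rank[sev] > rank[worst]:
                worst = sev
    return worst, all_findings


def oversize_ike_auth_request(datagram):
    """Wire heuristic for an IKE datagram (UDP/500; strip the 4-byte non-ESP
    marker first for UDP/4500). CERT payloads are encrypted inside the SK
    payload, so only the header Length field is observable: flag an initiator
    IKE_AUTH request whose total length exceeds header + CERT threshold."""
    if len(datagram) < IKE_HEADER_LEN:
        return False
    # SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchType(1) Flags(1) MsgID(4) Length(4)
    _spi_i, _spi_r, _np, _ver, exch, flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", datagram[:IKE_HEADER_LEN])
    is_request = not (flags & FLAG_RESPONSE)
    return exch == EXCH_IKE_AUTH and is_request and length > CERT_SIZE_THRESHOLD + IKE_HEADER_LEN


def build_ike_datagram(exch, flags, length, msg_id=1):
    """Constructed test datagram: IKEv2 header (next payload 46 = SK) padded to `length`."""
    hdr = struct.pack("!QQBBBBII", 0x1111, 0x2222, 46, 0x20, exch, flags, msg_id, length)
    return hdr + b"\x00" * (length - IKE_HEADER_LEN)


# Constructed sample lines; not real Firebox output.
SAMPLE_LOG = [
    "2025-12-16 10:01:02 iked Received peer certificate chain is longer than 8",
    "2025-12-16 10:01:03 iked IKE_AUTH request from 45.95.19.50 CERT payload size 2468",
    "2025-12-16 10:05:44 iked IKE_AUTH request from 203.0.113.7 CERT payload size 1120",
]

if __name__ == "__main__":
    worst, findings = scan_log(SAMPLE_LOG)
    print("worst severity:", worst)
    for line_no, sev, why in findings:
        print(f"  line {line_no}: [{sev}] {why}")
    print("oversize IKE_AUTH request:",
          oversize_ike_auth_request(build_ike_datagram(EXCH_IKE_AUTH, 0x08, 2600)))
```

Run it against exported Firebox logs (one line per entry) to get a worst-case severity per device; any "strong" hit on a device running an affected version should be treated as a suspected compromise and handled per the recommendations below, including secret rotation. The wire check is a coarse filter for sensors in front of the Firebox: a large IKE_AUTH request is not proof of exploitation (long legitimate chains also produce them), but it identifies the sessions whose peer addresses deserve correlation with the device logs.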

Recommendations

  1. Upgrade Firebox appliances to the fixed Fireware OS versions listed in WatchGuard's advisory (WGSA-2025-00027, linked below).
  2. If compromise is suspected, rotate all local secrets (VPN pre-shared keys and certificates, admin credentials) following WatchGuard's best-practice guide.
  3. If immediate patching is not feasible, apply WatchGuard's guidance for Secure Access to Branch Office VPNs using IKEv2/IPSec as an interim control.
  4. Restrict inbound IKEv2 traffic to trusted IPs and disable dynamic gateway peers where they are not required. Note that a Firebox with a branch office VPN to a static gateway peer may still be vulnerable, so this reduces exposure but does not replace patching.
  5. Monitor for abnormal IKEv2 payload sizes and certificate chains (see the Indicators of Attack above).
  6. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/7d82eff4e04139d9c0ab97132d03639194db8f091293302b2ed56f43006143e7/iocs

Source:

  • https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027

Ampcus Cyber