CRITICAL (CVSS 9.3) – Active Exploitation Confirmed
WatchGuard has confirmed that a critical Remote Code Execution (RCE) vulnerability in its Firebox firewalls is being actively exploited in the wild. This flaw allows attackers to take full control of the device without needing any username or password.
1. The Vulnerability Explained
The vulnerability, tracked as CVE-2025-14733, is an “out-of-bounds write” flaw located in the IKEv2 (Internet Key Exchange version 2) VPN component of the Fireware operating system.
- The Flaw: The specific process responsible for handling VPN connections (iked) fails to properly validate incoming data packets.
- The Attack: An attacker sends a specially crafted, malicious IKEv2 packet (specifically an IKE_AUTH request with an abnormally large certificate payload) to the firewall.
- The Result: This overflows the system’s memory, allowing the attacker to execute their own malicious code with root privileges. This grants them unrestricted “shell” access to the firewall.
2. Why This is Dangerous
- No Authentication Required: The attacker does not need to know any credentials to break in. They only need to be able to reach the device’s VPN interface over the internet.
- Total Compromise: Once inside, attackers can steal stored passwords (including VPN credentials), decrypt and intercept sensitive traffic passing through the firewall, and use the device as a launchpad to attack the internal network.
- “Ghost” Risk: Even if you have deleted vulnerable VPN configurations, you may still be at risk if “residual” settings remain or if you still have static branch office VPNs active.
3. Affected Versions
This flaw affects WatchGuard Firebox appliances running the following Fireware OS versions:
- Fireware v12: Versions 12.0 up to 12.11.5
- Fireware v2025: Versions 2025.1 up to 2025.1.3
- Legacy v11: Versions 11.10.2 up to 11.12.4_Update1
4. Indicators of Compromise (IoC)
WatchGuard has released specific signs to look for in your logs that indicate an attack attempt:
- Log messages stating: “Received peer certificate chain is longer than 8.”
- IKE_AUTH requests with a CERT payload size greater than 2000 bytes.
- The iked process crashing or hanging unexpectedly.
- Traffic to/from known malicious IPs (e.g., 45.95.19.50, 51.15.17.89).
5. Immediate Action Required
A. Patch Immediately: Update your device to the fixed versions released on December 18, 2025:
- Fireware v12.11.6
- Fireware v2025.1.4
- Fireware v12.5.15 (for T15/T35 models)
B. Post-Compromise Check: Because this is being exploited in the wild, you should assume unpatched devices may already be compromised. WatchGuard recommends rotating all shared secrets and passwords stored on the device after patching.
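As an added defender-side example (not code from WatchGuard or this advisory), the script below maps the affected and fixed version ranges from sections 3 and 5 onto a Fireware version string and triages log lines for the indicators in section 4. Only the certificate-chain message and the two IP addresses come from the advisory; the sample log lines, the wording of the crash and payload-size messages, and the regexes are assumptions to adjust to your real Fireware log format.

```python
import re

# Indicators quoted from the advisory for CVE-2025-14733. The wording of the
# crash and payload-size lines is an ASSUMPTION; tune the regexes to your logs.
CERT_CHAIN_MSG = "Received peer certificate chain is longer than 8"
KNOWN_BAD_IPS = {"45.95.19.50", "51.15.17.89"}
CERT_SIZE_RE = re.compile(r"IKE_AUTH.*?CERT payload size[=: ]+(\d+)", re.I)
IKED_CRASH_RE = re.compile(r"\biked\b.*\b(crash|segfault|hung|exited|restart)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def triage_line(line: str) -> list[str]:
    """Return the CVE-2025-14733 indicators matched by one log line."""
    hits = []
    if CERT_CHAIN_MSG in line:
        hits.append("oversized-cert-chain")
    m = CERT_SIZE_RE.search(line)
    if m and int(m.group(1)) > 2000:
        hits.append("cert-payload-gt-2000")
    if IKED_CRASH_RE.search(line):
        hits.append("iked-crash")
    if KNOWN_BAD_IPS & set(IPV4_RE.findall(line)):
        hits.append("known-bad-ip")
    return hits

def parse_version(v: str) -> tuple:
    # "11.12.4_Update1" -> (11, 12, 4, 1); "12.11.6" -> (12, 11, 6)
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version: str, model: str = "") -> bool:
    """Apply the advisory's affected ranges and fixed builds to a version string."""
    v = parse_version(version)
    if v[0] == 11:    # 11.10.2 .. 11.12.4_Update1; no fixed 11.x build is listed
        return (11, 10, 2) <= v[:3] <= (11, 12, 4)
    if v[0] == 12:    # 12.0 .. 12.11.5, fixed in 12.11.6; T15/T35 get 12.5.15 instead
        if model.upper() in ("T15", "T35") and v[:2] == (12, 5):
            return v < (12, 5, 15)
        return v < (12, 11, 6)
    if v[0] == 2025:  # 2025.1 .. 2025.1.3, fixed in 2025.1.4
        return v < (2025, 1, 4)
    return False

# Constructed sample log lines (not real Fireware output)
SAMPLE_LOG = [
    "2025-12-19 03:14:07 iked: Received peer certificate chain is longer than 8 from 45.95.19.50",
    "2025-12-19 03:14:08 iked IKE_AUTH from 45.95.19.50: CERT payload size=4096",
    "2025-12-19 03:14:09 kernel: iked[1187] crashed, restarting",
    "2025-12-19 03:20:00 iked IKE_SA established with 203.0.113.7",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage_line(line) or "-", line)
    print("affected:", is_affected("12.11.5"), is_affected("12.5.15", "T35"))
```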