WatchGuard has released a fix that addresses a critical security flaw in Fireware OS that was allegedly exploited in a real-world attack.
The vulnerability is tracked as CVE-2025-14733 (CVSS score: 9.3) and is described as a case of an out-of-bounds write impacting the iked process, potentially allowing a remote unauthenticated attacker to execute arbitrary code.
“This vulnerability affects both mobile user VPNs that use IKEv2 and branch office VPNs that use IKEv2 that are configured with dynamic gateway peers,” the company said in Thursday’s advisory.
“If a Firebox was previously configured with Mobile User VPN with IKEv2 or Branch Office VPN with IKEv2 to dynamic gateway peers, and those configurations are both subsequently removed, the Firebox may still be vulnerable if it is still configured with Branch Office VPN to static gateway peers.”
This vulnerability affects the following versions of Fireware OS:
2025.1 – 2025.1.4 Fixed in 12.x – 12.11.6 Fixed in 12.5.x (T15 and T35 models) – 12.5.15 Fixed in 12.3.1 (FIPS certified release) – 12.3.1_Update4 (B728352) 11.x (11.10.2 Fixed below) 11.12.4_Update1) – End of support
WatchGuard acknowledged that it has observed attackers actively attempting to exploit this vulnerability by launching attacks from the following IP addresses:
What is interesting is the IP address “199.247.7”[.]82″ was reported by Arctic Wolf earlier this week as related to the exploitation of two recently disclosed security vulnerabilities (CVE-2025-59718 and CVE-2025-59719, CVSS score: 9.8) in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.
The Seattle-based company also shares multiple indicators of compromise (IoCs) that device owners can use to determine whether their instances are infected.
When the Firebox receives an IKE2 Auth payload that contains more than 8 certificates, you see the following log message: “Received peer certificate chain exceeds 8. Please reject this certificate chain.” IKE_AUTH request with unusually large CERT payload size (greater than 2000 bytes) Log message A successful exploit hangs the iked process and disrupts the VPN connection If the exploit fails or succeeds, the IKED process crashes and a failure report is generated on the Firebox.
This disclosure comes a little more than a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical flaw in WatchGuard Fireware OS (CVE-2025-9242, CVSS score: 9.3) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation.
It is currently unknown whether these two attack sets are related. Users are advised to apply updates as soon as possible to protect themselves from threats.
As a temporary mitigation for devices with vulnerable Branch Office VPN (BOVPN) configurations, the company recommends that administrators disable dynamic peer BOVPN, create an alias with the static IP address of the remote BOVPN peer, add a new firewall policy that allows access from the alias, and disable the default built-in policy that handles VPN traffic.
Source link
