Critical actively exploited flaw in WatchGuard Fireware OS enables remote code execution through VPN service
Take action: If you have WatchGuard Firebox firewalls, you are under attack. Update immediately to the latest security release from WatchGuard. After patching, change all passwords and security keys stored on the device, especially if you have ever used IKEv2 VPN configurations (even ones since deleted): old settings can still leave your firewall vulnerable.
WatchGuard has released security updates to patch a critical vulnerability in its Fireware OS that allows remote unauthenticated attackers to execute arbitrary code on affected devices.
The flaw, tracked as CVE-2025-14733 (CVSS score 9.3), is an out-of-bounds write vulnerability in the iked process. The vulnerability impacts both mobile user VPN configurations using IKEv2 and branch office VPN deployments using IKEv2 when configured with a dynamic gateway peer.
An important technical detail is that Firebox devices previously configured with these vulnerable VPN types may remain susceptible even after those configurations have been deleted, as long as a branch office VPN to a static gateway peer still exists on the device.
WatchGuard has confirmed that threat actors are actively exploiting this vulnerability.
Affected versions of Fireware OS include:
- versions 11.10.2 through 11.12.4_Update1 (now end-of-life),
- versions 12.0 through 12.11.5, and
- versions 2025.1 through 2025.1.3.
WatchGuard has released patches on multiple product branches:
- version 2025.1.4 for the 2025.1 branch,
- version 12.11.6 for the 12.x branch,
- version 12.5.15 for T15 and T35 models running 12.5.x,
- version 12.3.1_Update4 (Build 728352) for FIPS-certified releases.
Organizations running version 11.x should note that this branch has reached end-of-life and must migrate to a supported version. In addition to applying the security patches, administrators who have confirmed threat actor activity on their Firebox appliances must rotate all locally stored secrets.
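As an added illustration (not WatchGuard's own tooling or part of the advisory), the following Python script encodes the affected and patched version lists above and classifies Fireware OS version strings from a device inventory, so an administrator can quickly see which Fireboxes still need the update. It assumes version strings follow the advisory's notation (e.g. `12.11.5`, `11.12.4_Update1`, `2025.1.3`); the hostnames and versions in the sample inventory are constructed. Since the version string alone does not reveal whether a 12.x device is a T15/T35 on 12.5.x or a FIPS-certified release, all three 12.x upgrade targets are reported for the administrator to choose from.

```python
import re
from dataclasses import dataclass

# Fireware OS version strings as written in the advisory, e.g. "12.11.5",
# "11.12.4_Update1", "2025.1.3". They are mapped to a sortable tuple
# (major, minor, patch, update); a missing patch or update counts as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn a Fireware version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


# Affected ranges from the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.5"),
    ("2025.1", "2025.1.3"),
]

# Fixed releases named in the advisory. 12.5.15 and 12.3.1_Update4 sit inside
# the 12.0..12.11.5 window numerically, so they are checked before the ranges.
PATCHED_RELEASES = {"2025.1.4", "12.11.6", "12.5.15", "12.3.1_Update4"}

# Upgrade target per major branch. The version alone does not say whether a
# 12.x device needs 12.5.15 (T15/T35) or 12.3.1_Update4 (FIPS), so all three
# 12.x options are listed.
UPGRADE_TARGET = {
    11: "migrate to a supported branch (11.x is end-of-life)",
    12: "upgrade to 12.11.6 (12.5.15 for T15/T35 on 12.5.x; 12.3.1_Update4 for FIPS releases)",
    2025: "upgrade to 2025.1.4",
}


@dataclass
class Assessment:
    version: str
    status: str  # "patched", "affected" or "not-listed"
    action: str


def assess(version: str) -> Assessment:
    """Classify one Fireware OS version against the CVE-2025-14733 advisory data."""
    v = parse_version(version)
    if any(v == parse_version(p) for p in PATCHED_RELEASES):
        return Assessment(version, "patched", "no upgrade needed for this CVE")
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return Assessment(version, "affected", UPGRADE_TARGET[v[0]])
    if v[0] == 11:
        # Outside the listed window, but the whole 11.x branch is unsupported.
        return Assessment(version, "not-listed", UPGRADE_TARGET[11])
    return Assessment(version, "not-listed", "not in the advisory's affected ranges; verify manually")


def scan(inventory: dict[str, str]) -> dict[str, Assessment]:
    """Assess every device in a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    inventory = {
        "fw-hq-01": "12.11.5",
        "fw-hq-02": "12.11.6",
        "fw-branch-t35": "12.5.14",
        "fw-fips-lab": "12.3.1_Update4",
        "fw-legacy": "11.12.4_Update1",
        "fw-new-site": "2025.1.3",
    }
    for host, result in scan(inventory).items():
        print(f"{host:14} {result.version:16} {result.status:10} {result.action}")
```

Run it against an export of your real inventory; any device reported as `affected` (or `not-listed` on the 11.x branch) needs the upgrade, and, per the advisory, locally stored secrets should be rotated where threat actor activity has been confirmed.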
Organizations unable to immediately upgrade their devices can implement temporary workarounds, though these are only applicable for specific configurations.