
CVE-2025-14733: WatchGuard Firebox iked Out of Bounds Write Vulnerability Exploited in the Wild

WatchGuard released fixes for CVE-2025-14733, a critical out-of-bounds write vulnerability in the Internet Key Exchange daemon (iked) process used to establish VPN tunnels in Fireware OS.

On December 18, 2025, WatchGuard released fixes for CVE-2025-14733, a critical out-of-bounds write vulnerability in the Internet Key Exchange daemon (iked) process used to establish VPN tunnels in Fireware OS, which powers Firebox firewall appliances. Exploitation of this vulnerability allows a remote, unauthenticated threat actor to execute arbitrary code. WatchGuard has confirmed in-the-wild exploitation in their advisory. 

This vulnerability affects mobile user VPN configurations that use IKEv2, as well as branch office VPNs using IKEv2 when configured with a dynamic gateway peer. Even configurations with static peers that previously used dynamic peers may be affected. 

While Arctic Wolf is not aware of a publicly available proof-of-concept exploit at the time of writing, threat actors are likely to continue opportunistic exploitation. In September, a similarly severe WatchGuard out-of-bounds write vulnerability (CVE-2025-9242) was exploited shortly after public disclosure. 

Recommendations for CVE-2025-14733

Upgrade Fireware OS to Fixed Version

Arctic Wolf strongly recommends that customers upgrade Fireware OS to the latest fixed version as soon as possible. 

In addition to installing the latest Fireware OS that includes the fix, it is also recommended that all locally stored secrets on vulnerable Firebox appliances are rotated, as described in WatchGuard’s Best Practices to Rotate Shared Secrets Stored on the Firebox knowledge base article. 

Rotation of secrets is a crucial step when a network appliance is confirmed to be vulnerable, as Arctic Wolf has previously observed credential access campaigns where VPN appliances were quietly compromised before patches were applied, with credentials harvested during that initial access. Those stolen secrets are sometimes reused months or even years after the underlying vulnerability has been patched. Because logging on edge devices can be limited, initial compromise may not be detectable even when credential extraction has already occurred. 

Product               | Affected Version                | Fixed Version
----------------------|---------------------------------|--------------------------
Firebox (Fireware OS) | 2025.1                          | 2025.1.4
                      | 12.x                            | 12.11.6
                      | 12.5.x (T15 & T35 models)       | 12.5.15
                      | 12.3.1 (FIPS-certified release) | 12.3.1_Update4 (B728352)
                      | 11.x                            | End of Life


Note: A Firebox may still be vulnerable if a branch office VPN to a static gateway remains configured, even if mobile user VPNs with IKEv2 or branch office VPNs to dynamic gateways have been deleted. 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
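When triaging a fleet of Fireboxes against the table above, the awkward part is that each Fireware OS branch has its own fixed version and the FIPS release uses an `_UpdateN` suffix rather than a new dotted number. The following script is an added example, not WatchGuard's or Arctic Wolf's tooling: it encodes the advisory's branch-to-fix mapping and classifies reported version strings. The branch-matching rule (longest matching version prefix) and the sample inventory are assumptions for illustration; a "patched" result says nothing about whether the IKEv2 configuration conditions described above apply.

```python
import re
from typing import Optional

# Fixed versions per Fireware OS branch, taken from the advisory table
# (branch prefix -> fixed version, or None for End of Life).
FIXED_VERSIONS = {
    "2025.1": "2025.1.4",
    "12.3.1": "12.3.1_Update4",  # FIPS-certified release
    "12.5": "12.5.15",           # T15 and T35 models
    "12": "12.11.6",
    "11": None,                  # End of Life: no fix available
}

def parse_version(version: str) -> tuple[tuple[int, ...], int]:
    """Turn '12.3.1_Update4 (B728352)' into ((12, 3, 1), 4).
    The build id in parentheses is ignored; no _UpdateN suffix counts as update 0."""
    token = version.strip().split()[0]
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?", token)
    if not match:
        raise ValueError(f"unrecognised Fireware OS version: {version!r}")
    base = tuple(int(part) for part in match.group(1).split("."))
    return base, int(match.group(2) or 0)

def branch_of(version: str) -> Optional[str]:
    """Pick the most specific advisory branch whose prefix matches (assumed rule)."""
    base, _ = parse_version(version)
    dotted = ".".join(str(p) for p in base)
    for prefix in sorted(FIXED_VERSIONS, key=len, reverse=True):
        if dotted == prefix or dotted.startswith(prefix + "."):
            return prefix
    return None

def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'end_of_life' or 'unknown' for one version."""
    branch = branch_of(version)
    if branch is None:
        return "unknown"
    fixed = FIXED_VERSIONS[branch]
    if fixed is None:
        return "end_of_life"
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"

# Constructed sample inventory (hostname -> reported Fireware OS version).
SAMPLE_INVENTORY = {
    "fw-hq": "2025.1.4", "fw-branch-a": "12.11.5",
    "fw-lab-fips": "12.3.1_Update4 (B728352)", "fw-legacy": "11.12.4",
}

def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each appliance to its patch status so vulnerable hosts can be prioritised."""
    return {host: assess(version) for host, version in inventory.items()}
```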

Workaround (Optional)

For users who are unable to immediately upgrade their Firebox, WatchGuard recommends following their guidance for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround. This workaround is only applicable when the Firebox is configured solely with branch office VPN tunnels to static gateway peers.  
