DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-14733: WatchGuard IKEv2: The 9.8 Gateway to Hell (CVE-2025-14733)

#security #cve #cybersecurity

WatchGuard IKEv2: The 9.8 Gateway to Hell (CVE-2025-14733)

Vulnerability ID: CVE-2025-14733
CVSS Score: 9.8
Published: 2025-12-19

A critical remote code execution vulnerability in WatchGuard Firebox's iked daemon allows unauthenticated attackers to dismantle the firewall's security from the outside. With over 115,000 devices exposed and active exploitation confirmed by CISA, this Out-of-bounds Write is a textbook example of how a single memory safety error in a perimeter device can compromise an entire network architecture.

TL;DR

Critical RCE in WatchGuard Firebox firewalls via the IKEv2 VPN service. Unauthenticated attackers can crash the service or execute code as root by sending malformed packets. Active in the wild. Patch immediately.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-787 (Out-of-bounds Write)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (UDP 500/4500)
  • Authentication: None (Unauthenticated)
  • Affected Component: iked (Internet Key Exchange daemon)
  • EPSS Score: 0.40662 (High Probability)
  • KEV Status: Listed (Active Exploitation)

Affected Systems

  • WatchGuard Firebox T Series
  • WatchGuard Firebox M Series
  • WatchGuard XTM Series (legacy)
  • WatchGuard FireboxV (Virtual)
  • WatchGuard Firebox Cloud
  • Fireware OS: 12.0 - 12.11.5 (Fixed in: 12.11.6)
  • Fireware OS: 2025.1 - 2025.1.3 (Fixed in: 2025.1.4)
  • Fireware OS (T15/T35): < 12.5.15 (Fixed in: 12.5.15)

Mitigation Strategies

  • Update Fireware OS to the latest patched version.
  • Disable Mobile User VPN with IKEv2.
  • Convert Branch Office VPNs from Dynamic Gateway to Static Gateway peers.
  • Restrict access to IKE ports (UDP 500/4500) to trusted IP ranges only.

Remediation Steps:

  1. Log in to the WatchGuard Firebox web UI or Policy Manager.
  2. Check the current OS version in the System Status dashboard.
  3. Download the applicable upgrade package (e.g., 12.11.6 or 2025.1.4) from the WatchGuard Support Center.
  4. Apply the upgrade and reboot the device.
  5. Post-upgrade: Review the 'Users and Roles' list for unrecognized admin accounts.
  6. Reset the 'admin' and 'status' account passwords.

References

Read the full report for CVE-2025-14733 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)