CVE-2025-14733: Critical WatchGuard Firebox Firewall RCE Vulnerability Actively Exploited in the Wild
- Rescana
- Dec 21, 2025
- 5 min read

Executive Summary
A newly disclosed critical vulnerability, CVE-2025-14733, has been identified in WatchGuard Firebox firewalls, representing a significant threat to organizations relying on these devices for perimeter security. This flaw, an out-of-bounds write in the Fireware OS iked process, enables unauthenticated remote attackers to execute arbitrary code on affected appliances. The vulnerability is being actively exploited in the wild, with multiple threat actors leveraging it to gain initial access, establish persistence, and potentially pivot deeper into victim networks. The attack surface is broad, as exploitation requires no user interaction and can be triggered over the network, particularly when the device is configured for IKEv2 VPN. This advisory provides a comprehensive technical breakdown, threat actor insights, exploitation evidence, victimology, and actionable mitigation guidance to help Rescana customers defend against this critical threat.
Threat Actor Profile
The exploitation of CVE-2025-14733 has attracted a diverse set of threat actors, ranging from financially motivated cybercriminals to advanced persistent threat (APT) groups. While no single group has been definitively attributed as of this writing, the tactics, techniques, and procedures (TTPs) observed are consistent with those used by actors specializing in the compromise of network edge devices. These actors typically exploit public-facing vulnerabilities to establish a foothold, deploy custom malware or remote access tools, and subsequently conduct lateral movement or data exfiltration. The rapid weaponization of this vulnerability, as seen in previous WatchGuard and other firewall exploits, underscores the sophistication and agility of these adversaries. Notably, the exploitation aligns with MITRE ATT&CK technique T1190 (Exploit Public-Facing Application), a hallmark of groups seeking initial access to enterprise environments.
Technical Analysis of Malware/TTPs
The core of CVE-2025-14733 is an out-of-bounds write condition in the Fireware OS iked process, which handles IKEv2 VPN negotiations. Attackers exploit this flaw by sending specially crafted IKE_AUTH requests containing abnormally large CERT payloads (exceeding 2000 bytes) or certificate chains longer than eight entries. This malformed input triggers a memory corruption event, allowing the attacker to overwrite critical memory regions and execute arbitrary code with root privileges on the device.
The attack is low complexity and requires no authentication, making it highly attractive for automated exploitation. Once code execution is achieved, threat actors have been observed deploying lightweight shellcode to establish reverse shells, download additional payloads, or modify device configurations to maintain persistence. In some cases, attackers have leveraged the compromised Firebox as a pivot point to scan internal networks, harvest credentials, or deploy ransomware payloads.
Indicators of compromise (IOCs) include abnormal VPN negotiation failures, unexpected process crashes or restarts of the iked service, and outbound connections to known malicious command-and-control (C2) infrastructure. Log entries such as "Received peer certificate chain is longer than 8. Reject this certificate chain" or IKE_AUTH requests with CERT payload sizes exceeding 2000 bytes are strong forensic markers of exploitation attempts.
Exploitation in the Wild
Active exploitation of CVE-2025-14733 has been confirmed by WatchGuard, independent security researchers, and multiple threat intelligence sources. Attackers are scanning the internet for vulnerable Firebox appliances, particularly those exposing IKEv2 VPN services. Successful compromises have been observed across a range of sectors, with attackers establishing persistent access and, in some cases, using the device as a launchpad for further attacks within the victim's environment.
Notable campaigns have not yet been attributed to specific APT groups, but the exploitation patterns mirror those seen in previous mass exploitation events targeting network edge devices, such as the Cyclops Blink malware campaign. The speed and scale of exploitation highlight the criticality of immediate remediation, as unpatched devices are likely to be compromised within hours of exposure.
Observed malicious infrastructure includes IP addresses such as 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82, which have been used for outbound C2 communications from compromised devices. Organizations should monitor for connections to these addresses as a potential sign of compromise.
Victimology and Targeting
The primary targets of CVE-2025-14733 exploitation are organizations deploying WatchGuard Firebox appliances as perimeter firewalls or VPN concentrators. This includes small and medium-sized businesses, managed service providers (MSPs), and enterprises with distributed branch offices. The geographic distribution of victims is global, but there is a concentration in North America and Europe, reflecting the market penetration of WatchGuard products.
Attackers are opportunistic, scanning for any exposed and vulnerable devices rather than targeting specific organizations. However, once access is gained, the level of post-exploitation activity may vary based on the perceived value of the victim. In some cases, compromised devices have been used as part of larger botnets or as staging points for targeted intrusions into high-value networks.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-14733. Organizations should upgrade all affected Fireware OS versions to the latest patched releases, specifically Fireware OS 2025.1.4, 12.11.6, 12.5.15 (for T15 & T35), or 12.3.1_Update4 (FIPS-certified). Devices running end-of-life versions such as 11.x must be replaced, as no security updates are available.
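For organizations with many Firebox appliances, the patched releases named above can drive a fleet triage pass. The following is an added example, not WatchGuard's or Rescana's code. It assumes that a device whose version falls within one of the listed release branches but below that branch's patched release is unpatched, treats the 11.x line as end-of-life, and reports any version outside the listed branches as unknown rather than guessing; the `_UpdateN` suffix is ordered after the bare version so that 12.3.1_Update4 is recognised as newer than 12.3.1. The device names and versions in the sample inventory are constructed.

```python
"""Classify Fireware OS versions against the patched releases in the advisory (added example)."""
from __future__ import annotations

import re

# Patched releases per the advisory, keyed by release branch.
PATCHED = {
    "2025.1": "2025.1.4",
    "12.11": "12.11.6",
    "12.5": "12.5.15",            # T15 and T35 models
    "12.3.1": "12.3.1_Update4",   # FIPS-certified branch
}
EOL_MAJOR = 11  # 11.x is end-of-life: no security updates, replace the device

# Accepts "12.5.15" or "12.3.1_Update4" style strings.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_version(v: str) -> tuple[tuple[int, ...], int]:
    """Return (numeric components, update number); a missing Update suffix counts as 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    upd = int(m.group(2)) if m.group(2) else 0
    return nums, upd


def branch_of(nums: tuple[int, ...]) -> str | None:
    """Map a parsed version to one of the advisory's branches, longest prefix first."""
    for branch in sorted(PATCHED, key=lambda b: -len(b.split("."))):
        bnums = tuple(int(x) for x in branch.split("."))
        if nums[: len(bnums)] == bnums:
            return branch
    return None


def classify(version: str) -> str:
    """Return a triage verdict for a single device's Fireware OS version."""
    nums, upd = parse_version(version)
    if nums[0] <= EOL_MAJOR:
        return "end-of-life: replace device"
    branch = branch_of(nums)
    if branch is None:
        # Assumption: the advisory names no fix for this branch, so do not guess.
        return "unknown branch: check vendor advisory"
    fixed_nums, fixed_upd = parse_version(PATCHED[branch])
    # Tuple comparison orders numeric components first, then the Update number.
    if (nums, upd) >= (fixed_nums, fixed_upd):
        return "patched"
    return f"unpatched: upgrade to {PATCHED[branch]}"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify every device in a {name: version} inventory."""
    return {name: classify(version) for name, version in inventory.items()}


# Constructed inventory for illustration.
SAMPLE_INVENTORY = {
    "fw-hq-01": "2025.1.3",
    "fw-hq-02": "2025.1.4",
    "fw-branch-01": "12.11.5",
    "fw-branch-02": "12.5.15",
    "fw-fips-01": "12.3.1_Update2",
    "fw-legacy-01": "11.12.4",
    "fw-lab-01": "12.10.4",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {SAMPLE_INVENTORY[name]:16} {verdict}")
```

The "unknown branch" verdict is deliberate: the advisory lists the patched releases but not the full set of vulnerable version ranges, so a version outside those branches should be checked against WatchGuard's own advisory rather than silently marked safe or unsafe.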
If patching cannot be performed immediately, temporary workarounds include disabling dynamic peer branch office VPNs, adding restrictive firewall policies, and disabling default system policies that handle VPN traffic. These measures can reduce the attack surface but do not eliminate the underlying vulnerability.
Organizations should conduct a thorough review of device logs for the IOCs described above, including abnormal certificate chain errors and large CERT payloads in IKE_AUTH requests. Outbound connections to the identified malicious IP addresses should be blocked and investigated. If compromise is suspected or confirmed, all locally stored secrets and credentials on the affected appliance must be rotated without delay, following WatchGuard's best practices for secret management.
Continuous monitoring for anomalous device behavior, such as unexpected process crashes or VPN negotiation failures, is essential. Network segmentation and the principle of least privilege should be enforced to limit the potential impact of a compromised firewall. Finally, organizations are encouraged to stay informed of updates from WatchGuard and relevant threat intelligence sources, as the situation is evolving rapidly.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization's cyber resilience, we are happy to answer questions at ops@rescana.com.