WatchGuard Firebox Zero-Day (CVE-2025-14733) Actively Exploited: Threat Intelligence and Mitigation Guidance
- Rescana
- Dec 23, 2025

Executive Summary
A critical zero-day vulnerability in WatchGuard Firebox devices, tracked as CVE-2025-14733, is being actively exploited by threat actors in the wild. This flaw, an out-of-bounds write in the Fireware OS iked process, enables remote, unauthenticated attackers to execute arbitrary code on affected appliances via the IKEv2 VPN service. The vulnerability impacts a broad spectrum of WatchGuard Firebox models and Fireware OS versions, including both mobile user VPNs and branch office VPNs, particularly when dynamic gateway peers are configured. Both WatchGuard and CISA have confirmed exploitation attempts, released indicators of compromise (IOCs), and issued urgent mitigation guidance. Organizations using affected devices are at significant risk of compromise, lateral movement, and potential data exfiltration if immediate action is not taken.
Threat Actor Profile
While no specific advanced persistent threat (APT) group has been publicly attributed to the exploitation of CVE-2025-14733 as of this report, the tactics, techniques, and procedures (TTPs) observed are consistent with both financially motivated cybercriminals and state-sponsored actors. These adversaries are known to target edge network devices such as firewalls and VPN appliances to gain initial access, establish persistence, and facilitate further attacks within enterprise environments. The exploitation of zero-day vulnerabilities in perimeter devices is a hallmark of sophisticated threat actors, including groups previously associated with campaigns against VPN and firewall infrastructure (e.g., APT5, UNC2630). The current exploitation campaign demonstrates a high level of technical proficiency, leveraging malformed IKEv2 payloads to bypass authentication and execute code remotely, often as a precursor to broader network compromise.
Technical Analysis of Malware/TTPs
The vulnerability resides in the Fireware OS iked process, which handles IKEv2 VPN connections. Specifically, an out-of-bounds write condition can be triggered by a specially crafted IKE_AUTH request containing an abnormally large CERT payload. This malformed payload causes the iked process to overwrite memory, enabling remote code execution without authentication. The attack surface is exposed whenever the IKEv2 VPN service is enabled: even if no dynamic gateway peers are currently configured, the device remains exploitable as long as at least one static gateway peer VPN is active.
Threat actors exploit this flaw by sending IKE_AUTH requests with oversized CERT payloads, often exceeding normal certificate chain lengths. Log entries on compromised devices may show messages such as "Received peer certificate chain is longer than 8. Reject this certificate chain" or IKE_AUTH requests with CERT payloads of several kilobytes. Successful exploitation can result in the iked process crashing or hanging, interruption of VPN tunnel negotiations, and the generation of fault reports by the Firebox appliance.
The exploitation aligns with the following MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application) and T1133 (External Remote Services). The attack is fully remote and does not require valid credentials, making it highly attractive for both opportunistic and targeted campaigns.
Exploitation in the Wild
Active exploitation of CVE-2025-14733 has been confirmed by both WatchGuard and CISA. Threat actors are scanning for and targeting vulnerable Firebox appliances exposed to the internet, particularly those with IKEv2 VPN services enabled. Exploitation attempts have been traced to specific malicious IP addresses, and organizations have reported incidents involving unauthorized access, device instability, and unexplained VPN disruptions.
Indicators of compromise include outbound connections to known malicious IPs, abnormal log entries related to certificate chain length, and unexpected device behavior such as VPN tunnel negotiation failures or process crashes. The exploitation campaign is ongoing, and the threat landscape is evolving as attackers refine their techniques and seek to evade detection.
Victimology and Targeting
The exploitation of WatchGuard Firebox zero-day vulnerabilities is not limited to any specific sector or geography. Firebox appliances are widely deployed across government, enterprise, education, managed service provider (MSP), and critical infrastructure environments globally. The broad applicability of the vulnerability, combined with the prevalence of exposed VPN services, places organizations of all sizes and industries at risk.
While no explicit targeting of particular sectors or countries has been reported in the official advisories, the nature of the attack suggests that both opportunistic and targeted campaigns are underway. Organizations with internet-exposed VPN endpoints, especially those with outdated firmware or default configurations, are at heightened risk. The potential impact includes unauthorized network access, lateral movement, data exfiltration, and disruption of critical business operations.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-14733. Organizations should upgrade all affected Firebox devices to the latest patched versions of Fireware OS as specified in the official WatchGuard advisory. The patched versions include 2025.1.4, 12.11.6, 12.5.15, and 12.3.1_Update4 (B728352), depending on the device model.
If compromise is suspected, all locally stored secrets, including VPN pre-shared keys and administrative credentials, should be rotated in accordance with WatchGuard’s best practices. Organizations must review device logs for the presence of IOCs, such as abnormal certificate chain errors and connections to the following malicious IP addresses: 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82.
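The two log-based indicators this advisory gives, the certificate-chain-length rejection message from the technical analysis and the four listed IP addresses, can be checked mechanically. The following Python is an added example, not Rescana's or WatchGuard's code; the log line layout and the 4 KiB CERT payload threshold are assumptions, not WatchGuard's actual log format.

```python
import ipaddress
import re
from dataclasses import dataclass

# IP addresses listed in the advisory, kept defanged as published and refanged at runtime.
DEFANGED_IOC_IPS = ["45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82"]
IOC_IPS = {ipaddress.ip_address(ip.replace("[.]", ".")) for ip in DEFANGED_IOC_IPS}

# Log message the advisory associates with rejected oversized certificate chains.
CHAIN_TOO_LONG = "Received peer certificate chain is longer than 8"

# Constructed log wording for CERT sizes; the 4 KiB threshold is an assumption from "several kilobytes".
CERT_LEN_RE = re.compile(r"CERT payload length (\d+)")
CERT_LEN_THRESHOLD = 4096

# Any dotted quad; candidates are validated with ipaddress before comparison.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Finding:
    line_no: int
    reason: str
    line: str

def scan_log(lines):
    """Return one Finding per matched indicator, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if CHAIN_TOO_LONG in line:
            findings.append(Finding(n, "cert-chain-too-long", line))
        m = CERT_LEN_RE.search(line)
        if m and int(m.group(1)) > CERT_LEN_THRESHOLD:
            findings.append(Finding(n, f"oversized-cert:{m.group(1)}", line))
        for cand in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
            if ip in IOC_IPS:
                findings.append(Finding(n, f"ioc-ip:{ip}", line))
    return findings

# Constructed sample lines in a Firebox-like layout (not real device output).
SAMPLE_LOG = [
    "2025-12-20 03:14:07 iked (198.51.100.24<->45.95.19.50) Received peer certificate chain is longer than 8. Reject this certificate chain",
    "2025-12-20 03:14:09 iked IKE_AUTH received from 45.95.19.50, CERT payload length 6144",
    "2025-12-20 03:15:00 iked Phase 2 SA established with 203.0.113.7",
    "2025-12-20 03:16:12 firewall Allow 10.0.1.5 -> 199.247.7.82 tcp 443",
]
```

Run `scan_log` over exported Firebox diagnostic or syslog lines; any `ioc-ip` hit should trigger the secret rotation described above, while `cert-chain-too-long` alone warrants a review of recent IKE_AUTH activity and fault reports.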
As a temporary workaround, if only static gateway peers are in use and immediate patching is not feasible, organizations should follow WatchGuard’s IPSec/IKEv2 VPN security recommendations to minimize exposure. It is also critical to restrict management access to trusted internal networks or secure VPNs and to avoid exposing management interfaces to the internet.
Continuous monitoring for suspicious activity, regular review of device configurations, and adherence to vendor security advisories are essential components of a robust defense strategy. Organizations should also consider implementing network segmentation and enhanced logging to detect and respond to potential intrusions rapidly.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.