WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733) Actively Exploited – Urgent Security Alert and Mitigation Guidance
- Rescana
- Dec 21, 2025
- 5 min read

Executive Summary
WatchGuard has issued a critical security advisory regarding active exploitation of a severe vulnerability in Fireware OS VPN services, specifically impacting the IKEv2 implementation. The vulnerability, tracked as CVE-2025-14733, enables remote, unauthenticated attackers to execute arbitrary code on affected devices by exploiting an out-of-bounds write in the iked process. This flaw affects both mobile user VPNs and branch office VPNs configured with IKEv2, exposing organizations to the risk of full device compromise, lateral movement, and potential data exfiltration. Multiple threat actors are actively targeting this vulnerability, and exploitation has been observed in the wild. Immediate patching and incident response are strongly recommended to mitigate risk.
Threat Actor Profile
The exploitation of CVE-2025-14733 is being conducted by sophisticated threat actors with a demonstrated capability to rapidly weaponize newly disclosed vulnerabilities in network edge devices. While no specific advanced persistent threat (APT) group has been formally attributed as of this report, there is significant infrastructure overlap with actors previously observed targeting Fortinet and other firewall vendors. The threat actors are leveraging automated scanning and exploitation frameworks to identify and compromise vulnerable WatchGuard Fireware OS appliances exposed to the internet. The observed tactics, techniques, and procedures (TTPs) suggest a high level of operational maturity, including the use of anonymized infrastructure, rapid deployment of post-exploitation payloads, and the ability to pivot laterally within compromised environments. The threat landscape is further complicated by the public sharing of indicators of compromise (IOCs) and technical details, which may enable less sophisticated actors to join ongoing campaigns.
Technical Analysis of Malware/TTPs
The core vulnerability resides in the iked process, which handles IKEv2 VPN negotiations. The flaw is an out-of-bounds write triggered while processing maliciously crafted IKE_AUTH payloads that contain an excessive number of X.509 certificates or an abnormally large certificate payload. By sending an IKE_AUTH message carrying more than eight certificates, or a certificate payload exceeding 2000 bytes, an attacker can corrupt memory within the iked process. Because IKE_AUTH is the exchange in which peer authentication takes place, these certificate payloads are parsed before the peer has been authenticated; the attacker only needs to complete the preceding, unauthenticated IKE_SA_INIT exchange first. The resulting memory corruption can be exploited to achieve remote code execution with root privileges on the affected device.
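To make the trigger conditions above concrete, the following added example (written for this page; it is not WatchGuard's code and not derived from the iked implementation) builds plaintext IKEv2 messages from constructed test data and walks the generic payload chain from RFC 7296, counting CERT payloads and recording the largest one. The "more than eight" and "2000 bytes" limits are taken from the text; whether the 2000-byte figure refers to the payload body or to the payload including its 4-byte generic header is not stated, so the check below uses the full payload length (an assumption). Note that in a real IKE_AUTH exchange the CERT payloads travel inside the Encrypted (SK) payload, so a passive sensor cannot count them; only the responder after decryption, or a test harness like this one, sees the plaintext chain. On the wire the parser can only report how much opaque SK data an IKE_AUTH carries, which is a hint for review, not proof. Do not send messages like these to an unpatched production Firebox, since the page reports that the effect is an iked hang or crash.

```python
import struct

# IKEv2 constants (RFC 7296; SKF fragment payload from RFC 7383)
IKE_HEADER_LEN = 28
EXCH_IKE_AUTH = 35
PT_NONE, PT_CERT, PT_SK, PT_SKF = 0, 37, 46, 53
FLAG_RESPONSE = 0x20
CERT_ENC_X509_SIG = 4

# Trigger conditions quoted in the advisory text. Measuring the 2000-byte limit on
# the whole CERT payload (4-byte header included) is an assumption made here.
MAX_CHAIN_LEN = 8
MAX_CERT_PAYLOAD = 2000


def build_ike_message(exchange, payloads, msg_id=1, flags=0x08):
    """Assemble a plaintext IKEv2 message from [(payload_type, body), ...].
    Constructed test input only: dummy SPIs, no real key material."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        next_pt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        body += struct.pack("!BBH", next_pt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else PT_NONE
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x20,
                      exchange, flags, msg_id, IKE_HEADER_LEN + len(body))
    return hdr + body


def cert_payload(body_len):
    """CERT payload body of body_len bytes: 1-byte encoding + DER-looking filler."""
    return bytes([CERT_ENC_X509_SIG, 0x30]) + b"\x00" * (body_len - 2)


def analyze_ike_message(msg):
    """Walk the payload chain and report the properties relevant to this advisory."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    _, _, next_pt, _, exch, flags, _, length = struct.unpack(
        "!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise ValueError(f"header says {length} bytes, got {len(msg)}")
    rep = {"exchange": exch, "is_response": bool(flags & FLAG_RESPONSE),
           "length": length, "cert_count": 0, "max_cert_payload": 0,
           "encrypted_len": 0, "fragmented": False, "malformed": False}
    off = IKE_HEADER_LEN
    while next_pt != PT_NONE:
        if off + 4 > len(msg):
            rep["malformed"] = True
            break
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            rep["malformed"] = True       # length field points past the buffer: the kind of
            break                         # value a parser must check before copying
        if next_pt == PT_CERT:
            rep["cert_count"] += 1
            rep["max_cert_payload"] = max(rep["max_cert_payload"], plen)
        elif next_pt in (PT_SK, PT_SKF):
            rep["encrypted_len"] += plen  # inner payloads are invisible without SK_e
            rep["fragmented"] |= next_pt == PT_SKF
        off += plen
        next_pt = nxt
    if not rep["malformed"] and off != len(msg):
        rep["malformed"] = True           # trailing bytes after the last payload
    hard, soft = [], []
    if exch == EXCH_IKE_AUTH:
        if rep["cert_count"] > MAX_CHAIN_LEN:
            hard.append(f"{rep['cert_count']} CERT payloads, limit {MAX_CHAIN_LEN}")
        if rep["max_cert_payload"] > MAX_CERT_PAYLOAD:
            hard.append(f"CERT payload of {rep['max_cert_payload']} bytes, limit {MAX_CERT_PAYLOAD}")
        if rep["encrypted_len"] > MAX_CERT_PAYLOAD:
            soft.append(f"opaque SK/SKF data of {rep['encrypted_len']} bytes: room for an oversized CERT")
    rep["reasons"] = hard + soft
    rep["verdict"] = ("malformed" if rep["malformed"] else "suspicious" if hard
                      else "review" if soft else "ok")
    return rep


if __name__ == "__main__":
    chain9 = build_ike_message(EXCH_IKE_AUTH, [(PT_CERT, cert_payload(500))] * 9)
    print(analyze_ike_message(chain9)["reasons"])
    opaque = build_ike_message(EXCH_IKE_AUTH, [(PT_SK, b"\x00" * 3000)])
    print(analyze_ike_message(opaque)["verdict"])
```

A legitimate two- or three-certificate chain also produces an SK payload well over 2000 bytes, so the "review" verdict will fire on normal traffic and is only useful when correlated with the device-side log message the page quotes. Large IKE_AUTH messages are frequently split into SKF fragments across several UDP datagrams, so a per-datagram size check misses them unless fragments are reassembled first.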
Upon successful exploitation, attackers have been observed deploying lightweight shellcode to establish persistence and command-and-control (C2) channels. The post-exploitation phase typically involves the exfiltration of configuration files, VPN credentials, and other sensitive artifacts stored on the device. In some cases, attackers have used the compromised device as a foothold to launch further attacks against internal network assets, leveraging the trusted position of the firewall within the network topology.
The exploitation chain aligns with the following MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application) for the initial compromise, and T1059 (Command and Scripting Interpreter) for post-exploitation activities. The attackers utilize custom scripts and off-the-shelf tools to automate the exploitation process, maintain access, and evade detection. Notably, the exploitation does not require authentication, making any internet-exposed vulnerable device a potential target.
Exploitation in the Wild
Active exploitation of CVE-2025-14733 has been confirmed by WatchGuard, independent security researchers, and multiple managed security service providers (MSSPs). Attack telemetry indicates that exploitation attempts began within 48 hours of the vulnerability's public disclosure. Malicious activity has been traced to several IP addresses, including 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, and 199.247.7[.]82. The latter IP has also been associated with recent attacks against Fortinet devices, suggesting a coordinated campaign or shared tooling among threat actors.
Indicators of compromise include outbound connections to the aforementioned IP addresses, anomalous log entries such as "Received peer certificate chain is longer than 8. Reject this certificate chain," and IKE_AUTH requests with certificate payloads exceeding 2000 bytes. Affected devices may exhibit symptoms such as the iked process hanging or crashing, which disrupts VPN tunnel negotiations and may generate fault reports. In several documented incidents, attackers have leveraged the compromised device to pivot into internal networks, underscoring the criticality of immediate response.
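The indicators listed above can be checked against exported Firebox logs with a short triage script. The following is an added example written for this page, not tooling from Rescana or WatchGuard. The "certificate chain is longer than 8" message and the four IP addresses are taken from the text (the addresses are re-fanged here so they match); the log line layout, the wording of iked crash or fault entries, and the sample lines themselves are constructed assumptions to be adapted to the actual syslog or Dimension export format.

```python
import re
from collections import defaultdict

# Addresses named in this advisory (defanged on the page, re-fanged here for matching)
IOC_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}

# Log message quoted in the advisory
CHAIN_TOO_LONG = "Received peer certificate chain is longer than 8"
# Wording of iked crash/hang entries is an assumption; adjust to what your Firebox emits
IKED_FAULT = re.compile(r"\b(crash(?:ed)?|fault|core dump|hang|hung|restart(?:ed)?)\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed layout: "<date> <time> <host> <process> <message>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<proc>\w+) (?P<msg>.*)$")

# Constructed sample lines, not real Firebox output
SAMPLE_LOG = """\
2025-12-19 03:12:44 fw-edge-01 iked IKE_AUTH from 203.0.113.5:500 peer certificate chain accepted
2025-12-19 03:14:02 fw-edge-01 iked Received peer certificate chain is longer than 8. Reject this certificate chain. peer=199.247.7.82
2025-12-19 03:14:03 fw-edge-01 iked process iked crash detected, fault report generated
2025-12-19 03:14:09 fw-edge-01 firewall Allow Trusted External tcp 10.0.20.7 45.95.19.50 49812 443
2025-12-19 03:20:11 fw-edge-01 iked IKE_SA_INIT from 198.51.100.77 proposal accepted
"""


def triage(log_text):
    """Return (findings, by_ip): findings = [(line_no, tag, line)], by_ip = {ip: [line_no, ...]}."""
    findings, by_ip = [], defaultdict(list)
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        tags = []
        if CHAIN_TOO_LONG in m["msg"]:
            tags.append("oversized-cert-chain")
        if m["proc"] == "iked" and IKED_FAULT.search(m["msg"]):
            tags.append("iked-fault")
        ips = set(IPV4.findall(line))
        if ips & IOC_IPS:
            tags.append("ioc-ip:" + ",".join(sorted(ips & IOC_IPS)))
        for tag in tags:
            findings.append((line_no, tag, line))
        if tags:
            for ip in ips:  # every address on a flagged line is a pivot for the investigation
                by_ip[ip].append(line_no)
    return findings, dict(by_ip)


def verdict(findings):
    """Collapse the tags into one triage outcome for the log slice."""
    kinds = {tag.split(":")[0] for _, tag, _ in findings}
    if "oversized-cert-chain" in kinds and "iked-fault" in kinds:
        return "exploitation-likely"  # trigger condition seen and iked fell over
    if "ioc-ip" in kinds:
        return "ioc-contact"
    if "oversized-cert-chain" in kinds:
        return "probe-or-attempt"
    return "no-indicators"


if __name__ == "__main__":
    found, pivots = triage(SAMPLE_LOG)
    for line_no, tag, line in found:
        print(f"{line_no:>4} {tag:<24} {line}")
    print("pivot addresses:", pivots)
    print("verdict:", verdict(found))
```

The "exploitation-likely" outcome deliberately requires both the rejected-chain message and an iked fault, since the first alone also appears when a probe is rejected cleanly; treat a flagged internal address such as the 10.0.20.7 host in the sample as the starting point for the lateral-movement review the page recommends.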
Victimology and Targeting
The primary targets of this exploitation campaign are organizations utilizing WatchGuard Fireware OS appliances with IKEv2 VPN configurations exposed to the internet. Victims span a broad range of sectors, including managed service providers (MSPs), financial institutions, healthcare organizations, and government agencies. The attack surface is defined by the presence of vulnerable firmware versions, specifically Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5, 2025.1 up to and including 2025.1.3, 12.5.x (T15 & T35 models) up to 12.5.14, and 12.3.1 (FIPS-certified release) up to 12.3.1_Update3. Devices running end-of-life firmware (11.x) are particularly at risk, as no patches are available.
Attackers are opportunistically scanning for vulnerable devices, with a focus on those deployed at the network perimeter. The exploitation is not limited to any specific geographic region, and organizations of all sizes are at risk. The use of automated exploitation tools increases the likelihood of widespread compromise, especially among organizations that have not yet applied the necessary patches or implemented compensating controls.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-14733. Organizations should prioritize upgrading to the following fixed versions: 2025.1.4 for 2025.1.x, 12.11.6 for 12.x, 12.5.15 for 12.5.x (T15 & T35), and 12.3.1_Update4 (B728352) for the FIPS-certified release. Devices running end-of-life firmware (11.x) must be replaced, as no security updates will be provided.
In addition to patching, organizations should review device logs for the presence of IOCs, including anomalous IKE_AUTH requests and connections to known malicious IP addresses. If compromise is suspected or confirmed, all locally stored secrets on affected Firebox appliances should be rotated immediately. This includes VPN pre-shared keys, administrative credentials, and any other sensitive configuration data.
For organizations unable to patch immediately, temporary workarounds include disabling dynamic peer branch office VPNs, creating aliases for the static IP addresses of remote BOVPN peers, adding firewall policies that permit IKE traffic only from those aliases, and disabling the default built-in policies for VPN traffic. These measures reduce the attack surface only where peer addresses are known in advance: mobile user VPN endpoints, which must accept IKEv2 from arbitrary addresses, remain exposed until the device is patched. None of the workarounds removes the underlying vulnerability.
Network monitoring should be enhanced to detect and block outbound connections to the identified malicious IP addresses. Security teams should also implement strict access controls, network segmentation, and continuous monitoring of VPN endpoints for signs of anomalous activity. Regular vulnerability scanning and penetration testing are recommended to identify and remediate other potential exposures.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.


