CVE-2025-14733 Vulnerability: WatchGuard Addresses a Critical RCE Affecting Firebox Firewalls, Actively Exploited for Real-World Attacks

CVE-2025-14733 RCE in WatchGuard Firewall OS

Just days before Christmas, another critical vulnerability has emerged, continuing a surge of actively exploited flaws alongside the recent zero-days in Cisco AsyncOS (CVE-2025-20393) and Apple WebKit (CVE-2025-14174). WatchGuard has disclosed and patched a critical security issue in Fireware OS, confirming that it has already been exploited in real-world attacks against Firebox firewalls.

Identified as CVE-2025-14733 with a CVSS score of 9.3, the vulnerability stems from an out-of-bounds write in the iked process, the daemon that handles IKE negotiation for Firebox VPN tunnels. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code in a low-complexity attack that requires no user interaction; because the bug is reached during IKE negotiation, no valid VPN credentials are needed.

Internet scans conducted by Shadowserver identified roughly 117,490 exposed and unpatched Firebox devices as of December 21, underscoring the scale of potential impact. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, confirming its active abuse and the risk it poses to enterprise environments. Vulnerabilities of this type are frequent attack vectors for malicious actors and pose significant risks to the federal enterprise.

Join the SOC Prime Platform, home to the world’s largest Detection Intelligence dataset, delivering an end-to-end pipeline from threat detection through simulation to elevate your SOC capabilities and proactively defend against APTs, exploitation campaigns, and cyber threats of any sophistication. Press Explore Detections to access a context-enriched collection of rules addressing vulnerability exploitation, filtered by the relevant CVE tag.

Explore Detections

All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® v18.1 framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, predict ATT&CK tags, apply AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-14733 Analysis

WatchGuard has disclosed a critical out-of-bounds write vulnerability in the iked process of Fireware OS, tracked as CVE-2025-14733, that may allow a remote, unauthenticated attacker to execute arbitrary code. The flaw affects IKEv2-based Mobile User VPNs and Branch Office VPNs (BOVPNs), particularly those configured with dynamic gateway peers. Several Fireware OS releases are affected; the fix ships in versions 2025.1.4, 12.11.6, 12.5.15 (T15/T35), and 12.3.1_Update4 (FIPS), while 11.x releases are end-of-life and receive no patch. Note that a Firebox may remain vulnerable even after the affected IKEv2 VPN configurations have been removed, as long as a BOVPN to a static gateway peer is still configured, so deleting a Mobile User VPN is not by itself a mitigation.
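Because the fixed build differs per branch and the FIPS build uses an `_UpdateN` suffix, checking an inventory by hand is error-prone. The following is an added example (not WatchGuard tooling) that parses a reported Fireware OS version and compares it against the fixed releases named above; the `triage`, `parse_version` and `triage_inventory` names and the sample inventory are constructed for illustration, and branches the page does not list are reported as "unknown" rather than guessed.

```python
"""Triage Fireware OS versions against the CVE-2025-14733 fixed releases.

Added example, not WatchGuard's tooling. The fixed versions are the ones
named in the advisory as summarised on this page. Branches not listed
there are reported as "unknown" rather than guessed (assumption).
"""
import re

# (branch prefix, first fixed release on that branch), from the page.
# Version tuples are (major, minor, patch, update); the FIPS build uses a
# "_UpdateN" suffix, which is carried in the fourth field.
FIXED_RELEASES = [
    ((2025, 1), (2025, 1, 4, 0)),   # 2025.1.4
    ((12, 11), (12, 11, 6, 0)),     # 12.11.6
    ((12, 5), (12, 5, 15, 0)),      # 12.5.15 (T15/T35)
    ((12, 3, 1), (12, 3, 1, 4)),    # 12.3.1_Update4 (FIPS)
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")


def parse_version(text):
    """Parse '12.11.5', '2025.1.3' or '12.3.1_Update3' into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def triage(text):
    """Return 'eol', 'patched', 'vulnerable' or 'unknown' for one version string."""
    v = parse_version(text)
    if v[0] == 11:
        return "eol"                # 11.x is end-of-life: upgrade, no fix is coming
    for branch, fixed in FIXED_RELEASES:
        if v[:len(branch)] == branch:
            return "patched" if v >= fixed else "vulnerable"
    return "unknown"                # branch not on the page: check the vendor advisory


def triage_inventory(inventory):
    """Map {hostname: version} to {hostname: status}; bad strings become 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = triage(version)
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration (hostnames and versions are made up).
    demo = {
        "fb-hq-01": "12.11.5",
        "fb-hq-02": "12.11.6",
        "fb-branch-t35": "12.5.14",
        "fb-fips": "12.3.1_Update3",
        "fb-legacy": "11.12.4",
        "fb-new": "2025.1.4",
        "fb-odd": "12.10.4",
    }
    for host, status in sorted(triage_inventory(demo).items()):
        print(f"{host:14} {demo[host]:16} {status}")
```

A host reported as "unknown" is not safe by default; it simply sits on a branch this page does not enumerate, and the advisory should be consulted for it. An "eol" result means the only remediation is an upgrade to a supported branch.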

WatchGuard confirmed that the vulnerability is being exploited in the wild. Adversaries are weaponizing CVE-2025-14733 as part of a broader campaign targeting edge networking devices and exposed infrastructure across multiple vendors.

The company also shared Indicators of Attack (IoAs) to help identify exploitation attempts. Outbound connections from a Firebox to any of 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, or 199.247.7[.]82 are considered a strong indicator of compromise, since a firewall has no legitimate reason to initiate sessions to attacker infrastructure, while inbound connections from these addresses may signal scanning or exploitation attempts. Additional host-level indicators include oversized IKE_AUTH CERT payloads, log messages about certificate chains longer than eight entries, and crashes or hangs of the iked process; a failed attempt against a memory-corruption bug often shows up as a crash rather than a clean compromise, so iked instability on an internet-facing Firebox deserves investigation. As CVE-2025-14733 mitigation, customers are strongly advised to apply the updates immediately or, where that is not yet possible, follow WatchGuard's recommended temporary safeguards for vulnerable BOVPN configurations.
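The IoAs above translate directly into a hunting rule. The following is an added example (not WatchGuard's or SOC Prime's detection content) that runs the network and iked-level indicators over a handful of constructed log lines; the four IP addresses and the three behavioural indicators come from the advisory as summarised above, while the key=value log format, the field names (`dir`, `proc`, `exchange`, `payload`, `bytes`, `msg`), the `classify` and `hunt` helper names, and the byte threshold for an "oversized" CERT payload are assumptions made for this example and are not the real Fireware log format.

```python
"""Hunt for CVE-2025-14733 indicators of attack in Firebox-adjacent logs.

Added example, not WatchGuard's or SOC Prime's detection content. The four
IP addresses and the three behavioural indicators (oversized IKE_AUTH CERT
payload, certificate chain longer than eight entries, iked crash/hang) come
from the advisory as summarised on this page. Everything else is an
assumption: the key=value log format, the field names (dir, proc, exchange,
payload, bytes, msg) and the byte threshold are constructed for this
example and are not the real Fireware log format.
"""
import re
from collections import Counter

# Indicator IPs from the advisory (defanged on the page, refanged here for matching).
IOA_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}

MAX_CERT_CHAIN = 8                    # advisory: chains longer than 8 entries are suspicious
CERT_PAYLOAD_BYTES_THRESHOLD = 16384  # assumed "oversized" cut-off; the advisory gives no number

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CHAIN_RE = re.compile(r"certificate chain (?:length|of) (\d+)", re.I)
CRASH_RE = re.compile(r"\b(crash|segfault|hang|hung|watchdog)", re.I)


def parse_kv(line):
    """Split a constructed 'k=v k="quoted v"' log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(line):
    """Return [(severity, reason), ...] for one log line; empty list if benign."""
    ev = parse_kv(line)
    src, dst = ev.get("src"), ev.get("dst")
    findings = []

    # Network IoAs. Outbound to attacker infrastructure is a strong IoC:
    # a firewall has no business initiating sessions to these hosts.
    if ev.get("dir") == "out" and dst in IOA_IPS:
        findings.append(("high", f"outbound connection to IoA IP {dst}"))
    # Inbound from the same hosts is weaker: scanning or an exploitation attempt.
    if ev.get("dir") == "in" and src in IOA_IPS:
        findings.append(("medium", f"inbound connection from IoA IP {src}"))

    # Host-level IoAs from the IKE daemon.
    if ev.get("proc") == "iked":
        msg = ev.get("msg", "")
        if ev.get("exchange") == "IKE_AUTH" and ev.get("payload") == "CERT":
            size = int(ev.get("bytes", "0"))
            if size > CERT_PAYLOAD_BYTES_THRESHOLD:
                findings.append(("high", f"oversized IKE_AUTH CERT payload ({size} bytes) from {src}"))
        m = CHAIN_RE.search(msg)
        if m and int(m.group(1)) > MAX_CERT_CHAIN:
            findings.append(("high", f"certificate chain of {m.group(1)} entries from {src}"))
        if CRASH_RE.search(msg):
            # A failed attempt against a memory-corruption bug often shows up as a crash.
            findings.append(("medium", f"iked crash/hang: {msg}"))
    return findings


def hunt(lines):
    """Run classify() over every line; return (findings, per-source hit count)."""
    findings, by_src = [], Counter()
    for line in lines:
        src = parse_kv(line).get("src", "?")
        for sev, reason in classify(line):
            findings.append((sev, src, reason))
            by_src[src] += 1
    return findings, by_src


# Constructed sample log lines (not real Fireware output; 203.0.113.10 is the Firebox).
SAMPLE_LOGS = [
    'ts=2025-12-21T03:14:07Z proc=fw dir=in src=45.95.19.50 dst=203.0.113.10 dport=500 proto=udp',
    'ts=2025-12-21T03:14:09Z proc=iked exchange=IKE_AUTH payload=CERT bytes=65000 src=45.95.19.50 msg="CERT payload received"',
    'ts=2025-12-21T03:14:09Z proc=iked src=45.95.19.50 msg="certificate chain length 12 exceeds limit"',
    'ts=2025-12-21T03:14:10Z proc=iked src=45.95.19.50 msg="iked crashed, supervisor restarting process"',
    'ts=2025-12-21T03:14:40Z proc=fw dir=out src=203.0.113.10 dst=199.247.7.82 dport=443 proto=tcp',
    'ts=2025-12-21T03:15:00Z proc=fw dir=in src=198.51.100.7 dst=203.0.113.10 dport=500 proto=udp',
    'ts=2025-12-21T03:15:05Z proc=iked exchange=IKE_AUTH payload=CERT bytes=1200 src=198.51.100.7 msg="CERT payload received"',
]

if __name__ == "__main__":
    found, tally = hunt(SAMPLE_LOGS)
    for sev, src, reason in found:
        print(f"[{sev:6}] {src:15} {reason}")
    print("hits per source:", dict(tally))
```

The severities encode the advisory's own weighting: an outbound session from the firewall to an indicator IP is treated as a probable compromise, whereas an inbound probe from the same address only shows that someone is knocking. The per-source tally is what makes the sequence visible: a single peer that probes, sends an oversized CERT payload, triggers a long-chain log message and then crashes iked is a far stronger signal than any one of those lines alone.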

As CVE exploitation activity increases and risks escalate for federal and high-value targets, defenders must respond rapidly to minimize potential impact. Organizations can leverage SOC Prime’s AI-native Detection Intelligence Platform for real-time defense, helping them smoothly implement automated workflows from detection to simulation and always stay ahead of critical threats backed by an extensive library of curated detection rules, actionable intelligence, and AI.

The post CVE-2025-14733 Vulnerability: WatchGuard Addresses a Critical RCE Affecting Firebox Firewalls, Actively Exploited for Real-World Attacks appeared first on SOC Prime.