WatchGuard Fireware CVE-2025-14733: Out-of-Bounds Write in iked Enables Unauthenticated RCE on 117,490+ Exposed Firewalls

What happens when an out-of-bounds memory write flaw affects the core IKE authentication daemon of enterprise firewalls, enabling unauthenticated remote code execution on tens of thousands of exposed perimeter devices? WatchGuard found out the hard way. CVE-2025-14733 (CVSS 9.3) is a critical vulnerability in Fireware OS that has been actively exploited in the wild since at least December 2025. The vulnerability allows remote attackers without authentication credentials to execute arbitrary code on vulnerable Firebox appliances by sending specially crafted IKEv2 protocol packets. As of late December 2025, the Shadowserver Foundation reports 117,490 internet-exposed WatchGuard Fireware instances vulnerable to this flaw, with 35,600 in the United States alone, 13,000 in Germany, 11,300 in Italy, 9,000 in the U.K., and 5,800 in Canada. CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) catalog on December 19, 2025, requiring Federal Civilian Executive Branch agencies to patch within one week. Unlike many perimeter vulnerabilities that require internal reconnaissance or credential access, this flaw permits direct, unauthenticated compromise from the internet—making it a particularly dangerous asset for threat actors targeting critical infrastructure, financial services, government, and healthcare organizations.

Vulnerability Root Cause (Out-of-Bounds Write in iked): CVE-2025-14733 is triggered by a logic flaw in the Internet Key Exchange (IKE) daemon (iked) that processes IKEv2 protocol handshakes. The vulnerability exists in how the daemon handles certificate chains within the IKE_AUTH payload. When a specially crafted IKEv2 packet containing an abnormally large certificate payload (exceeding normal size expectations) reaches the iked process, the daemon fails to properly validate the size of the certificate chain before writing it to an allocated buffer. This results in a classic out-of-bounds write condition, allowing attackers to overwrite adjacent memory regions and corrupt the process state. Because iked runs with elevated privileges and handles cryptographic operations, arbitrary code execution becomes possible once memory corruption is achieved.

Affected VPN Configurations & Versions: WatchGuard identified that the vulnerability impacts both mobile user VPN with IKEv2 and branch office VPN (BOVPN) configurations when set to use IKEv2 with a dynamic gateway peer. Affected Fireware OS versions include 2025.1 (fixed in 2025.1.4), 12.x (fixed in 12.11.6), 12.5.x T15/T35 models (fixed in 12.5.15), and 12.3.1 FIPS release (fixed in 12.3.1_Update4 B728352). Version 11.x (11.10.2 through 11.12.4_Update1) is end-of-life with no patch. A critical detail: even if an administrator deletes mobile VPN with IKEv2 or BOVPN with IKEv2 to a dynamic peer, residual configurations may leave the firewall vulnerable if any branch office VPN to a static peer is still configured. This “legacy configuration” vulnerability pattern extends the affected population beyond devices actively running the vulnerable VPN types.

Active Exploitation Campaign: WatchGuard confirmed threat actors have been actively attempting to exploit CVE-2025-14733 since early-to-mid December 2025. The company identified at least four distinct attacker IP addresses from which exploitation attempts originated: 45.95.19.50, 51.15.17.89, 172.93.107.67, and 199.247.7.82. Notably, the IP 199.247.7.82 was also linked by Arctic Wolf to concurrent attacks exploiting two recently disclosed Fortinet FortiOS vulnerabilities (CVE-2025-59718 and CVE-2025-59719, both CVSS 9.8), suggesting either the same threat actor group targeting multiple perimeter devices or coordinated targeting across heterogeneous edge networking infrastructure. The timing, within days of the vulnerability becoming known, demonstrates the speed at which critical infrastructure flaws are weaponized.

Indicators of Compromise: WatchGuard released specific indicators that network defenders can monitor for exploitation attempts or successful infection: (1) Log messages stating “Received peer certificate chain is longer than 8. Reject this certificate chain” when the Firebox receives an IKEv2 IKE_AUTH payload with more than 8 certificates; (2) IKE_AUTH request logs with abnormally large CERT payload sizes (greater than 2000 bytes); (3) During exploit execution, the iked process hangs, disrupting VPN connections; (4) After exploitation (successful or failed), the iked process crashes and generates a fault report on the Firebox. These indicators are valuable for detecting in-flight attacks or evidence of compromise in firewall logs.

CVE-2025-14733 represents a perfect storm of vulnerability characteristics that make it exceptionally dangerous for enterprise environments. First, it requires no authentication—attackers do not need valid VPN credentials, administrative access, or any form of prior compromise to trigger the flaw. A single malformed IKEv2 packet sent from the internet to UDP port 500 (IKE protocol) is sufficient. Second, it grants arbitrary code execution with the privileges of the iked daemon, which operates at the kernel level on many Fireware deployments, enabling complete firewall compromise. Third, the exploitation is reliable and deterministic; the memory corruption is triggered by predictable packet sequences, reducing the likelihood of failed exploit attempts that might alert defenders.

The operational impact is severe. A compromised WatchGuard Firewall becomes a beachhead for lateral movement into protected networks. Attackers gain the ability to intercept, modify, or drop VPN traffic, inject malicious content into corporate networks, exfiltrate data, deploy persistent backdoors, and conduct man-in-the-middle attacks against encrypted traffic. For organizations relying on VPN for remote worker access, merger & acquisition activities, or branch office connectivity, a compromised firewall transforms the entire VPN infrastructure into an attack vector. The attacker gains visibility into which employees, contractors, and remote offices are connecting, when they connect, and what resources they access.

The geographic concentration of exposure amplifies risk for specific regions. With 35,600 vulnerable instances in the United States (30% of the global exposed population), American organizations in finance, government, healthcare, and critical infrastructure sectors face disproportionate risk. A single attacker could theoretically compromise thousands of firewalls across a specific industry vertical through automated scanning and exploitation. The fact that CISA mandated Federal agency patching within seven days (by December 26, 2025) underscores the intelligence community’s assessment of immediate operational threat.

The convergence with Fortinet FortiOS exploitation by the same attacker IP (199.247.7.82) suggests a coordinated campaign targeting edge security infrastructure broadly. Organizations running heterogeneous perimeter stacks (WatchGuard, Fortinet, Palo Alto Networks, Cisco) face simultaneous vulnerability windows. If an attacker successfully compromises one perimeter device, they may pivot to others, using reconnaissance data from the first breach to inform subsequent attacks.

Recovery complexity adds another layer of operational risk. Because iked is the core authentication daemon, a successful compromise may leave forensic evidence difficult to trace. Attackers can clear logs, manipulate VPN session records, and install rootkits at the kernel level. Determining what data was accessed, when, and by whom becomes nearly impossible without comprehensive network telemetry external to the firewall itself.

Technical Exploit Mechanics: The attack begins with network reconnaissance. Attackers use tools like Shodan, Censys, or custom mass-scanning infrastructure to identify internet-facing WatchGuard Fireware instances by fingerprinting IKE protocol responses on UDP port 500. Fireware instances respond with specific IKE exchange patterns that allow identification by software and version. Once a target is identified, the attacker crafts a specially constructed IKEv2 handshake packet designed to trigger the out-of-bounds write. The malicious packet is an IKE_AUTH request containing a certificate chain payload much larger than the daemon expects (typically exceeding 2000 bytes, where normal payloads are under 500 bytes). The iked daemon attempts to write this oversized chain to a fixed-size buffer on the stack or heap without bounds checking, causing memory corruption.

Memory Corruption to Code Execution: Once the out-of-bounds write is triggered, the attacker’s payload (embedded within the certificate chain) overwrites adjacent memory regions. If the corruption targets function pointers, return addresses on the stack, or heap metadata structures, the attacker can redirect execution to attacker-controlled code. Modern exploits may use return-oriented programming (ROP) gadgets available within the iked binary to chain together existing instructions and achieve arbitrary code execution without injecting new machine code. The execution occurs in the context of the iked process, which runs with elevated privileges.

Persistence & Post-Exploitation: Once code execution is achieved within iked, the attacker can escalate privileges, disable security features, install rootkits, and establish persistent remote access. On many Fireware deployments, iked runs at ring 0 or with capabilities sufficient to load kernel modules. Attackers can deploy a custom kernel-mode backdoor that survives reboots and continues accepting encrypted remote commands even after firewall patches are applied (if the firewall is rebooted before patching or if administrators don’t fully rebuild the device).

Detection & Incident Response Procedures:

  • Immediate Threat Hunting: Search firewall logs for IKE_AUTH requests with abnormally large CERT payloads (>2000 bytes). Flag any instances of “Received peer certificate chain is longer than 8. Reject this certificate chain” messages. Monitor for iked process crashes and restarts in the fault log. Check for unexpected outbound VPN connections or new peer definitions that weren’t previously configured.
  • Firewall Telemetry Analysis: Export and analyze IKE protocol session logs from the week of December 19 onward to identify exploitation attempts. Use time-series analysis to correlate iked process crashes with specific source IP addresses. Cross-reference attacker IPs (45.95.19.50, 51.15.17.89, 172.93.107.67, 199.247.7.82) against firewall deny logs to confirm attack attempts were logged.
  • Network Segmentation & Access Control: Immediately restrict access to the firewall management interface to known administrative IP ranges. If possible, move firewall administration to an out-of-band management network isolated from the internet. Implement strict rate limiting on IKE protocol traffic to slow exploitation attempts. Disable IKEv2 VPN configurations if not actively used; switch to IKEv1 if available as a temporary mitigation.
  • Patching Strategy: Prioritize patching in this order: (1) internet-facing VPN concentrators, (2) firewalls in DMZs, (3) branch office firewalls, (4) internal firewalls. Apply patches during maintenance windows but accelerate the timeline given active exploitation. After patching, verify the iked process version matches the patched release. Monitor iked memory usage and CPU consumption post-patch to detect anomalies.
  • Backup & Recovery Preparation: Before patching, back up the current firewall configuration. If a firewall shows signs of compromise (kernel rootkits, unexpected processes), do not simply patch and reboot; perform a full factory reset, reconfigure from a known-good backup, and restore VPN configurations manually. This ensures any backdoors embedded during exploitation are removed.
  • External Validation: If compromise is suspected, engage incident response resources to conduct out-of-band forensic analysis. Extract memory dumps and firmware images from the affected firewall using specialized hardware interfaces. Send samples to threat intelligence providers for analysis. Perform full VPN session audits covering the period of potential exposure to identify which users or systems accessed the network through the compromised firewall.
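The threat-hunting steps above and the four WatchGuard indicators of compromise described earlier can be applied to exported Firebox logs with a short script. The following is an added example, not WatchGuard's code or tooling; the log line layout it matches is an assumption (the page does not show the real Fireware format), so the sample lines are constructed and the regexes must be adapted to your own export.

```python
import re

# Indicators taken from the advisory text above: the four attacker IPs, the
# rejection message for chains of more than 8 certificates, the 2000-byte CERT
# payload threshold, and iked hangs/crashes that leave a fault report.
ATTACKER_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}
CHAIN_MSG = "Received peer certificate chain is longer than 8"
CERT_PAYLOAD_MAX = 2000  # bytes; IKE_AUTH CERT payloads above this are suspicious

# ASSUMED line shapes: the exact Fireware log layout is not on the page, so the
# constructed sample below follows these patterns. Adjust them to your export.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CERT_RE = re.compile(r"IKE_AUTH.*CERT payload (?:size|len)[=: ]+(\d+)", re.I)
CRASH_RE = re.compile(r"iked.*\b(crash\w*|fault report|hang\w*|not responding)\b", re.I)

def scan_ike_logs(lines):
    """Return (line_no, indicator, src_ip) tuples; one line can yield several."""
    findings = []
    for n, line in enumerate(lines, 1):
        ips = sorted(set(IP_RE.findall(line)))
        # Attribute the finding to a known attacker IP if present, else any IP on the line.
        src = next((ip for ip in ips if ip in ATTACKER_IPS), ips[0] if ips else None)
        if CHAIN_MSG in line:
            findings.append((n, "cert_chain_gt_8", src))
        m = CERT_RE.search(line)
        if m and int(m.group(1)) > CERT_PAYLOAD_MAX:
            findings.append((n, "large_cert_payload", src))
        if CRASH_RE.search(line):
            findings.append((n, "iked_crash_or_hang", src))
        if src in ATTACKER_IPS:
            findings.append((n, "known_attacker_ip", src))
    return findings

def summarize(findings):
    """Count findings per indicator, e.g. {'large_cert_payload': 2, ...}."""
    counts = {}
    for _, indicator, _ in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts

def suspect_ips(findings):
    """Distinct source IPs attached to any finding, for blocklist review."""
    return sorted({src for _, _, src in findings if src})

# Constructed sample log lines (not real Firebox output).
SAMPLE_LOGS = [
    "2025-12-18 03:14:07 iked IKE_AUTH request from 199.247.7.82:500 CERT payload size=2312",
    "2025-12-18 03:14:07 iked Received peer certificate chain is longer than 8. Reject this certificate chain",
    "2025-12-18 03:14:09 kernel iked process crashed, fault report written",
    "2025-12-18 08:00:01 iked IKE_AUTH request from 203.0.113.10:500 CERT payload size=412",
    "2025-12-18 09:30:44 iked IKE_AUTH request from 198.51.100.7:4500 CERT payload size=2048",
]
```

Running `scan_ike_logs(SAMPLE_LOGS)` on the constructed lines yields five findings; a crash line that carries no source address still counts, since the fault report alone is an indicator, and `suspect_ips` returns both the known attacker address and the unlisted one that sent an oversized CERT payload.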

CVE-2025-14733 is the second critical Fireware OS vulnerability WatchGuard has disclosed within a month. In November 2025, CISA added CVE-2025-9242 (CVSS 9.3, also in Fireware) to its KEV catalog after active exploitation was confirmed. The back-to-back critical flaws in Fireware OS suggest either a concentrated security research effort targeting WatchGuard specifically, or the emergence of a new threat actor group specializing in perimeter device exploitation. The convergence of WatchGuard and Fortinet exploitation by overlapping attacker infrastructure (the shared IP 199.247.7.82) indicates a broader campaign against edge networking equipment from multiple vendors. This reflects a strategic shift by threat actors away from endpoint-centric attacks toward infrastructure-centric compromise, where a single firewall breach enables access to thousands of corporate networks simultaneously.

Historically, perimeter device vulnerabilities have a long operational window before mass exploitation. The Fortinet FortiOS CVE-2020-12812 2FA bypass, disclosed in 2020, remained actively exploited for over five years despite multiple public warnings. WatchGuard Fireware flaws have similarly persisted in operational networks for years after disclosure. The lesson is clear: organizations are slow to patch perimeter devices, either due to operational complexity (firewall restarts impact all network traffic), testing requirements, or simple neglect. Attackers have learned to exploit this inertia, targeting years-old CVEs in production networks long after patching becomes available.

The IKE protocol itself—the target of this vulnerability—represents a critical legacy technology. IKEv2 is the modern variant, standardized since 2010, yet many organizations continue running IKEv1 alongside it for backward compatibility. The protocol operates in the kernel space on many implementations, meaning a single flaw can grant code execution with the highest privilege level on the system. The complexity of IKE implementations (hundreds of states, cryptographic operations, certificate validation) creates a large attack surface for memory safety issues like out-of-bounds writes.

From a threat actor perspective, firewall compromise is the ultimate objective of many intrusions. A compromised perimeter device provides persistent network access that survives endpoint patching, user credential resets, and even operating system upgrades. Defenders inside the network often assume the firewall is trustworthy, creating a false sense of security. Attackers exploit this assumption, positioning themselves as a man-in-the-middle for all VPN traffic, exfiltrating sensitive data, intercepting credentials, and deploying secondary payloads into the corporate network with minimal detection risk.

The geographic spread of vulnerable instances (117,490 globally) reflects both the popularity of WatchGuard in small-to-medium enterprises and the generally poor patch adoption rates in that segment. Smaller organizations often lack dedicated security teams to manage perimeter devices, treating them as “set and forget” appliances. These organizations are ideal targets for commodity exploitation campaigns, as discovery is trivial (public scanning databases), exploitation is automated, and post-compromise detection is minimal.

Official Advisories & Technical Analysis:

Vulnerability & Configuration Details:

  • CVE-2025-14733 CVSS 9.3 – Out-of-bounds write in iked (IKE daemon) process affecting Fireware 2025.1, 12.x, 12.5.x (T15/T35), and 12.3.1 FIPS releases. Unauthenticated remote code execution via specially crafted IKEv2 packets.
  • Affected Fireware Versions (Vulnerable & Patched):
    • 2025.1 – Vulnerable, fixed in 2025.1.4
    • 12.11.x – Vulnerable, fixed in 12.11.6
    • 12.5.x (T15/T35) – Vulnerable, fixed in 12.5.15
    • 12.3.1 (FIPS) – Vulnerable, fixed in 12.3.1_Update4 (B728352)
    • 11.x (11.10.2-11.12.4_Update1) – End-of-Life, no patch available
  • Vulnerable VPN Configurations: Mobile user VPN with IKEv2, branch office VPN (BOVPN) with IKEv2 and dynamic gateway peer. Legacy configurations (previously deleted VPNs) may retain vulnerability if any BOVPN to static peer is still configured.
  • Active Attacker IP Addresses:
    • 45.95.19.50
    • 51.15.17.89
    • 172.93.107.67
    • 199.247.7.82 (also linked to concurrent Fortinet FortiOS CVE-2025-59718 & CVE-2025-59719 exploitation)
  • Indicators of Compromise: Log messages “Received peer certificate chain is longer than 8…”, IKE_AUTH payloads >2000 bytes, iked process hangs/crashes, unexpected fault reports in device logs.
  • Geographic Exposure (CVE-2025-14733): 117,490 total instances exposed; 35,600 United States, 13,000 Germany, 11,300 Italy, 9,000 United Kingdom, 5,800 Canada, ~43,000 distributed across remaining countries.
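The version table above is the input for the inventory step recommended later on the page. The following added Python example (not a WatchGuard tool) classifies a Fireware version string against that table; the branch rules are an assumed reading of it (12.5.x is fixed in 12.5.15 only on T15/T35 models, 12.3.1 only on the FIPS release, any other 12.x moves to 12.11.6), and the hostnames in the inventory are constructed.

```python
import re

# Fixed releases as listed in the advisory text above. The branch rules are an
# ASSUMED reading of that table: 12.5.x gets 12.5.15 only on T15/T35 models,
# 12.3.1 gets Update4 only on the FIPS release, and every other 12.x moves to
# 12.11.6. Versions the advisory does not mention are reported as "unknown".
EOL_RANGE = ("11.10.2", "11.12.4_Update1")  # 11.x: end-of-life, no patch

# e.g. "12.3.1_Update4 B728352": version, optional _UpdateN, optional build id (ignored)
VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?(?:\s+B\d+)?$")

def parse_version(text):
    """'12.3.1_Update4 B728352' -> (12, 3, 1, 4); '2025.1' -> (2025, 1, 0, 0)."""
    m = VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad to major.minor.patch
    return tuple(parts[:3]) + (int(m.group(2) or 0),)  # Update number as 4th field

def fireware_status(version, t15_t35=False, fips=False):
    """Return (status, fixed_release): 'patched', 'vulnerable', 'eol' or 'unknown'."""
    v = parse_version(version)
    if parse_version(EOL_RANGE[0]) <= v <= parse_version(EOL_RANGE[1]):
        return ("eol", None)
    if v[:2] == (2025, 1):
        fixed = "2025.1.4"
    elif v[:2] == (12, 5) and t15_t35:
        fixed = "12.5.15"
    elif v[:3] == (12, 3, 1) and fips:
        fixed = "12.3.1_Update4"
    elif v[0] == 12:
        fixed = "12.11.6"
    else:
        return ("unknown", None)
    return ("patched" if v >= parse_version(fixed) else "vulnerable", fixed)

def needs_action(inventory):
    """Hosts that must be patched or replaced, with status and target release, in inventory order."""
    out = []
    for host in inventory:
        status, fixed = fireware_status(host["version"], host.get("t15_t35", False), host.get("fips", False))
        if status in ("vulnerable", "eol"):
            out.append((host["name"], status, fixed))
    return out

# Constructed inventory (hostnames and versions invented for this example).
INVENTORY = [
    {"name": "fw-hq-edge", "version": "12.11.5"},
    {"name": "fw-branch-t35", "version": "12.5.14", "t15_t35": True},
    {"name": "fw-gov-fips", "version": "12.3.1_Update4 B728352", "fips": True},
    {"name": "fw-lab-new", "version": "2025.1.3"},
    {"name": "fw-legacy", "version": "11.12.4_Update1"},
]
```

Note that a 12.5.x box that is not a T15/T35 falls into the generic 12.x rule and is reported against 12.11.6, and an end-of-life 11.x device has no target release at all, which is the replacement case.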

Related Threat Context:

Detection & Response Resources: Organizations are advised to subscribe to WatchGuard security advisories, implement Shadowserver CVE-2025-14733 alert feeds for real-time vulnerable instance discovery within their networks, cross-reference firewall logs against the four confirmed attacker IPs, and conduct immediate inventory of all Fireware instances to identify patch status. Federal agencies must complete remediation by December 26, 2025, per CISA mandate. Commercial organizations should target completion within 30 days given active exploitation confirmed in the wild.