WatchGuard has issued a warning to its customers regarding a severe and actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls.
Tracked as CVE-2025-14733, this security flaw affects firewalls running Fireware OS 11.x and newer (including 11.12.4_Update1), 12.x and above (up to 12.11.5), and 2025.1 versions up to and including 2025.1.3.
The vulnerability stems from an out-of-bounds write that lets unauthenticated attackers execute arbitrary code remotely on unpatched devices. Exploitation is low-complexity and requires no user interaction.
Although only Firebox firewalls configured for IKEv2 VPN are directly susceptible, WatchGuard cautioned that such devices can remain vulnerable even after the IKEv2 settings have been removed, as long as a branch office VPN to a static gateway peer still exists.
“If the Firebox was formerly set up with the mobile user VPN utilizing IKEv2 or a branch office VPN linked to a dynamic gateway peer, and those settings have been eliminated, the unit remains at risk if a branch office VPN to a static gateway peer is in place,” WatchGuard explained in a recent advisory.
“WatchGuard has documented instances of threat actors actively trying to exploit this vulnerability,” the company cautioned.
Additionally, the company has offered a temporary workaround for organizations unable to promptly update devices with vulnerable Branch Office VPN (BOVPN) configurations. This requires administrators to disable dynamic peer BOVPNs, implement new firewall policies, and deactivate default system policies managing VPN traffic.
| Product Branch | Vulnerable firewall models |
|---|---|
| Fireware OS 12.5.x | T15, T35 |
| Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |
| Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
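For fleet triage, the affected-version ranges and the VPN-configuration condition above can be turned into a single check. The following is an added example, not WatchGuard's code or tooling; it assumes Fireware version strings in the forms shown on this page (e.g. `12.11.5`, `11.12.4_Update1`, `2025.1.3`) and conservatively treats any static-peer BOVPN as exposing a vulnerable version, since an administrator cannot always tell whether IKEv2 was configured at some point in the past.

```python
import re
from dataclasses import dataclass

# Affected Fireware OS ranges as stated in the advisory summary above:
#   11.x               (all releases, including 11.12.4_Update1)
#   12.0 .. 12.11.5    (inclusive)
#   2025.1 .. 2025.1.3 (inclusive)
# A version outside these ranges is reported as "outside stated ranges",
# which is not the same as "fixed": check the vendor advisory for the fix release.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_fireware_version(text):
    """Turn '12.11.5' or '11.12.4_Update1' into a comparable (maj, min, patch, update) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0, 0))[:3]          # pad/truncate to three numeric components
    return parts + (int(m.group(2) or 0),)   # _UpdateN suffix becomes a fourth component


def version_in_affected_range(text):
    v = parse_fireware_version(text)
    if v[0] == 11:
        return True
    if v[0] == 12:
        return v[:3] <= (12, 11, 5)
    if v[0] == 2025 and v[1] == 1:
        return v[:3] <= (2025, 1, 3)
    return False


@dataclass
class VpnConfig:
    # Hypothetical inventory flags; populate them from your own config export.
    ikev2_mobile_vpn: bool = False
    bovpn_dynamic_peer: bool = False
    bovpn_static_peer: bool = False


def exposure(version, cfg):
    """Return (needs_action, reason) for one Firebox, per the conditions in the advisory."""
    if not version_in_affected_range(version):
        return False, "Fireware version outside the stated affected ranges"
    if cfg.ikev2_mobile_vpn or cfg.bovpn_dynamic_peer:
        return True, "IKEv2 mobile user VPN or dynamic-peer BOVPN configured"
    if cfg.bovpn_static_peer:
        # Advisory: still at risk if IKEv2 was ever configured; assume it may have been.
        return True, "static-peer BOVPN present on a vulnerable version"
    return False, "vulnerable version, but no IKEv2 VPN configuration found; patch anyway"
```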
WatchGuard disclosed indicators of compromise to assist customers in determining if their Firebox devices have been breached. It also advised those discovering signs of malicious activity to rotate any locally stored secrets on the affected devices.
In September, WatchGuard rectified another significant RCE vulnerability affecting its Firebox devices (CVE-2025-9242). A month later, the Internet watchdog Shadowserver identified over 75,000 Firebox firewalls at risk from CVE-2025-9242, predominantly in North America and Europe.
Three weeks later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) designated the flaw as actively exploited and instructed federal agencies to ensure their WatchGuard Firebox firewalls were secured against ongoing attacks.
Two years ago, CISA directed U.S. government entities to patch another actively exploited vulnerability in WatchGuard products (CVE-2022-23176) that affected Firebox and XTM devices targeted by state-sponsored actors.
Today, WatchGuard collaborates with over 17,000 service providers and security resellers, safeguarding the networks of more than 250,000 small and mid-sized businesses globally.