WatchGuard Patches Actively Exploited Critical Fireware OS Vulnerability (CVE-2025-14733) WatchGuard has released emergency patches for a critical security flaw in Fireware OS (CVE-2025-14733, CVSS 9.3) that has been exploited in real-world attacks. The vulnerability, an out-of-bounds write in the iked process, allows remote unauthenticated attackers to execute arbitrary code on affected systems. The flaw impacts Fireware OS configurations using IKEv2 for mobile user VPNs or branch office VPNs (BOVPNs) with dynamic gateway peers. Even if these configurations were later deleted, devices may remain vulnerable if a BOVPN with a static gateway peer is still active. Affected versions include: - 2025.1 (fixed in 2025.1.4) - 12.x (fixed in 12.11.6) - 12.5.x (T15 & T35 models) (fixed in 12.5.15) - 12.3.1 (FIPS-certified) (fixed in 12.3.1_Update4) - 11.x (11.10.2–11.12.4_Update1) (end-of-life, no patch available) WatchGuard confirmed active exploitation attempts, with attacks traced to the IP address 199.247.7[.]82—the same address linked to recent Fortinet FortiOS vulnerabilities (CVE-2025-59718, CVE-2025-59719). Indicators of compromise (IoCs) include: - Logs showing rejected IKE2 certificate chains exceeding 8 certificates. - IKE_AUTH requests with abnormally large CERT payloads (>2000 bytes). - iked process crashes or hangs, disrupting VPN connections. This disclosure follows CISA’s addition of another critical WatchGuard flaw (CVE-2025-9242, CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalog last month, though no direct link between the two campaigns has been established. As a temporary mitigation, administrators can disable dynamic peer BOVPNs, restrict access to static IP peers via firewall policies, and disable default VPN traffic policies. Patches should be applied immediately to mitigate risk.

A critical vulnerability (CVE-2025-9242, CVSS 9.3) in WatchGuard Firebox network security appliances exposes 75,835+ devices globally, primarily in the U.S., Germany, and Europe. The flaw—an out-of-bounds write in the Fireware OS ‘iked’ process—allows unauthenticated remote code execution via malicious IKEv2 VPN packets. Affected versions (11.10.2–11.12.4_Update1, 12.0–12.11.3, 2025.1) lack patches unless upgraded to 2025.1.1, 12.11.4, or 12.5.13. End-of-life 11.x versions remain permanently vulnerable. While no active exploitation is confirmed, the flaw enables attackers to bypass authentication, execute arbitrary code, and potentially compromise internal networks protected by these appliances. Organizations relying on Firebox for VPN gateways, traffic filtering, or cloud security face heightened risk of lateral movement, data exfiltration, or full system takeover if unpatched. Shadowserver Foundation’s scans confirm the exposure is not honeypots, urging immediate patching or mitigation via IPSec/IKEv2 hardening for static gateways.

WatchGuard Patches Critical Privilege-Escalation Flaw in Mobile VPN IPSec Client for Windows WatchGuard has issued a security advisory addressing a significant privilege-escalation vulnerability (WGSA-2026-00002 / NCPVE-2025-0626) in its Mobile VPN with IPSec client for Windows, which could allow local attackers to execute arbitrary commands with SYSTEM-level privileges. The flaw stems from underlying software technology provided by NCP Engineering and affects the installation management process, enabling attackers to bypass administrative protections. The vulnerability manifests during installation, updates, or uninstallation of the software, where the MSI installer launches command-line windows (cmd.exe) running under the SYSTEM account the highest privilege level in Windows. On older Windows versions, these command prompts are interactive, allowing attackers to interrupt the process, interact with the open prompt, and execute malicious commands with inherited SYSTEM rights. While the CVSS score is 6.3 (Medium), the impact metrics rate Confidentiality, Integrity, and Availability as High, indicating a full system compromise if exploited. The flaw affects WatchGuard Mobile VPN with IPSec client versions up to and including 15.19. No workarounds exist, and remediation requires upgrading to version 15.33 or higher, which modifies installer behavior to prevent exposure of elevated command prompts. Organizations using legacy Windows systems are at heightened risk due to the interactive nature of the vulnerability. WatchGuard and NCP Engineering have released the patch to address the issue.

WatchGuard disclosed CVE-2025-9242, a critical remote code execution (RCE) vulnerability in its Firebox firewalls due to an out-of-bounds write flaw in the iked process (IKEv2 VPN component). The vulnerability allows unauthenticated attackers to execute arbitrary code on affected devices, even if previously vulnerable configurations (mobile user VPN or dynamic gateway peer BOVPN) were deleted—if a static gateway peer BOVPN remains active. The flaw impacts Fireware OS 11.x (EOL), 12.x, and 2025.1, with patches released in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1. Over 250,000 SMBs using WatchGuard’s firewalls (models: T15 to M690, Firebox Cloud, FireboxV, etc.) are at risk. While no active exploitation is reported, the vulnerability poses a severe threat, as firewalls are prime targets for ransomware groups (e.g., Akira exploiting SonicWall’s CVE-2024-40766). CISA previously mandated patches for a similar WatchGuard flaw (2022) exploited in attacks. Unpatched systems risk full device compromise, enabling lateral movement, data exfiltration, or ransomware deployment. WatchGuard provided a temporary workaround (disabling dynamic BOVPNs, modifying firewall policies) but urges immediate patching to prevent potential supply-chain attacks or mass exploitation by threat actors.