
Security Breach: WatchGuard Firebox Firewall Vulnerability Exposed in Recent Attacks


WatchGuard Urges Patching of Critical Remote Code Execution Vulnerability in Firebox Firewalls

WatchGuard, a leading cybersecurity company, has issued a warning to its customers regarding a critical remote code execution (RCE) vulnerability that is actively being exploited in its Firebox firewalls.

The vulnerability, identified as CVE-2025-14733, impacts firewalls running Fireware OS versions 11.x and later, including 11.12.4_Update1, 12.x and later (including 12.11.5), as well as 2025.1 up to and including 2025.1.3.
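The version ranges above are easy to misread during inventory triage, because Fireware version strings mix plain dotted releases ("12.11.5"), short branch labels ("2025.1") and "_UpdateN" suffixes ("11.12.4_Update1"). The following Python helper, added here as an example and not code from WatchGuard or the article, parses those strings and flags each device against the highest affected version the article lists per branch. Two assumptions are its own: that the "_UpdateN" suffix sorts as the least significant component, and that because the article does not state the fixed release, any version above a listed ceiling is reported as "above_listed" (to be confirmed against the vendor advisory) rather than assumed safe. The hostnames and model assignments in the sample inventory are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# Highest affected version the article lists for each Fireware OS branch
# (CVE-2025-14733). Versions above these are reported as "above_listed":
# the article does not state the fixed release, so that case must be
# checked against the vendor advisory rather than treated as safe.
AFFECTED_CEILINGS = {
    11: "11.12.4_Update1",
    12: "12.11.5",
    2025: "2025.1.3",
}


class Version(NamedTuple):
    parts: Tuple[int, ...]  # dotted numeric components, e.g. (12, 11, 5)
    update: int             # trailing "_UpdateN" suffix, 0 when absent


# Accepts "12.11.5", "2025.1", "11.12.4_Update1"; rejects wildcards like "12.x"
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    update = int(m.group(2)) if m.group(2) else 0
    return Version(parts, update)


def version_key(v: Version, width: int = 4) -> Tuple[int, ...]:
    # Zero-pad so "2025.1" sorts below "2025.1.3". The update number is the
    # least significant component (assumption), so 11.12.4 < 11.12.4_Update1.
    return v.parts + (0,) * (width - len(v.parts)) + (v.update,)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is below, equal to or above b."""
    ka, kb = version_key(parse_version(a)), version_key(parse_version(b))
    return (ka > kb) - (ka < kb)


def assess(version: str) -> str:
    """Classify one Fireware version string against the article's ranges."""
    v = parse_version(version)
    branch = v.parts[0]
    if branch not in AFFECTED_CEILINGS:
        return "not_listed_branch"
    if compare_versions(version, AFFECTED_CEILINGS[branch]) <= 0:
        return "affected"
    return "above_listed"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Annotate (host, model, version) rows with their assessment."""
    return [(host, model, ver, assess(ver)) for host, model, ver in inventory]


# Constructed sample inventory: hostnames and model assignments are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "T40", "12.11.5"),
    ("fw-branch-02", "M290", "12.11.6"),
    ("fw-legacy-01", "T35", "11.12.4_Update1"),
    ("fw-hq-01", "T185", "2025.1.3"),
    ("fw-hq-02", "T145", "2025.2.0"),
]

if __name__ == "__main__":
    for host, model, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {model:6} {ver:18} {status}")
```

Feeding the script a real inventory export is a matter of replacing SAMPLE_INVENTORY; a parse error on a malformed version string is deliberately raised rather than silently skipped, so an unexpected format cannot hide an unpatched device.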

This security flaw stems from an out-of-bounds write weakness that allows unauthenticated attackers to remotely execute malicious code on unpatched devices. It can be exploited in low-complexity attacks that require no user interaction.

The vulnerability primarily affects Firebox firewalls configured to use IKEv2 VPN. Even if such a configuration has since been removed, a device may still be at risk if a branch office VPN to a static gateway peer remains in place.

WatchGuard has observed threat actors actively exploiting this vulnerability in the wild, underscoring the urgency of applying patches promptly.

For organizations unable to immediately patch vulnerable Branch Office VPN (BOVPN) configurations, WatchGuard has provided a temporary workaround. This involves disabling dynamic peer BOVPNs, implementing new firewall policies, and deactivating default system policies handling VPN traffic.

Affected Firewall Models by Product Branch

Product Branch          Vulnerable firewall models
Fireware OS 12.5.x      T15, T35
Fireware OS 2025.1.x    T115-W, T125, T125-W, T145, T145-W, T185
Fireware OS 12.x        T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard has shared indicators of compromise to assist customers in checking for potential breaches on their Firebox devices. If any malicious activity is detected, it is recommended to rotate all locally stored secrets on vulnerable appliances.

In a previous incident in September, WatchGuard addressed a similar RCE vulnerability (CVE-2025-9242) affecting its Firebox firewalls. Subsequently, over 75,000 vulnerable Firebox firewalls were identified by Shadowserver, with a significant concentration in North America and Europe.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) classified the CVE-2025-9242 vulnerability as actively exploited in the wild, prompting federal agencies to strengthen the security of WatchGuard Firebox firewalls.

Notably, CISA had previously instructed U.S. government agencies to patch another actively exploited WatchGuard flaw (CVE-2022-23176) that impacted Firebox and XTM firewall appliances.

WatchGuard, with a vast network of over 17,000 service providers and security resellers, safeguards the networks of more than 250,000 small and mid-sized companies globally.
