Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks.

The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.

Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction.

As WatchGuard explained in a Thursday advisory, when it released CVE-2025-14733 security updates and tagged it as exploited in the wild, unpatched Firebox firewalls are only vulnerable to attacks if configured for IKEv2 VPN. It also warned that even if vulnerable configurations are removed, the firewall may still be at risk if a Branch Office VPN (BOVPN) to a static gateway peer is still configured.

"WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process," an NVD advisory explains. "This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer."

WatchGuard has shared indicators of compromise to help customers identify compromised Firebox appliances on their network, advising those who find signs of malicious activity to rotate all locally stored secrets on vulnerable firewalls. It also provided a temporary workaround for network defenders who can't immediately patch vulnerable devices, requiring them to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic.

On Saturday, the Internet security watchdog group Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed on Sunday.

​One day after WatchGuard released patches, CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog.

The U.S. cybersecurity agency also ordered Federal Civilian Executive Branch (FCEB) agencies (executive branch non-military agencies, such as the Department of Energy, the Department of the Treasury, and the Department of Homeland Security) to patch Firebox firewalls within a week, by December 26th, as mandated by the Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

In September, WatchGuard patched an almost identical RCE vulnerability (CVE-2025-9242) impacting Firebox firewalls. One month later, Shadowserver found over 75,000 Firebox firewalls vulnerable to CVE-2025-9242 attacks, most in North America and Europe, with CISA later tagging the security flaw as actively exploited in the wild and ordering federal agencies to secure their Firebox appliances from ongoing attacks.

Two years ago, CISA also ordered U.S. government agencies to patch another actively exploited WatchGuard flaw (CVE-2022-23176) impacting Firebox and XTM firewall appliances.

WatchGuard works with over 17,000 security resellers and service providers to protect the networks of more than 250,000 small and mid-sized companies worldwide.