
Attackers are actively exploiting a critical remote code execution (RCE) vulnerability in WatchGuard Firebox firewalls, tracked as CVE-2025-14733. Over 115,000 devices remain unpatched and reachable from the internet, putting the organizations behind them at serious risk. Review this Cybersecurity Threat Advisory for remediation recommendations.
What is the threat?
CVE-2025-14733 is a critical vulnerability in the iked process of Fireware OS (the daemon that terminates IKE/IKEv2 negotiations) that lets a remote attacker execute code on Firebox appliances configured for IKEv2 VPN (Mobile VPN with IKEv2) or Branch Office VPN (BOVPN). Removing those configurations does not fully close the exposure: a Firebox that still has a BOVPN to a static gateway peer keeps answering IKE traffic and can still be exploited.
WatchGuard has published indicators of compromise (IOCs) so defenders can check whether a device has already been exploited rather than merely whether it is affected. On a compromised appliance an attacker can read locally stored secrets such as VPN pre-shared keys and administrative credentials, alter firewall policies, and keep persistent access. Shadowserver scans found over 124,000 Firebox instances exposed online, more than 117,000 of them still unpatched days after the advisory was published.
The flaw affects the Fireware OS 11.x and 12.x release lines and 2025.1 up to and including 2025.1.3; WatchGuard's advisory lists the resolution for each branch.
Why is it noteworthy?
CISA has added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog, which under Binding Operational Directive (BOD) 22-01 requires federal civilian agencies to remediate it by December 26, 2025. The exposure is significant: tens of thousands of unpatched Firebox firewalls remain reachable from the internet across North America, Europe, and beyond. Because the vulnerable service is the VPN endpoint itself, successful exploitation puts VPN traffic, the sensitive communications carried over it, and the enterprise networks behind it at risk.
What is the exposure or risk?
Organizations running unpatched WatchGuard Firebox firewalls face significant risk, including interception and manipulation of secure communications via IKEv2 VPN and BOVPN configurations. Beyond direct access, adversaries can steal locally stored secrets, pivot deeper into enterprise environments, and manipulate firewall policies to maintain persistent access.
Compromised firewalls enable attackers to run command-and-control (C2) operations, exfiltrate data, and launch denial-of-service attacks, undermining both enterprise and government systems.
What are the recommendations?
Barracuda recommends the following actions to mitigate your risk:
- Apply WatchGuard's security updates for CVE-2025-14733 to every Firebox appliance, including units whose only VPN use is a BOVPN to a static gateway peer.
- Until the update is installed, temporarily disable Mobile VPN with IKEv2 and dynamic peer BOVPNs.
- If patching is delayed and a BOVPN to a static gateway peer must stay up, add firewall policies that accept IKE traffic (UDP/500 and UDP/4500) only from that peer's address, then disable the default system policies that accept VPN traffic from any source.
- Check each device against WatchGuard's published IOCs before treating it as clean; the patch closes the hole but does not evict an attacker who is already inside.
- Treat every credential and secret stored on a vulnerable device (administrative passwords, VPN pre-shared keys) as exposed and replace it after patching, so that anything already stolen cannot be reused.
- Enforce multi-factor authentication (MFA) and role-based access for VPN and firewall administration.
- Limit the exposure of SOHO (Small Office/Home Office) devices: keep management interfaces off the internet and require strong authentication on them.
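To turn the version ranges and VPN-configuration rules above into a repeatable inventory check, here is an added example written for this advisory; it is not WatchGuard or Barracuda tooling. It assumes a simple device record (name, Fireware build, which VPN types are configured), takes the 2025.1 cutoff from the advisory text (last affected build 2025.1.3), and, because the page names no fixed 11.x/12.x build, treats every 11.x and 12.x build as affected unless the caller supplies the fixed build for that branch from WatchGuard's own advisory. The status labels and the sample inventory are constructed for illustration.

```python
"""Triage a Firebox inventory against the CVE-2025-14733 exposure rules above.

Added example for this advisory, not vendor tooling. The 2025.1 cutoff comes
from the advisory text; fixed builds for 11.x/12.x are an assumption supplied
by the caller; the inventory at the bottom is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


def parse_fireware_version(text: str) -> Tuple[int, ...]:
    """'12.11.5' -> (12, 11, 5); '11.12.4_Update1' -> (11, 12, 4, 1).

    Tuples compare element-wise, so an '_UpdateN' suffix sorts above the base
    build it patches and shorter prefixes sort below longer ones.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable Fireware version: {text!r}")
    return parts


# Last affected build on the 2025.1 branch, as stated in the advisory.
LAST_AFFECTED_2025_1 = (2025, 1, 3)


def is_vulnerable_version(version: str,
                          fixed_builds: Optional[Dict[int, str]] = None) -> bool:
    """True if the build falls inside the affected ranges.

    fixed_builds maps a major branch (11 or 12) to its first fixed build,
    e.g. {12: "12.11.6"}; left to the caller because the advisory text names
    no fixed 11.x/12.x build. Without it, all 11.x/12.x builds count as affected.
    """
    v = parse_fireware_version(version)
    branch = v[0]
    if branch in (11, 12):
        fixed = (fixed_builds or {}).get(branch)
        return True if fixed is None else v < parse_fireware_version(fixed)
    if v[:2] == (2025, 1):
        return v <= LAST_AFFECTED_2025_1
    return False  # other branches are not listed as affected on the page


@dataclass
class Firebox:
    name: str
    version: str
    ikev2_mobile_vpn: bool = False    # Mobile VPN with IKEv2 enabled
    dynamic_peer_bovpn: bool = False  # BOVPN to a dynamic gateway peer
    static_peer_bovpn: bool = False   # BOVPN to a static gateway peer


def triage(box: Firebox, fixed_builds: Optional[Dict[int, str]] = None) -> str:
    """Classify one device (labels are this example's own):

    patched            build outside the affected ranges
    exposed-dynamic    vulnerable build with IKEv2 mobile VPN or dynamic peer
                       BOVPN: patch now; if delayed, disable those features
    exposed-static     vulnerable build whose only VPN is to static gateway
                       peers: still reachable over IKE, so patch now or restrict
                       UDP/500 and UDP/4500 to the peers' addresses
    vulnerable-no-vpn  vulnerable build with no VPN configured: not in the
                       exploitable configuration the advisory describes, but
                       still update
    """
    if not is_vulnerable_version(box.version, fixed_builds):
        return "patched"
    if box.ikev2_mobile_vpn or box.dynamic_peer_bovpn:
        return "exposed-dynamic"
    if box.static_peer_bovpn:
        return "exposed-static"
    return "vulnerable-no-vpn"


def triage_inventory(boxes: Iterable[Firebox],
                     fixed_builds: Optional[Dict[int, str]] = None) -> Dict[str, str]:
    """Map each device name to its triage status."""
    return {box.name: triage(box, fixed_builds) for box in boxes}


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Firebox("hq-fw", "2025.1.3", ikev2_mobile_vpn=True, static_peer_bovpn=True),
    Firebox("branch-a", "12.11.5", static_peer_bovpn=True),
    Firebox("branch-b", "12.11.5", dynamic_peer_bovpn=True),
    Firebox("lab-fw", "2025.1.4", ikev2_mobile_vpn=True),
    Firebox("legacy", "11.12.4_Update1"),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

Run it as-is and the two branch units come out as exposed even though neither runs IKEv2 mobile VPN, which is the point of the static-peer caveat: the device that "only" has a site-to-site tunnel still answers IKE. Pass `fixed_builds={12: "..."}` with the build named in WatchGuard's advisory once you have confirmed it, and the 12.x devices are re-evaluated against that cutoff instead of being assumed affected.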
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cybersecurityup.com/en/blog/2-news-cyber-security/2-news-cyber-security/2232-cve-2025-14733-su-watchguard-exploit-attivi-bucano-vpn-ikev2-e-aprono-la-rete,-patch-urgente
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

