Over 115,000 WatchGuard Firebox devices are vulnerable to a serious remote code execution (RCE) flaw that is currently being exploited in cyberattacks. This vulnerability, identified as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later versions, including 11.12.4_Update1, as well as 12.x and 2025.1 up to and including 2025.1.3. Attackers can exploit this flaw to execute arbitrary code remotely without requiring user interaction, posing a significant risk to organizations worldwide.
WatchGuard Technologies issued an advisory on Thursday detailing the vulnerability and the security updates to mitigate it. They confirmed that unpatched Firebox firewalls are particularly susceptible to attacks if configured to use IKEv2 VPN. Even if these configurations are removed, devices may still be at risk if a Branch Office VPN (BOVPN) to a static gateway peer remains active. The National Vulnerability Database (NVD) reports that the vulnerability arises from an out-of-bounds write issue in the OS iked process, affecting both mobile user VPNs and branch office VPNs configured with dynamic gateway peers.
Shadowserver, an internet security watchdog, reported on Saturday that over 124,658 unpatched Firebox instances were exposed online, with 117,490 remaining vulnerable by Sunday. Following the release of patches from WatchGuard, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog. CISA has mandated that Federal Civilian Executive Branch agencies, including the Department of Energy and the Department of Homeland Security, must address the issue by December 26, 2025, in accordance with Binding Operational Directive 22-01.
“Vulnerabilities of this nature are common attack vectors for malicious cyber actors and represent substantial risks to federal enterprises,” CISA warned. The agency urged organizations to implement mitigations as instructed by vendors, adhere to applicable guidance for cloud services, or discontinue the use of vulnerable products if effective mitigations are unavailable.
This is not the first time WatchGuard has faced such challenges. In September, the company addressed a similar RCE vulnerability, CVE-2025-9242, which also affected Firebox firewalls. Following this, Shadowserver identified over 75,000 vulnerable devices, primarily in North America and Europe. CISA subsequently classified this security flaw as actively exploited and ordered federal agencies to secure their Firebox appliances.
In 2021, CISA had also mandated U.S. government agencies to patch another actively exploited flaw, CVE-2022-23176, affecting both Firebox and XTM firewall appliances. WatchGuard Technologies collaborates with over 17,000 security resellers and service providers, safeguarding the networks of more than 250,000 small and mid-sized companies globally.
With the escalating cyber threat landscape, organizations are urged to prioritize cybersecurity measures and ensure that their systems are updated to prevent exploitation of such vulnerabilities.







































