Full Report
WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. "This vulnerability affects both the
Analysis Summary
# Vulnerability: Critical Out-of-Bounds Write in WatchGuard Fireware OS VPN
## CVE Details
- CVE ID: CVE-2025-14733
- CVSS Score: 9.3 (Critical)
- CWE: Out-of-Bounds Write
## Affected Systems
- Products: WatchGuard Fireware OS
- Versions:
  - 2025.1 (Fixed in 2025.1.4)
  - 12.x (Fixed in 12.11.6)
  - 12.5.x (T15 & T35 models) (Fixed in 12.5.15)
  - 12.3.1 (FIPS-certified release) (Fixed in 12.3.1_Update4 (B728352))
  - 11.x (11.10.2 up to and including 11.12.4_Update1) (End-of-Life)
- Configurations: Affects devices configured with Mobile User VPN using IKEv2 or Branch Office VPN using IKEv2 with configured dynamic gateway peers. Vulnerability may persist even after configuration deletion if a static gateway peer BOVPN is still present.
## Vulnerability Description
The vulnerability is an Out-of-Bounds Write flaw residing within the `iked` process of Fireware OS. This memory corruption vulnerability can be triggered remotely by an unauthenticated attacker to achieve arbitrary code execution.
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (inferred from the fact that RCE requires only remote, unauthenticated access)
- Attack Vector: Network (Remote, Unauthenticated)
## Impact
- Confidentiality: High (Potential for arbitrary code execution leads to full system compromise)
- Integrity: High (Potential for arbitrary code execution leads to full system compromise)
- Availability: High (Can lead to service interruption via process hangs/crashes)
## Remediation
### Patches
Users must apply the following fixed versions:
- Fireware OS 2025.1.4
- Fireware OS 12.11.6
- Fireware OS 12.5.15 (for T15 & T35 models)
- Fireware OS 12.3.1_Update4 (B728352) (for FIPS 12.3.1)
### Workarounds
For devices with vulnerable Branch Office VPN (BOVPN) configurations, administrators are urged to:
1. Disable dynamic peer BOVPNs.
2. Create an alias that includes the static IP addresses of remote BOVPN peers.
3. Add new firewall policies that allow access only from this newly created alias.
4. Disable the default built-in policies that handle VPN traffic.
## Detection
- Indicators of Compromise (IoCs):
  - Log message: "Received peer certificate chain is longer than 8. Reject this certificate chain" when the Firebox receives an IKEv2 Auth payload with more than 8 certificates.
  - IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes).
  - During successful exploitation: the `iked` process will hang, interrupting VPN connections.
  - After a failed or successful exploit: the `iked` process will crash and generate a fault report on the Firebox.
- Detection methods and tools: Monitor firewall/VPN logs for large IKEv2 CERT payloads and subsequent `iked` process instability (hangs or crashes).
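Added example (not code from the advisory or from WatchGuard): a small Python scanner that applies the two log-based indicators above to constructed sample lines. Only the certificate-chain rejection message text comes from the page; the log line layout, the `CERT payload size=` field name and the peer addresses are assumptions.

```python
import re

# Constructed sample log lines. The layout is assumed; only the
# "Received peer certificate chain ..." text is taken from the advisory.
SAMPLE_LOGS = [
    "2025-12-17 10:01:02 iked Received IKE_AUTH request from 203.0.113.5 CERT payload size=512",
    "2025-12-17 10:02:15 iked Received IKE_AUTH request from 198.51.100.7 CERT payload size=4096",
    "2025-12-17 10:02:16 iked Received peer certificate chain is longer than 8. Reject this certificate chain",
    "2025-12-17 10:03:00 iked Received IKE_AUTH request from 203.0.113.5 CERT payload size=1800",
]

# Indicator 1: the exact rejection message quoted in the advisory.
CHAIN_REJECT_MSG = "Received peer certificate chain is longer than 8. Reject this certificate chain"
# Indicator 2: CERT payload larger than 2000 bytes in an IKE_AUTH request.
CERT_SIZE_THRESHOLD = 2000
# Assumed field layout for the IKE_AUTH line (hypothetical format).
CERT_SIZE_RE = re.compile(
    r"IKE_AUTH request from (?P<peer>\S+) .*CERT payload size=(?P<size>\d+)"
)


def scan_iked_logs(lines):
    """Return (line_no, reason, peer) tuples for every line matching an IoC.

    reason is "cert_chain_gt_8" for the rejection message (no peer is
    recorded on that line in the assumed format) or "large_cert_payload"
    for an IKE_AUTH request whose CERT payload exceeds the threshold.
    """
    alerts = []
    for n, line in enumerate(lines, start=1):
        if CHAIN_REJECT_MSG in line:
            alerts.append((n, "cert_chain_gt_8", None))
            continue
        m = CERT_SIZE_RE.search(line)
        if m and int(m.group("size")) > CERT_SIZE_THRESHOLD:
            alerts.append((n, "large_cert_payload", m.group("peer")))
    return alerts


def suspicious_peers(lines):
    """Distinct peer addresses that sent an oversized CERT payload."""
    return sorted({peer for _, reason, peer in scan_iked_logs(lines)
                   if reason == "large_cert_payload"})


if __name__ == "__main__":
    for line_no, reason, peer in scan_iked_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {reason} peer={peer}")
    print("peers to investigate:", suspicious_peers(SAMPLE_LOGS))
```

A hit on either indicator should be followed by a check for `iked` hangs or a fault report on the Firebox, as the advisory describes.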
## References
- Vendor Advisory: hxxps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027