125,000 WatchGuard Firewalls Vulnerable to Remote Attacks | eSecurity Planet

125,000 WatchGuard Firewalls Vulnerable to Remote Attacks

A critical zero-day flaw is being actively exploited to remotely compromise more than 125,000 WatchGuard Firebox firewalls.

Written By
Ken Underhill
Ken Underhill
Dec 22, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security researchers have identified a critical zero-day vulnerability exposing more than 125,000 WatchGuard Firebox firewall devices to remote compromise.

The flaw is already being exploited in the wild, giving attackers a direct path to take over unpatched devices.

“Threat actors are attempting to exploit this vulnerability as part of a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors,” said WatchGuard in its advisory.

Inside the WatchGuard Firebox Vulnerability

CVE-2025-14733 stems from an out-of-bounds write vulnerability in the iked process, the Fireware OS component responsible for negotiating IKEv2 VPN key exchanges. 

During IKEv2 negotiation, the firewall parses multiple attacker-controlled fields as part of establishing a secure tunnel. 

Due to insufficient bounds checking when handling specific payload data, a specially crafted request can cause the process to write data beyond allocated memory boundaries.

This type of memory corruption flaw is especially dangerous in security appliances because it can allow attackers to overwrite critical memory structures, ultimately leading to arbitrary code execution in a privileged context. 

In practical terms, a successful exploit gives attackers the ability to run commands directly on the firewall itself.

Attacks can be launched remotely over the network, require no authentication, and do not depend on user interaction. Any Firebox device exposing IKEv2 VPN services to the internet is therefore a viable target. 

This combination makes the flaw particularly attractive for large-scale scanning and automated exploitation campaigns.

The vulnerability specifically affects environments using IKEv2 for mobile user VPN access and branch office VPN tunnels with dynamic gateway peers. 

In these configurations, attackers can trigger the vulnerable code path simply by sending malicious IKEv2 negotiation traffic to the device. 

Because the attack occurs before authentication completes, traditional access controls provide no protection.

WatchGuard also highlighted a particularly dangerous “zombie configuration” risk. 

Even if administrators remove or disable vulnerable IKEv2 VPN settings after patching, compromised devices may remain exposed if branch office VPN tunnels with static gateway peers are still present. 

In these cases, an attacker who previously exploited the flaw may retain persistence or access paths that survive configuration changes. As a result, partial remediation efforts may provide a false sense of security.

This incident follows a familiar pattern. The Shadowserver Foundation noted that earlier this year it identified more than 75,000 Firebox devices exposed to a separate critical vulnerability. 

How to Mitigate the WatchGuard Firebox Risk

Effective response requires a combination of immediate patching, configuration hygiene, and heightened monitoring to reduce risk and detect potential intrusion. 

  • Immediately upgrade all WatchGuard Firebox devices to patched Fireware versions and fully replace any appliances running end-of-life firmware.
  • Restrict or temporarily disable IKEv2 VPN services where not required, and limit VPN access to known, trusted IP ranges whenever possible.
  • Audit all VPN configurations to identify lingering or indirect IKEv2 settings, including static branch-office tunnels that may create “zombie” exposure.
  • Monitor firewall and VPN logs for indicators of compromise, including certificate chain anomalies, oversized IKE_AUTH payloads, and unusual negotiation activity.
  • Investigate known malicious IP addresses associated with exploitation attempts and increase network-level monitoring around VPN traffic.
  • Assume potential device compromise by rotating locally stored credentials, validating configurations post-patch, and isolating firewall management interfaces from the public internet.

Addressing this risk effectively requires prompt action and consistent operational discipline. 

By combining timely patching with careful configuration review and ongoing monitoring, organizations can reduce exposure and limit the blast radius. 

Advertisement

Rising Threat to Perimeter Security

This incident underscores a broader and ongoing shift in attacker strategy toward edge infrastructure, where a single, well-placed vulnerability can grant immediate and disproportionate access to enterprise environments. 

Firewalls, VPN gateways, and remote access devices sit at the boundary between internal networks and the internet, making them both exposed and trusted. 

When these systems are compromised — due to delayed patching or configuration sprawl — attackers can bypass downstream security controls, establish persistence, and move laterally with minimal resistance.

The growing focus on edge infrastructure by attackers highlights the risks of implicit trust and is driving organizations to rethink traditional security models.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.