Attackers are compromising WatchGuard firewalls right now and they don't even need credentials to do it.
CVE-2025-14733 landed in CISA's Known Exploited Vulnerabilities catalog on December 19th, and we've been digging into this one since the advisory dropped. If your organization runs WatchGuard Firebox appliances with IKEv2 VPN enabled, you’ll probably want to read this.
Why This Vulnerability Matters
An unauthenticated attacker can send specially crafted IKEv2 packets to UDP port 500 to create a denial-of-service condition or potentially execute arbitrary code. No credentials. No user interaction. No prior access required.
That's CVE-2025-14733 in a nutshell: we’ve got a pre-authentication vulnerability with the potential for RCE in WatchGuard Fireware OS carrying a CVSS score of 9.8 (Critical) on our hands right before the holidays. Every Fireware version prior to 12.11.6 is vulnerable, and WatchGuard has confirmed active exploitation in the wild. Threat intelligence ties the activity to known malicious infrastructure.
This isn't theoretical. This is happening.
What We Can Confirm Right Now
We've been pulling apart firmware images and tracing execution paths since this dropped. Here's where our research stands:
The Vulnerability is Real and Exploitable
We believe the root cause lives in the iked daemon's certificate processing logic. When handling IKEv2 authentication, the daemon copies certificate data into a stack buffer without adequate bounds checking. Supply more data than the buffer can hold, and you're overwriting critical stack values. Classic overflow territory.
We've validated this through binary analysis. CISA's KEV catalog addition confirms threat actors have already begun attacking organizations in the wild. Luckily, it seems that the stack canaries added in response to CVE-2025-9242 help mitigate impact from what we’ve found so far.
Denial of Service is Confirmed
We can reliably crash the IKE daemon with malformed packets. VPN services drop. The daemon restarts automatically, but sustained attacks can maintain the disruption. We've reproduced this consistently in our lab environment.
Remote Code Execution in the Wild
Per CISA and WatchGuard's advisory, threat actors may have achieved RCE through this vulnerability. We've confirmed the technical conditions that make code execution possible. Our research into weaponization specifics is ongoing.
Relationship to CVE-2025-9242
If you followed WatchTowr Labs' disclosure of CVE-2025-9242 earlier this year, this will look familiar. It appears to share the same root cause, unchecked memory copies in IKEv2 processing, but through different code paths and with different payloads.
What You Should Do Today
Immediate: Find Out If You're Exposed
We built a scanner for this. It identifies vulnerable WatchGuard devices through standard IKEv2 negotiation. The tool extracts version information from vendor ID payloads to tell you exactly where you stand without attempting exploitation:
# Scan a single host
python3 scan_watchguard_ike.py 192.168.1.1
# Scan a network range
python3 scan_watchguard_ike.py 10.0.0.0/24 -o results.json
# Show only vulnerable devices
python3 scan_watchguard_ike.py -f targets.txt -q
Example output:
[*] Sprocket Security - WatchGuard IKEv2 Scanner - CVE-2025-14733 Detection
[*] Scanning 1 host(s) on port(s) [500, 4500] (2 total probes)
[+] 192.168.0.125:500 - WatchGuard IKEv2 v12.11.4 (VULNERABLE)
[*] Scan complete:
Hosts scanned: 1
WatchGuard devices: 1
Potentially vulnerable: 1
It checks both UDP 500 and 4500 (NAT-T) by default and handles WatchGuard's base64-encoded version strings correctly. Run it against your perimeter to know what you're dealing with. If you’re already a Sprocket Security customer, don’t worry, we have you covered and have already begun scanning our clients.
You can find that Python3 script here.
Priority: Update to Fireware 12.11.6+
This is the only complete remediation. Full stop.
The patch adds additional validation to prevent the vulnerable code path from being reached. Combined with the stack canaries that were introduced in 12.11.4, this provides defense-in-depth protection.
If you can't patch immediately, these mitigations buy time (but they're not solutions):
- Disable IKEv2 Mobile VPN if you're not actively using it. No IKEv2, no attack surface.
- Restrict UDP 500/4500 access to known, trusted IP ranges. Most organizations don't need these ports open to the entire internet.
- Monitor for iked crashes in system logs. Repeated crashes could indicate someone probing your devices.
- Check WatchGuard's IoC list for connections to the known malicious infrastructure.
Detection: What to Watch For
WatchGuard's advisory gives us specific indicators. If you're hunting for exploitation attempts:
- IKE_AUTH requests with abnormally large CERT payloads (>2000 bytes)
- Certificate chains exceeding 8 certificates; that's not normal traffic
- Connections from 45.95.19.50, 51.15.17.89, 172.93.107.67 or 199.247.7.82
- Repeated iked process crashes or restarts (check your logs)
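The following Python checker is an added example, not part of Sprocket's scanner or WatchGuard's tooling; it applies the CERT-payload and source-IP indicators above to a single IKEv2 datagram. It assumes the CERT payloads are visible in plaintext, as they would be at an inspection point after the appliance decrypts IKE_AUTH (on the wire they sit inside the Encrypted payload, so a passive sensor can only apply the source-IP check); the thresholds and IP list are the advisory's, while the sample packet builder and the 203.0.113.5 address are constructed test data.

```python
import struct

IKE_AUTH = 35            # IKEv2 exchange type for IKE_AUTH
CERT_PAYLOAD = 37        # IKEv2 payload type for CERT
CERT_SIZE_LIMIT = 2000   # bytes per CERT payload (generic header included), per advisory
CERT_COUNT_LIMIT = 8     # certificates per chain, per advisory
IOC_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}

def parse_ikev2(data):
    """Return (exchange_type, [(payload_type, payload_len), ...]) for one IKEv2 datagram."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    # Header: SPIi(8) SPIr(8) NextPayload(1) Version(1) Exchange(1) Flags(1) MsgID(4) Length(4)
    next_payload, version, exch, _flags, _msg_id, length = struct.unpack("!BBBBII", data[16:28])
    if version >> 4 != 2 or length != len(data):
        raise ValueError("not a well-formed IKEv2 datagram")
    payloads, off = [], 28
    while next_payload != 0:                      # 0 = no next payload
        if off + 4 > len(data):
            raise ValueError("truncated payload chain")
        nxt, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append((next_payload, plen))     # type comes from the previous header
        next_payload, off = nxt, off + plen
    return exch, payloads

def suspicious(src_ip, data):
    """Return the advisory indicators this datagram matches (empty list = nothing flagged)."""
    reasons = []
    if src_ip in IOC_IPS:
        reasons.append(f"source {src_ip} is in WatchGuard's IoC list")
    exch, payloads = parse_ikev2(data)
    if exch == IKE_AUTH:
        certs = [plen for ptype, plen in payloads if ptype == CERT_PAYLOAD]
        oversized = [plen for plen in certs if plen > CERT_SIZE_LIMIT]
        if oversized:
            reasons.append(f"CERT payload of {max(oversized)} bytes exceeds {CERT_SIZE_LIMIT}")
        if len(certs) > CERT_COUNT_LIMIT:
            reasons.append(f"{len(certs)} CERT payloads exceeds {CERT_COUNT_LIMIT}")
    return reasons

def build_ike_auth(cert_sizes):
    """Constructed test data: a plaintext IKE_AUTH carrying CERT payloads of the given data sizes."""
    body = b""
    for i, size in enumerate(cert_sizes):
        nxt = CERT_PAYLOAD if i + 1 < len(cert_sizes) else 0
        body += struct.pack("!BBH", nxt, 0, size + 4) + b"\x04" + b"A" * (size - 1)
    first = CERT_PAYLOAD if cert_sizes else 0
    hdr = b"\x11" * 8 + b"\x22" * 8 + struct.pack("!BBBBII", first, 0x20, IKE_AUTH, 0x08, 1, 28 + len(body))
    return hdr + body
```

For traffic on UDP 4500 (NAT-T), strip the four-byte non-ESP marker before calling parse_ikev2.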
For Our Continuous Penetration Testing Clients
We've already started scanning our clients for CVE-2025-14733 inside and out. If you're running WatchGuard appliances with IKEv2 enabled, you’ll see those results come into the portal as our efforts uncover them.
If you’re not a Continuous Penetration Testing client but you’d like to see how we can help, please reach out to us here.
What Comes Next
We're still digging into this one. There's more to learn, and we'll update this post as our research progresses.
The core takeaway doesn't change: exploitation is confirmed in the wild, and the only reliable mitigation is patching to 12.11.6 or later. Don't wait on this one.
References
- WatchGuard PSIRT Advisory WGSA-2025-00027
- CISA Known Exploited Vulnerabilities Catalog
- WatchTowr Labs CVE-2025-9242 Research
- NVD - CVE-2025-14733