An urgent security update has been released to fix a critical zero-day vulnerability in WatchGuard Firebox firewalls. With warnings that hackers are already actively exploiting the flaw in the wild to take control of affected devices.
The vulnerability, tracked as CVE-2025-14733, carries a critical severity score of 9.3 out of 10. It allows a remote attacker to execute malicious code on the firewall without needing a username or password.
The issue is described as an “Out-of-bounds Write” vulnerability located in the ike process, which handles VPN connections on the device.
Specifically, the flaw affects the Mobile User VPN and Branch Office VPN (when using IKEv2). It occurs when the system tries to process a connection request.
If an attacker sends a specially crafted request, they can corrupt the system’s memory and hijack the firewall.
WatchGuard noted that even after deleting a vulnerable VPN configuration, your device may remain at risk if a Branch Office VPN with a static gateway remains active.
Active 0-Day Exploitation Detected
WatchGuard confirmed they have “observed threat actors actively attempting to exploit this vulnerability.” To help administrators defend their networks, they released specific indicators of compromise (IoCs).
Suspicious IP Addresses:
Suspicious IP AddressIndicator45.95.19[.]50Strong sign of attack-related traffic51.15.17[.]89Strong sign of attack-related traffic172.93.107[.]67Strong sign of attack-related traffic199.247.7[.]82Strong sign of attack-related traffic
Administrators should check their logs for:
IndicatorDescriptionLarge Certificate PayloadsLogs show an IKE_AUTH request with a CERT size greater than 2000 bytesLong Certificate ChainsErrors report: “Received peer certificate chain is longer than 8”Process CrashesThe iked process suddenly hangs or crashes, which may signal an exploit attempt
WatchGuard has released software updates to fix the issue. Admins should upgrade to the following versions immediately:
Current Fireware OS VersionRecommended Upgrade VersionFireware OS 2025.1Upgrade to 2025.1.4Fireware OS 12.xUpgrade to 12.11.6Fireware OS 12.5.x (T15/T35)Upgrade to 12.5.15
If you find evidence that your device was targeted, simply installing the patch is not enough. WatchGuard recommends rotating all shared secrets (passwords and keys) stored on the device, as attackers may have stolen them.
AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Checklist => Start for Free
The post WatchGuard 0-day Vulnerability Exploited in the Wild to Hijack Firewalls appeared first on Cyber Security News.
