WatchGuard Firebox Firewall RCE CVE-2025-14733
BLUF
A critical zero-day vulnerability in WatchGuard Firebox firewalls is being actively exploited by unauthenticated remote attackers to execute arbitrary code.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by CVE-2025-14733 exploitation or suspected abuse:
Low-end total cost: $600,000 – $900,000
(Rapid patching, no chaining, limited exposure)
Typical expected range: $1.1M – $1.8M
Upper-bound realistic scenarios: $2.3M – $3.2M
(Extended assurance effort, regulatory engagement, and prolonged monitoring)
Key cost driver:
Costs are driven less by immediate technical remediation and more by the need to re-establish trust in perimeter controls. Executive assurance, validation of administrative integrity, and governance-level confidence dominate total spend once firewall trust boundaries are called into question.
Targeted Sectors
· Manufacturing
· Healthcare
· Financial Services
· Critical Infrastructure
· Government
Targeted Countries
· Primarily United States of America
· Global
Date of First Reported Activity
· December 22, 2025
Date of Last Reported Activity Update
· December 22, 2025
CVE-2025-14733
CVSS 3.1
· (9.3) AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Nessus ID
· 279436
Is CVE-2025-14733 on the KEV List
· Yes
What is the CISA Patch by Date
· December 26, 2025
Patching/Mitigation Data
What date was the patch released
· December 22, 2025
URL to patch information
hxxps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
Impacted versions
Fireware OS prior to 2025.1.4
Fireware OS prior to 12.11.6
Fireware OS prior to 12.5.15 (for T15 & T35 models)
Fireware OS prior to 12.3.1_Update4 (FIPS-certified release)
APT Names
· None specified
Associated Criminal Organization Names
· None specified
IOCs
Log messages
· A log entry stating
o "Received peer certificate chain is longer than 8. Reject this certificate chain" when the device receives an IKEv2 Auth payload with too many certificates.
· An IKE_AUTH request log message with an unusually large CERT payload size, typically greater than 2000 bytes.
System behavior
· The iked process (responsible for VPN key exchange) may hang and interrupt VPN connections during a successful exploit attempt.
· The iked process may crash and generate a fault report on the Firebox after an exploit attempt (either failed or successful).
· Abnormal VPN negotiation failures.
Network activity
Outbound connections to known malicious Command-and-Control (C2) infrastructure. Specific IP addresses observed in exploitation attempts include:
· 45.95.19[.]50
· 51.15.17[.]89
· 172.93.107[.]67
· 199.247.7[.]82 (this IP has also been linked to exploitation of other Fortinet vulnerabilities)
Tools Used in Campaign
· None specified
TTPs
Initial Access
· T1190
o Exploit Public-Facing Application: Attackers target internet-facing WatchGuard Firebox appliances. Exploitation occurs through the iked process responsible for negotiating IKEv2 VPN tunnels.
Targeting VPN Infrastructure
The vulnerability specifically impacts configurations for Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 with dynamic gateway peers.
Execution
· T1203 – Exploitation for Client Execution: Successful exploitation of this out-of-bounds write flaw allows a remote, unauthenticated attacker to execute arbitrary code on the firewall appliance.
Remote Code Execution (RCE): The attack requires no user interaction and is described as a low-complexity attack.
Persistence & Lateral Movement
· T1098 – Account Manipulation: Once code execution is achieved, attackers may tamper with security policies or modify administrative accounts to maintain access.
· T1021 – Remote Services: Compromised firewalls are often used as pivot points to facilitate lateral movement into internal network segments.
Command and Control (C2)
· T1105 – Ingress Tool Transfer: Threat actors have been observed attempting to deploy additional malicious tooling or implants onto compromised devices after gaining initial access.
Impact
· T1565 – Data Manipulation: Attackers can intercept or manipulate VPN traffic flowing through the compromised gateway.
· T1489 – Service Stop: Exploitation can lead to the panic and reload of the iked process, potentially causing a denial of service for VPN users.
Malware Names
· Nothing named in public reporting
Suggested Rules / potential hunts
These are indicator rules and are likely to be noisy.
For best results, review traffic via a data model.
Suricata
· Network Traffic Detection
o Large Certificate Payloads: detect IKE_AUTH requests with CERT payloads exceeding 2,000 bytes.
o Excessive Certificate Chains: alert on peer certificate chains longer than eight.
o Caveat: in IKEv2 the CERT payloads and the certificate chain travel inside the encrypted SK payload of IKE_AUTH, so a network rule cannot count certificates or measure the CERT payload directly; it can only key on the size of an IKE_AUTH request. The rule below matches an IKEv2 header (version 0x20 at offset 17, IKE_AUTH exchange type 0x23 at offset 18, initiator-request flags 0x08 at offset 19) in a datagram larger than 2,000 bytes. For NAT-T traffic on UDP/4500 a 4-byte non-ESP marker precedes the IKE header, so use offset:21 there, and note that IKEv2 fragmentation (RFC 7383) can split a large IKE_AUTH into smaller datagrams that a per-packet dsize check will not see.
· alert udp any any -> $HOME_NET 500 (msg:"Possible CVE-2025-14733 WatchGuard IKEv2 Exploitation Attempt (Abnormal IKE_AUTH Size)"; content:"|20 23 08|"; offset:17; depth:3; dsize:>2000; threshold:type limit, track by_src, count 1, seconds 60; sid:1000001; rev:2;)
SentinelOne
· Endpoint/Device Hunting
o Use SentinelOne Singularity Deep Visibility to hunt for post-exploitation behavior on connected endpoints or through ingested firewall logs.
· Anomalous Internal Connections
o Hunt for unexpected lateral movement from the WatchGuard device's internal IP.
SrcIP = "[Firewall_Internal_IP]" AND (EventType = "Network Connection" OR EventType = "Lateral Movement")
· Ingested Log Queries
o If WatchGuard logs are forwarded to SentinelOne DataSet, use queries similar to the Splunk examples below to find iked crashes or abnormal VPN authentication attempts.
Splunk
Log-Based Hunting
Monitor WatchGuard Firebox logs for specific error messages and process instability.
· Search for Specific Log Messages
index=watchguard "Received peer certificate chain is longer than 8"
index=watchguard "IKE_AUTH" "CERT payload size" | rex "CERT payload size\D*(?<cert_size>\d+)" | where cert_size > 2000
o The rex extraction assumes the size appears as a number after the phrase "CERT payload size"; adjust the pattern to the actual Firebox log format.
· Monitor Process Crashes
The iked process may crash or generate fault reports following successful or failed exploitation.
index=watchguard "iked process crashed" OR "iked fault report"
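The two observable signals behind the Suricata and Splunk hunts above, an oversized IKE_AUTH request on the wire and the Firebox log messages, as Python triage helpers; this is an added example, not code from the CyberDax report or from WatchGuard. The IKE header layout follows RFC 7296; the "CERT payload size" log format, the build_ike_auth_request fixture and the sample log lines are assumptions constructed for the example.

```python
import re
import struct

IKE_AUTH = 35                # IKEv2 exchange type (RFC 7296)
FLAG_INITIATOR = 0x08        # IKE header flag: sent by the initiator
FLAG_RESPONSE = 0x20         # IKE header flag: message is a response
CERT_SIZE_THRESHOLD = 2000   # bytes; the report's "greater than 2000 bytes" IOC
CHAIN_LOG_MARKER = "Received peer certificate chain is longer than 8"

def is_oversized_ike_auth_request(udp_payload: bytes, dst_port: int) -> bool:
    """True for an IKEv2 IKE_AUTH request whose declared length exceeds the
    threshold. UDP/4500 (NAT-T) prefixes IKE with a 4-byte zero non-ESP marker."""
    data = udp_payload
    if dst_port == 4500:
        if data[:4] != b"\x00\x00\x00\x00":
            return False         # ESP-in-UDP, not IKE
        data = data[4:]
    if len(data) < 28:           # fixed IKE header is 28 bytes
        return False
    # iSPI(8) rSPI(8) | next(1) version(1) exchange(1) flags(1) msgid(4) length(4)
    _np, ver, exch, flags, _mid, length = struct.unpack_from("!BBBBII", data, 16)
    # IKEv2 (major version 2), IKE_AUTH exchange, initiator request, not a response
    if ver >> 4 != 2 or exch != IKE_AUTH or not (flags & FLAG_INITIATOR) or flags & FLAG_RESPONSE:
        return False
    return length > CERT_SIZE_THRESHOLD

def scan_firebox_logs(lines):
    """Return (tag, line) for lines matching the report's two log IOCs. The regex
    assumes a number follows 'CERT payload size' (assumed, not a documented format)."""
    hits = []
    for line in lines:
        if CHAIN_LOG_MARKER in line:
            hits.append(("cert_chain_too_long", line))
        m = re.search(r"IKE_AUTH.*CERT payload size\D*(\d+)", line)
        if m and int(m.group(1)) > CERT_SIZE_THRESHOLD:
            hits.append(("oversized_cert_payload", line))
    return hits

def build_ike_auth_request(total_len: int) -> bytes:
    """Constructed fixture: a valid IKE_AUTH request header (next payload 46 = SK)
    zero-padded to total_len bytes. Not a real capture."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      46, 0x20, IKE_AUTH, FLAG_INITIATOR, 1, total_len)
    return hdr + b"\x00" * (total_len - len(hdr))

SAMPLE_LOGS = [  # constructed sample lines, not real Firebox output
    "2025-12-22 10:14:03 iked: Received peer certificate chain is longer than 8. Reject this certificate chain",
    "2025-12-22 10:14:05 iked: IKE_AUTH request, CERT payload size 3120 bytes",
    "2025-12-22 10:15:00 iked: IKE_AUTH request, CERT payload size 1184 bytes",
]
```

Because IKE_AUTH is encrypted, the wire check can only see the message size; pair it with the log scan, which sees the certificate count the Firebox itself reports.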
Delivery Method
· Remote, unauthenticated network requests
o IKEv2 VPN traffic
Email Samples
· This is not applicable to this exploit
References
WatchGuard Security
hxxps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
Security Week
hxxps://www.securityweek.com/watchguard-patches-firebox-zero-day-exploited-in-the-wild
Help Net Security
hxxps://www.helpnetsecurity.com/2025/12/22/watchguard-firebox-vulnerability-cve-2025-14733
Tenable
hxxps://www.tenable.com/cve/CVE-2025-14733/plugins
NVD
hxxps://nvd.nist.gov/vuln/detail/CVE-2025-14733