In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

WatchGuard Fireware OS Zero-Day Exploited in the Wild Targets IKEv2 VPN Configurations

WatchGuard has confirmed active exploitation of a critical vulnerability in Fireware OS that enables remote, unauthenticated code execution through specific IKEv2 VPN configurations. Tracked as CVE-2025-14733 and rated 9.3 on the CVSS scale, the flaw affects the iked process responsible for VPN key exchange.

The issue is particularly concerning because systems may remain vulnerable even after certain VPN configurations are removed. WatchGuard has released patches across multiple supported Fireware OS versions and published indicators of compromise (IoCs) to help organizations assess exposure.

Context

Fireware OS powers WatchGuard Firebox appliances, which are widely deployed in enterprise and mid-market networks for perimeter security and VPN connectivity. IKEv2-based VPNs are commonly used for both mobile user access and branch-to-branch connectivity, making flaws in this area especially high impact.

The disclosure follows a broader trend of threat actors aggressively targeting edge security devices, exploiting VPN and firewall vulnerabilities to gain initial access to internal networks.

What Happened

WatchGuard identified real-world exploitation attempts against Fireware OS appliances involving malformed IKEv2 authentication payloads. The attacks originate from multiple IP addresses and target devices configured for IKEv2 VPNs using dynamic gateway peers.

Notably, WatchGuard warns that Fireboxes may still be exploitable even if vulnerable VPN configurations were previously deleted, provided certain related VPN settings remain active.

Technical Breakdown

CVE-2025-14733 is an out-of-bounds write vulnerability in the iked process. A remote attacker can send a specially crafted IKEv2 packet containing an abnormally large certificate chain, triggering memory corruption.

Observable behaviors during exploitation include:

  • Excessively large CERT payloads in IKE_AUTH requests

  • Log messages indicating certificate chains longer than expected

  • Hanging or crashing of the iked process

  • Disruption or termination of VPN connections

Successful exploitation can lead to arbitrary code execution with system-level privileges, giving attackers a foothold on the firewall appliance itself.
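The observable behaviours above all come down to one thing: an IKE_AUTH payload chain carrying far more certificate material than a legitimate peer would send, consumed by a parser that did not bound it. The following Python is an added example written for this article, not WatchGuard's code and not a reconstruction of the iked defect. It walks an IKEv2 payload chain using the RFC 7296 generic payload header (next payload, flags, 16-bit length), refuses any length that runs outside the buffer, and then applies a size and count limit to CERT payloads (type 37) in IKE_AUTH messages (exchange type 35). It assumes it is handed the plaintext chain as a gateway sees it after decrypting the SK payload; on the wire, IKE_AUTH contents are encrypted, so a passive network sensor would only see the outer message length. The thresholds, SPIs and sample messages are constructed for the example.

```python
"""Bounds check for CERT payloads in a decrypted IKEv2 IKE_AUTH payload chain.

Added example (not vendor code). Thresholds are illustrative assumptions.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IKE_HEADER_LEN = 28      # fixed IKEv2 header (RFC 7296 section 3.1)
GENERIC_HDR_LEN = 4      # generic payload header: next payload, flags, length
EXCH_IKE_AUTH = 35       # IKE_AUTH exchange type
PAYLOAD_NONE = 0
PAYLOAD_IDI = 35
PAYLOAD_CERT = 37
PAYLOAD_AUTH = 39

# Illustrative limits chosen for this example, not WatchGuard values.
MAX_CERT_PAYLOADS = 4
MAX_CERT_CHAIN_BYTES = 16 * 1024


@dataclass
class Payload:
    ptype: int
    data: bytes


def parse_payload_chain(first_type: int, body: bytes) -> List[Payload]:
    """Walk the generic payload headers, rejecting any length that leaves the
    buffer. Enforcing this bound is what keeps a malformed chain from turning
    into an out-of-bounds read or write."""
    payloads: List[Payload] = []
    ptype, off = first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + GENERIC_HDR_LEN > len(body):
            raise ValueError("truncated payload header at offset %d" % off)
        next_type, _flags, plen = struct.unpack("!BBH", body[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(body):
            raise ValueError("payload length %d out of bounds at offset %d" % (plen, off))
        payloads.append(Payload(ptype, body[off + GENERIC_HDR_LEN:off + plen]))
        off += plen
        ptype = next_type
    if off != len(body):
        raise ValueError("%d trailing bytes after last payload" % (len(body) - off))
    return payloads


def chain_is_well_formed(first_type: int, body: bytes) -> bool:
    """True if the chain parses within bounds, False if the parser refused it."""
    try:
        parse_payload_chain(first_type, body)
        return True
    except ValueError:
        return False


def inspect_ike_auth(msg: bytes) -> Tuple[str, str]:
    """Return ('accept' | 'reject' | 'ignore', reason) for one decrypted message."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    _spi_i, _spi_r, first, version, exch, _flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", msg[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        return ("ignore", "not IKEv2")
    if length != len(msg):
        raise ValueError("header length %d != message length %d" % (length, len(msg)))
    if exch != EXCH_IKE_AUTH:
        return ("ignore", "exchange type %d is not IKE_AUTH" % exch)
    payloads = parse_payload_chain(first, msg[IKE_HEADER_LEN:])
    certs = [p for p in payloads if p.ptype == PAYLOAD_CERT]
    total = sum(len(p.data) for p in certs)
    if len(certs) > MAX_CERT_PAYLOADS:
        return ("reject", "%d CERT payloads exceeds limit of %d" % (len(certs), MAX_CERT_PAYLOADS))
    if total > MAX_CERT_CHAIN_BYTES:
        return ("reject", "certificate chain of %d bytes exceeds limit of %d" % (total, MAX_CERT_CHAIN_BYTES))
    return ("accept", "%d CERT payload(s), %d bytes" % (len(certs), total))


def build_message(exch: int, payloads: List[Tuple[int, bytes]]) -> bytes:
    """Constructed sample-input builder: a plaintext chain behind an IKE header."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", next_type, 0, GENERIC_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!QQBBBBII", 0x1122334455667788, 0x8877665544332211,
                         first, 0x20, exch, 0x08, 1, IKE_HEADER_LEN + len(body))
    return header + body


# Constructed samples: an ordinary exchange and one carrying an oversized chain.
# CERT data byte 0x04 = X.509 certificate encoding; the rest is dummy filler.
BENIGN = build_message(EXCH_IKE_AUTH, [
    (PAYLOAD_IDI, b"\x01\x00\x00\x00" + b"peer.example"),
    (PAYLOAD_CERT, b"\x04" + b"\x30" * 1200),
    (PAYLOAD_AUTH, b"\x01\x00\x00\x00" + b"\x00" * 64),
])
OVERSIZED = build_message(EXCH_IKE_AUTH,
    [(PAYLOAD_IDI, b"\x01\x00\x00\x00" + b"peer.example")]
    + [(PAYLOAD_CERT, b"\x04" + b"\x30" * 8000)] * 6
    + [(PAYLOAD_AUTH, b"\x01\x00\x00\x00" + b"\x00" * 64)])
# A lone payload whose length field (0x1388 = 5000) overruns its 10-byte buffer.
BAD_LENGTH = bytes([PAYLOAD_NONE, 0, 0x13, 0x88]) + b"\x00" * 10

if __name__ == "__main__":
    print("benign   ", inspect_ike_auth(BENIGN))
    print("oversized", inspect_ike_auth(OVERSIZED))
    print("bad length parses:", chain_is_well_formed(PAYLOAD_CERT, BAD_LENGTH))
```

The two checks are deliberately separate: the per-payload length check in `parse_payload_chain` is the memory-safety bound, while the CERT count and total-size limits in `inspect_ike_auth` are policy that turns "longer than expected" into a logged rejection before any certificate parsing happens. Tuning the limits is a matter of measuring the largest chain your own peers legitimately present.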

Impact Analysis

A compromised Firebox places the entire protected network at risk. Attackers could intercept traffic, pivot into internal systems, disable security controls, or establish long-term persistence at the network edge.

The reuse of infrastructure previously associated with Fortinet exploitation suggests potential overlap in attacker tooling or coordinated scanning across vendors.

Why It Matters

Edge devices remain prime targets because they sit outside traditional endpoint detection coverage and often expose complex protocols to the internet. VPN services, in particular, continue to be abused as entry points for espionage, ransomware, and long-term access operations.

This vulnerability reinforces the importance of timely patching and configuration hygiene for perimeter security systems.

Expert Commentary

WatchGuard advises administrators to immediately apply patched versions of Fireware OS and review IoCs for signs of compromise. As a temporary mitigation, organizations with vulnerable Branch Office VPN setups are urged to disable dynamic peer configurations and restrict VPN access using explicit IP allowlists.

CISA has separately emphasized the urgency of addressing actively exploited firewall vulnerabilities, underscoring the systemic risk posed by delayed remediation.

Key Takeaways

  • CVE-2025-14733 enables unauthenticated remote code execution in Fireware OS

  • The flaw affects IKEv2 VPN configurations, including residual settings

  • Active exploitation has been observed in the wild

  • Successful attacks can crash or compromise firewall appliances

  • Immediate patching is strongly recommended
