A zero-day vulnerability in WatchGuard Firebox firewalls is under active exploitation, marking the latest attacks against edge devices this month.
WatchGuard disclosed the vulnerability, tracked as CVE-2025-14733, on Thursday, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog the following day. CVE-2025-14733 is a critical out-of-bounds write vulnerability in WatchGuard's Fireware OS that, if exploited, can enable remote code execution on Firebox devices.
CVE-2025-14733 affects Fireware OS version 11.10.2, including 11.12.4_Update1, version 12.0 or higher, and version 2025.1 and higher. According to WatchGuard's advisory, the flaw impacts both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
"If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured," the advisory stated.
WatchGuard is the latest edge device vendor to be targeted by threat actors this month. Last week, CISA added a critical Fortinet FortiGate flaw, tracked as CVE-2025-59718, to its KEV catalog shortly after the vulnerability was discovered. Meanwhile, threat actors targeted SonicWall's SMA1000 appliances last week via the exploitation of a zero-day privilege escalation vulnerability.
In a blog post Thursday, WatchGuard product manager Matthew Terry said the vulnerability was discovered through an internal investigation and urged customers to patch the flaw as soon as possible.
"Threat actors are attempting to exploit this vulnerability as part of a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors," Terry wrote in the blog post. "Therefore, we urge you to immediately upgrade any Firebox appliances that you own or manage."
Dark Reading contacted WatchGuard for further comment regarding the exploitation activity and clarification on Terry's reference to "a wider attack campaign." WatchGuard did not respond to the questions but provided the following statement:
"On 15 December, through internal investigation, WatchGuard identified a new critical Fireware OS vulnerability detailed in CVE-2025-14733 and WatchGuard Security advisory WGSA-2025-0027. A patch was quickly made available on 18 December. Since the fix became available, our partners and end-users have been actively patching affected Firebox appliances. We continue to strongly encourage timely patching as a core best practice in security hygiene.