
WatchGuard Firebox Vulnerability Leaves Over 117,000 Devices Exposed to Active Attacks

Nearly 120,000 WatchGuard Firebox firewalls remain unpatched and exposed to a critical vulnerability that is already being exploited by hackers, according to data from the Shadowserver Foundation.

The flaw, tracked as CVE-2025-14733, carries a severe CVSS score of 9.3 out of 10. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already issued an emergency warning, adding the bug to its Known Exploited Vulnerabilities catalog and setting a strict December 26 deadline for federal agencies to secure their systems.

Technical Details of the Threat

The vulnerability is an out-of-bounds write flaw located in the iked process of the WatchGuard Fireware OS. This process handles the negotiation of VPN connections. By sending specially crafted messages to an exposed device, an unauthenticated attacker can trigger the flaw and execute arbitrary code with root privileges.
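Because the bug sits in IKE message handling, the defensive question is what a length-safe parser of that traffic has to verify before it touches any payload. The following is an added example, not WatchGuard code and unrelated to the Fireware implementation: it parses the fixed IKEv2 header and walks the payload chain as laid out in RFC 7296, rejecting any declared length that does not fit inside the received datagram. The sample messages, the 4096-byte "unusually large" threshold and the helper names are constructed for the example.

```python
import struct

IKEV2_HEADER_LEN = 28          # fixed header size per RFC 7296 section 3.1
PAYLOAD_HEADER_LEN = 4         # generic payload header: next, critical/reserved, length
MAX_EXPECTED_LEN = 4096        # assumed threshold for an "unusually large" IKE message
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_ikev2(datagram: bytes) -> dict:
    """Validate an IKEv2 datagram bounds-first and list every inconsistency.

    Returns {"ok": bool, "exchange": str, "payloads": [(type, length)], "findings": [...]}.
    Nothing past a bad length is ever read, which is the property a safe daemon needs.
    """
    findings, payloads = [], []
    if len(datagram) < IKEV2_HEADER_LEN:
        return {"ok": False, "exchange": None, "payloads": [], "findings": ["datagram shorter than IKEv2 header"]}

    (_spi_i, _spi_r, next_payload, version, exchange,
     _flags, _msg_id, declared_len) = struct.unpack("!QQBBBBII", datagram[:IKEV2_HEADER_LEN])

    if version >> 4 != 2:
        findings.append(f"major version {version >> 4} is not IKEv2")
    if declared_len != len(datagram):
        findings.append(f"header length {declared_len} != datagram size {len(datagram)}")
    if declared_len > MAX_EXPECTED_LEN:
        findings.append(f"declared length {declared_len} exceeds expected maximum {MAX_EXPECTED_LEN}")

    # Walk the payload chain; every step is bounds-checked against the real buffer size.
    offset, ptype = IKEV2_HEADER_LEN, next_payload
    while ptype != 0:
        if offset + PAYLOAD_HEADER_LEN > len(datagram):
            findings.append(f"payload chain runs past end of datagram at offset {offset}")
            break
        nxt, _crit, plen = struct.unpack("!BBH", datagram[offset:offset + PAYLOAD_HEADER_LEN])
        if plen < PAYLOAD_HEADER_LEN:
            findings.append(f"payload type {ptype} at offset {offset} declares length {plen} < 4")
            break
        if offset + plen > len(datagram):
            findings.append(f"payload type {ptype} at offset {offset} declares length {plen}, overruns datagram")
            break
        payloads.append((ptype, plen))
        offset += plen
        ptype = nxt
    if not findings and offset != len(datagram):
        findings.append(f"{len(datagram) - offset} trailing bytes after last payload")

    return {"ok": not findings, "exchange": EXCHANGE_NAMES.get(exchange, str(exchange)),
            "payloads": payloads, "findings": findings}


def build_message(payloads, exchange=34) -> bytes:
    """Construct a syntactically valid IKEv2 message for the checks (test fixture only)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HEADER_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!QQBBBBII", 0x1122334455667788, 0, first, 0x20, exchange,
                         0x08, 0, IKEV2_HEADER_LEN + len(body))
    return header + body


# Constructed samples: a well-formed IKE_SA_INIT carrying one Nonce (type 40) payload,
# and a copy whose payload length field no longer fits the buffer.
GOOD = build_message([(40, b"\x00" * 16)])
OVERRUN = bytearray(GOOD)
OVERRUN[30:32] = b"\xff\xff"
OVERRUN = bytes(OVERRUN)

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("overrun", OVERRUN), ("truncated", GOOD[:40])):
        print(name, parse_ikev2(msg))
```

The parser is deliberately conservative: the first inconsistency stops the walk, so a payload whose declared length exceeds the buffer is reported rather than indexed. Feeding captured UDP/500 or UDP/4500 datagrams through a check like this is one way to turn the "unusually large payloads" advice into a concrete alert.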

The risk is highest for devices configured with:

  • Mobile user VPNs using IKEv2.
  • Branch office VPNs using IKEv2 with a dynamic gateway peer.

WatchGuard has noted a specific danger regarding "zombie configurations." Even if an administrator deletes these vulnerable settings, a device may remain at risk if it still maintains a branch office VPN to a static gateway peer.

Scope of Exposure

While the number of vulnerable devices dropped slightly from 125,000 to roughly 117,500 on December 21, the geographical spread remains broad. The highest concentrations of unpatched firewalls are in:

  • United States: 35,600
  • Germany: 13,000
  • Italy: 11,300
  • United Kingdom: 9,000
  • Canada: 5,800

Indicators of Attack and Mitigation

A primary indicator that a device is being targeted is the iked process hanging, which disrupts VPN negotiations and re-keys. WatchGuard has also identified several malicious IP addresses used by attackers for reconnaissance and command-and-control.

To secure your infrastructure, administrators should:

  • Upgrade immediately to the latest version of Fireware OS.
  • Audit VPN configurations for residual IKEv2 dynamic gateway settings.
  • Rotate all locally stored secrets if there is any evidence of compromise.
  • Monitor logs for unusually large payloads or connection attempts from known malicious IPs.
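The last bullet is the one that can be automated. The script below is an added example, not part of the article and not WatchGuard tooling: it triages IKE daemon log lines against a block list of known-bad addresses and a payload-size threshold, and summarises per peer so a burst of oversized negotiations stands out. The log line format, the 4096-byte threshold, the peer addresses (all from the 203.0.113.0/24 documentation range) and the block list entries are constructed placeholders; substitute the vendor's published indicators and your own log format.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log format (constructed): "<timestamp> iked peer=<ip> exch=<name> bytes=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) iked peer=(?P<ip>[\d.]+) exch=(?P<exch>\S+) bytes=(?P<bytes>\d+)")
MAX_BYTES = 4096  # assumed threshold for an "unusually large" IKE payload

# Placeholder block list; replace with the vendor's published malicious addresses.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/28",)]

# Constructed sample lines: one benign peer, one oversized payload, one block-listed peer.
SAMPLE_LOG = """\
2025-12-21T10:00:01Z iked peer=203.0.113.200 exch=IKE_SA_INIT bytes=512
2025-12-21T10:00:02Z iked peer=203.0.113.200 exch=IKE_AUTH bytes=1400
2025-12-21T10:00:05Z iked peer=203.0.113.77 exch=IKE_SA_INIT bytes=9000
2025-12-21T10:00:06Z iked peer=203.0.113.77 exch=IKE_SA_INIT bytes=9100
2025-12-21T10:00:09Z iked peer=203.0.113.5 exch=IKE_SA_INIT bytes=600
not an iked line at all
"""


def is_blocklisted(ip: str) -> bool:
    """True if the address falls inside any block-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def triage(log_text: str, max_bytes: int = MAX_BYTES) -> dict:
    """Parse iked log lines and return per-peer stats plus a list of alerts.

    Alerts are (peer, reason) tuples; a peer can raise both reasons.
    Lines that do not match the expected format are counted, not dropped silently.
    """
    stats = defaultdict(lambda: {"messages": 0, "max_bytes": 0, "oversized": 0})
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        peer, size = m["ip"], int(m["bytes"])
        s = stats[peer]
        s["messages"] += 1
        s["max_bytes"] = max(s["max_bytes"], size)
        if size > max_bytes:
            s["oversized"] += 1

    alerts = []
    for peer, s in sorted(stats.items()):
        if s["oversized"]:
            alerts.append((peer, f"{s['oversized']} IKE message(s) over {max_bytes} bytes (max {s['max_bytes']})"))
        if is_blocklisted(peer):
            alerts.append((peer, "peer is on the known-malicious block list"))
    return {"peers": dict(stats), "alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for peer, reason in result["alerts"]:
        print(f"ALERT {peer}: {reason}")
    print(f"{result['unparsed']} unparsed line(s)")
```

Run against the constructed sample it flags 203.0.113.77 for two oversized IKE_SA_INIT messages and 203.0.113.5 for matching the block list, while the benign peer produces no alert. Pairing this with an alert on iked restarts or hung negotiations gives two independent signals for the same attack.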
