
A critical zero-day vulnerability, tracked as CVE-2025-14733, has network administrators racing against time to secure their systems.
The flaw, found in WatchGuard firewalls and rated CVSS 9.3, is genuinely dangerous: it allows unauthenticated attackers to execute arbitrary code and take control of corporate firewalls.
The fact that threat actors are already attempting to exploit it only adds to the alarm. So let's take a closer look at what is happening and how this vulnerability can be abused.
The iked process, which handles IKEv2 (Internet Key Exchange version 2) negotiations for VPNs, can be driven into unintended behaviour by remote input. A remote attacker can trigger an out-of-bounds write, corrupting memory and thereby influencing how the system behaves.
By sending specially crafted packets to the firewall's VPN interface, an attacker can knock the service offline or, worse, run their own commands with system-wide privileges.
What makes this vulnerability particularly insidious is its persistence. It affects mobile user VPN and branch office VPN configurations that use IKEv2, but simply disabling the feature may not be enough.
The advisory warns of a “zombie” configuration scenario: “If the Firebox was previously configured with the mobile user VPN with IKEv2… and both configurations were subsequently deleted, the Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”
WatchGuard has published indicators of attack (IoAs) to help defenders determine whether they have already been targeted. Exploit attempts leave traces in the logs; one telltale sign is an unusually large certificate payload.
Additionally, the following IP addresses have been directly linked to the active exploitation campaign: 45.95.19[.]50, 51.15.17[.]89, 172.93.107[.]67, 199.247.7[.]82. The vulnerability affects a wide range of Fireware OS versions, including 12.x and 2025.1. WatchGuard has released patched versions (2025.1.4, 12.11.6, and 12.5.15) and urges immediate updates.
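The "unusually large certificate payload" indicator can be checked mechanically. The following is an added example, not WatchGuard's code or detection logic: it walks the IKEv2 payload chain of an IKE_AUTH message (whose inner payloads are encrypted on the wire, so it applies to the plaintext a responder or a decryption-capable sensor sees), validates every length before trusting it, and flags CERT payloads above an assumed size threshold. Payload type numbers come from RFC 7296; the sample messages are constructed.

```python
import struct

# IKEv2 constants from RFC 7296 (protocol facts, not taken from the advisory)
IKE_HEADER_LEN = 28
PAYLOAD_IDI, PAYLOAD_CERT, PAYLOAD_AUTH = 35, 37, 39
MAX_CERT_PAYLOAD = 4096  # alert threshold: an assumption, tune to your own certificate sizes

def parse_ikev2_payloads(packet: bytes):
    """Walk the payload chain of an IKEv2 message and return [(type, length), ...].
    Every length is checked against the buffer before use, so a payload that
    claims more bytes than exist raises instead of being read past the end."""
    if len(packet) < IKE_HEADER_LEN:
        raise ValueError("shorter than the 28-byte IKE header")
    # Header tail: NextPayload(1) Version(1) ExchangeType(1) Flags(1) MessageID(4) Length(4)
    next_payload, _ver, _exch, _flags, _msg_id, length = struct.unpack("!BBBBII", packet[16:28])
    if length != len(packet):
        raise ValueError(f"header says {length} bytes, buffer has {len(packet)}")
    payloads, offset = [], IKE_HEADER_LEN
    while next_payload != 0:  # 0 means "no next payload"
        if offset + 4 > len(packet):
            raise ValueError(f"generic payload header at {offset} runs past the end")
        nxt, _crit, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError(f"payload type {next_payload} claims {plen} bytes at offset {offset}")
        payloads.append((next_payload, plen))
        offset, next_payload = offset + plen, nxt
    return payloads

def oversized_cert_payloads(packet: bytes, limit: int = MAX_CERT_PAYLOAD):
    """Lengths of CERT payloads larger than `limit`; an empty list means nothing suspicious."""
    return [n for t, n in parse_ikev2_payloads(packet) if t == PAYLOAD_CERT and n > limit]

def build_ike_auth(payloads):
    """Constructed test helper: assemble an (already decrypted) IKE_AUTH message
    from (type, body) pairs, chaining the NextPayload fields and computing lengths."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first,
                         0x20, 35, 0x08, 1, IKE_HEADER_LEN + len(body))  # v2.0, IKE_AUTH, Initiator
    return header + body

# Constructed samples: a CERT payload of ordinary size next to a bloated one (0x04 = X.509 encoding)
NORMAL = build_ike_auth([(PAYLOAD_IDI, b"\x00" * 8), (PAYLOAD_CERT, b"\x04" + b"\x30" * 1200), (PAYLOAD_AUTH, b"\x00" * 16)])
BLOATED = build_ike_auth([(PAYLOAD_IDI, b"\x00" * 8), (PAYLOAD_CERT, b"\x04" + b"\x41" * 20000)])
```

A truncated or length-lying message raises ValueError rather than being skipped, which is itself worth logging as a malformed-IKE event.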
However, patching is only the first step. Since the flaw allows complete compromise of the device, a Firebox that was compromised before the update may already have had its secrets stolen, and installing the patch does not undo that.
