Threat Actors Exploit Zero-Day in WatchGuard Firebox Devices

Firebox Devices Under Fire

A zero-day vulnerability in WatchGuard Firebox firewalls, tracked as CVE-2025-14733, is being actively exploited, joining a recent wave of attacks targeting edge devices. CISA added the vulnerability to its KEV catalog on December 23rd, 2025, emphasizing its critical nature.

Ideal network security models assume rapid patching and comprehensive visibility, but in reality, many organizations struggle to apply updates quickly, leaving them exposed to zero-day exploits. The scale of potentially compromised devices – over 125,000 globally – highlights the significant risk and potential cost associated with delayed patching.

Key Insights

• CVE-2025-14733, December 2025: Critical out-of-bounds write in WatchGuard Fireware OS enabling remote code execution.
• Edge Device Targeting: A recent trend demonstrating attackers are focusing on perimeter security appliances (Fortinet, SonicWall, WatchGuard).
• IKED Process Hang: Exploitation of CVE-2025-14733 causes the IKED process to hang, disrupting VPN tunnel negotiations.

Practical Applications

• Use Case: Organizations relying on WatchGuard Firebox for VPN connectivity are at immediate risk and must prioritize patching.
• Pitfall: Delaying patching due to perceived disruption can lead to significant security breaches and data loss.

References:

• https://www.darkreading.com/vulnerabilities-threats/threat-actors-zero-day-watchguard-firebox