WatchGuard Firebox OS forced to patch worrying security flaw, so update now
The firewall maker found a critical RCE
By Sead Fadilpašić, TechRadar, published 22 December 2025
- WatchGuard patches critical RCE flaw (CVE-2025-14733) in Firebox firewalls, which is being actively exploited in the wild
- CISA added it to KEV; federal agencies must patch or stop use by December 26
- Workarounds include disabling dynamic peer BOVPNs and tightening firewall policies until fixes are applied
WatchGuard has patched a critical-severity zero-day vulnerability in its Firebox firewalls, and urged all users to apply the fix immediately.
In a new security advisory, the company said firewalls running Fireware OS 11.x and later, 12.x and later, and 2025.1 up to (and including) 2025.1.3, contained an out-of-bounds write vulnerability that allowed unauthenticated attackers to execute arbitrary code remotely (RCE). This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.
The flaw is now tracked as CVE-2025-14733, and was given a severity score of 9.3/10 (critical). WatchGuard said it has seen threat actors “actively attempting to exploit” the vulnerability in the wild, but did not discuss which groups were using it, or against whom.
CISA adds the bug to KEV
Those that cannot apply the fix immediately can work around the issue by disabling dynamic peer BOVPNs, adding new firewall policies, and disabling the default system policies that handle VPN traffic.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added the RCE flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving all Federal Civilian Executive Branch (FCEB) agencies just a one-week deadline to patch up or stop using vulnerable Firebox firewalls entirely.
The entry was added on December 19, with the due date being December 26.
A few months ago, WatchGuard patched a similar RCE bug in its Firebox firewalls, BleepingComputer reported. In October 2025, internet watchdog Shadowserver said there were more than 75,000 exposed instances, with the majority being located in North America and Europe. That earlier vulnerability, too, was added to CISA’s KEV a few weeks later.