CVE-2025-14733

CriticalCISA KEVActive Exploitation

Published: 19 December 2025

Published

19 December 2025

Modified

23 December 2025

KEV Added

19 December 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.3358 97.0th percentile

Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Description

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic…

gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds write vulnerability in affected Fireware OS versions by requiring timely identification, testing, and deployment of vendor patches.

SI-16 Memory Protection partial match

prevent

Provides memory safeguards such as address space randomization and non-executable stacks that mitigate exploitation of the out-of-bounds write leading to arbitrary code execution.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables automated vulnerability scanning to identify systems running vulnerable Fireware OS versions exposed to CVE-2025-14733 via IKEv2.

Security SummaryAI

CVE-2025-14733 is an out-of-bounds write vulnerability (CWE-787) in WatchGuard Fireware OS that may allow a remote unauthenticated attacker to execute arbitrary code. It affects the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. The vulnerability impacts Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5, and 2025.1 up to and including 2025.1.3. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to high confidentiality, integrity, and availability impacts.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required. Successful exploitation enables arbitrary code execution on the affected Fireware OS device, potentially leading to full compromise of the VPN gateway.

Mitigation guidance is available in the WatchGuard PSIRT advisory at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14733.

Published on 2025-12-19, CVE-2025-14733's presence in the CISA KEV catalog indicates real-world exploitation.

Details

CWE(s): CWE-787
KEV Date Added: 19 December 2025

Affected Products

watchguard

fireware

11.10.2 — 12.5.15 · 11.10.2 — 12.11.6 · 2025.1 — 2025.1.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote unauthenticated arbitrary code execution on a public-facing VPN gateway via IKEv2, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
Vendor Advisory · 5d1c2695-1a31-4499-88ae-e847036fd7e3
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14733
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0