WatchGuard Firebox OS forced to patch worrying security flaw, so update now

1. Pro
2. Security

WatchGuard Firebox OS forced to patch worrying security flaw, so update now News By Sead Fadilpašić published 22 December 2025

The firewall maker found a critical RCE

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: Getty Images) Share Share by:

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google

• WatchGuard patches critical RCE flaw (CVE‑2025‑14733) in Firebox firewalls, being actively exploited in the wild
• CISA added it to KEV; federal agencies must patch or stop use by December 26
• Workarounds include disabling dynamic peer BOVPNs and tightening firewall policies until fixes are applied

WatchGuard has patched a critical-severity zero-day vulnerability in its Firebox firewalls, and urged all users to apply the fix immediately.

In a new security advisory, the company said firewalls running Fireware OS 11.x and later, 12.x and later, and 2025.1 up to (and including) 2025.1.3, contained an out-of-bounds write vulnerability that allowed unauthenticated attackers to execute arbitrary code, remotely (RCE). This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.

The flaw is now tracked as CVE-2025-14733, and was given a severity score of 9.3/10 (critical). WatchGuard said it has seen threat actors “actively attempting to exploit” the vulnerability in the wild, but did not discuss which groups were using it, or against whom.

You may like

• Worrying WatchGuard VPN bug could let hackers hijack your devices - here's how to stay safe
• Around 50,000 Cisco firewalls are vulnerable to attack, so patch now
• SonicWall tells customers to patch SonicOS flaw allowing hackers to crash firewalls

CISA adds the bug to KEV

Those that cannot apply the fix immediately can work around the issue by disabling dynamic peer BOVPNs, adding new firewall policies, and disabling the default system policies that handle VPN traffic.

At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added the RCE flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving all Federal Civilian Executive Branch (FCEB) agencies just a one-week deadline to patch up or stop using vulnerable Firebox firewalls entirely.

The entry was added on December 19, with the due date being December 26.

A few months ago, WatchGuard patched a similar RCE bug in its Firebox firewalls, BleepingComputer reported. In October 2025, internet watchdog Shadowserver said there were more than 75,000 exposed instances, with the majority being located in North America, and Europe. This vulnerability, too, was added to CISA’s KEV a few weeks later.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

WatchGuard Technologies is a global cybersecurity company that serves more than 250,000 customers worldwide across small and midsize enterprises, MSPs, and other organizations.

Via BleepingComputer

The best antivirus for all budgetsOur top picks, based on real-world testing and comparisons

➡️ Read our full guide to the best antivirus1. Best overall:Bitdefender Total Security2. Best for families:Norton 360 with LifeLock3. Best for mobile:McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead FadilpašićSocial Links Navigation

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Show More Comments

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more Worrying WatchGuard VPN bug could let hackers hijack your devices - here's how to stay safe    Around 50,000 Cisco firewalls are vulnerable to attack, so patch now    SonicWall tells customers to patch SonicOS flaw allowing hackers to crash firewalls    Fortinet customers told to update immediately following major security issue - here's what we know    CISA warns exploited Cisco flaws are a serious risk, so patch now    Fortinet admits it found another worrying zero-day being exploited in attacks    Latest in Security HPE tells customers to patch OneView immediately as top-level security flaw spotted    Motherboards from Gigabyte, MSI, ASUS, ASRock at risk from new UEFI flaw attack - here's what we know    Trump’s new $900 billion Pentagon funding plan includes ‘enhanced cybersecurity protections’ for Cyber Command - here’s what we know    Amazon is reportedly being deluged with North Korean job applicants eager to break inside its walls    NHS England tech provider reveals data breach - DXS International hit by ransomware    Eurostar chatbot security flaws almost left customers exposed to possible security threats    Latest in News Large External SSDs are now cheaper than internal ones as 4TB SATA SSD face extinction due to negligible price difference    Mullvad VPN boosts WireGuard speeds and stability with new Rust-based engine    This gift-wrapping robot is quite funny, actually    Federal judge blocks Louisiana’s social media age verification law – here's why    'We put the most pressure on ourselves' — Tomb Raider studio head on remaking one of the most iconic games of all time    Watch out – RAM rip-offs are now in vogue, so here's how to avoid them    LATEST ARTICLES

1. 1Gemini 3 Flash is smart — but when it doesn’t know, it makes stuff up anyway
2. 2Watch out, Nvidia - Qualcomm acquires Alphawave Semi in latest addition to its AI data center push
3. 3TechRadar Gaming's favorite gaming devices of 2025: personal picks from all the year's gear
4. 4Large External SSDs are now cheaper than internal ones as 4TB SATA SSD face extinction due to negligible price difference
5. 5Arm sheds billions in market capitalization after Qualcomm hints at RISC-V adoption with Ventara Micro acquisition