Hackers attack WatchGuard Firebox firewalls: 120K IPs exposed and vulnerable

With hackers already knocking at the gates, around 120,000 WatchGuard Firebox firewalls, which protect thousands of companies, remain unpatched and vulnerable to a critical flaw, according to the latest research by the ShadowServer Foundation.
Last week, WatchGuard disclosed a critical vulnerability in Firebox firewall firmware, requiring urgent patching. Its severity (CVSS) score is rated 9.3 out of 10.
The US Cybersecurity and Infrastructure Security Agency (CISA) released an emergency warning about this bug being already exploited by threat actors. The watchdog set a tight one-week deadline for federal agencies to apply the mitigations by December 26th.
Firebox network edge devices are widely used to secure the perimeters of thousands of companies.
The ShadowServer Foundation reports that it found nearly 125,000 IP addresses with WatchGuard Firebox devices unpatched for the critical flaw, labeled CVE-2025-14733.
The number decreased to 117,500 vulnerable IPs on December 21st, 2025.
Most of the vulnerable devices are in the US (35,600), followed by Germany (13,000), Italy (11,300), the United Kingdom (9,000), and Canada (5,800). Thousands more were found in other countries.
“An out-of-bounds Write vulnerability in the WatchGuard Fireware OS IKED (IKE daemon) process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” the vendor explains in an advisory.
Essentially, attackers can exploit the component that negotiates VPN connections by crafting malformed messages and sending them to the devices, thereby tricking the firewalls into executing the attacker's code without authorization.
The vulnerability affects dozens of WatchGuard products with Fireware OS versions 12.5.x, 2025.1.x, and 12.x, including older and end-of-life (11.x) versions.
Attention! We are scanning & reporting WatchGuard Firebox devices unpatched to CVE-2025-14733 (Out of Bounds Write Vulnerability, unauthenticated RCE, CVSS 9.8). Nearly 125 000 IPs found (2025-12-20): dashboard.shadowserver.org/statistics/c... WatchGuard Advisory: www.watchguard.com/wgrd-psirt/a...
The Shadowserver Foundation (@shadowserver.bsky.social), December 21, 2025 at 8:42 PM
Threat actors have been actively attempting to exploit this vulnerability in the wild. WatchGuard listed four IP addresses directly associated with the attacks. Attackers use them to probe for vulnerable devices, make exploitation attempts, and for command and control.
“During a successful exploit, the IKED process (responsible for handling IKE negotiations) will hang, interrupting VPN tunnel negotiations and re-keys. This is a strong indicator of attack,” the vendor warned.
Companies should immediately upgrade their devices to the latest version of Fireware OS and also check for signs of compromise. In cases of compromise, administrators should rotate all locally stored secrets on vulnerable Firebox appliances.
WatchGuard also shared a knowledge base article with best practices for rotating shared secrets stored on the Firebox, intended for administrators who have confirmed threat actor activity on their Firebox appliances.