Vulnerability Summary
Vulnerability Name: Out-of-Bounds Write in iked Process
CVE ID: CVE-2025-14733
CVSS Score: 9.3 (as published by WatchGuard; note that the CVSS v3.1 vector below evaluates to 9.8, while 9.3 is the CVSS v4.0 base score for the same network, pre-authentication, high-impact profile)
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
Exploitability: Network-based, remote, unauthenticated, no user interaction
CWE Classification: CWE-787 (Out-of-bounds Write)
Affected Service: IKEv2 VPN (iked daemon)
Active Exploitation: Confirmed in the wild since December 18, 2025
Executive Overview
CVE-2025-14733 is a critical memory corruption vulnerability in WatchGuard Fireware OS affecting the Internet Key Exchange daemon (iked), which handles IKEv2 VPN negotiations. The flaw allows remote, unauthenticated attackers to execute arbitrary code with full system privileges by sending specially crafted IKEv2 authentication messages to exposed VPN endpoints.
Because WatchGuard firewalls are typically deployed at network perimeters, successful exploitation enables attackers to bypass perimeter defenses entirely, modify firewall rules, extract VPN credentials, and pivot into protected internal networks.
WatchGuard confirmed that this vulnerability has been actively exploited in real-world attacks since December 18, 2025.
Technical Root Cause
The vulnerability occurs during IKEv2 IKE_AUTH message processing, specifically when the iked daemon parses X.509 certificate chains supplied by a remote peer.
The implementation fails to correctly validate the length and count of certificates included in the CERT payload. When an attacker submits an oversized certificate chain, the daemon writes data beyond the bounds of a fixed-size memory buffer. This out-of-bounds write corrupts adjacent memory and allows attackers to redirect execution flow.
Key contributing factors:
- Missing bounds checks on certificate chain length
- Fixed-size buffers used for variable-length certificate data
- Pre-authentication attack surface exposed on UDP ports 500 and 4500
The flaw affects both Mobile VPN and Branch Office VPN configurations using IKEv2, including dynamic and static gateway scenarios.
Exploitation Mechanics (How the Attack Works)
1. Target Identification
Attackers scan for WatchGuard Firebox appliances with IKE services exposed:
- UDP 500 (IKE)
- UDP 4500 (NAT Traversal)
2. Malicious IKE_AUTH Message
A crafted IKE_AUTH request is sent containing an abnormally large CERT payload, violating protocol expectations but accepted by the vulnerable daemon.
Typical exploit characteristics include:
- Certificate chains larger than 2000 bytes
- More than 8 certificates in the chain
- Otherwise valid IKE payload structure to avoid early rejection
3. Buffer Overflow Trigger
During parsing, the iked process copies the certificate chain into a fixed-size buffer without verifying length. Excess data overwrites adjacent memory structures.
4. Code Execution
By carefully shaping the overflow data, attackers overwrite execution control elements such as function pointers or return addresses. When the daemon continues execution, control is redirected to attacker-supplied shellcode embedded within the payload.
5. Post-Exploitation Activity
With system-level privileges, attackers can:
- Install backdoors
- Modify firewall and NAT rules
- Extract VPN credentials, certificates, and keys
- Establish persistent access
- Pivot into internal networks
Exploitation Payload Characteristics
No public exploit code has been released, but analysis of observed attacks shows consistent payload patterns.
Malicious IKE_AUTH Structure (Observed):
IKE_AUTH request containing:
- IDi: 21 bytes (normal)
- CERT: >2000 bytes (overflow trigger)
- Certificate count: >8
- SA: 44 bytes
- TSi: 24 bytes
- TSr: 24 bytes
- Notify: 8 bytes
The oversized CERT payload contains both overflow data and embedded shellcode designed to survive memory corruption.
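The CERT handling described in the root cause, exploitation mechanics and payload structure sections above, as an added example in C that is not WatchGuard code and is not derived from iked. It serialises a constructed IKE_AUTH payload chain using the RFC 7296 generic payload header (next payload, reserved, big-endian length), walks it with proper length validation, renders the same per-payload summary as the info-level log line, and contrasts the unchecked copy into a fixed-size chain buffer (the CWE-787 pattern) with the bounds-checked version. The summary reads sz as the payload length field including its 4-byte header, an assumption that fits the observed sizes: TSi(sz=24) is a header plus one 16-byte IPv4 traffic selector, and N(sz=8) is a header plus a 4-byte notify with no SPI. CHAIN_BUF, MAX_CERTS, the payload sizes and all function names are assumptions for the illustration.

```c
/* Added illustration of the bug class behind CVE-2025-14733, not WatchGuard code. It models the
 * decrypted IKE_AUTH payload chain (RFC 7296 generic payload headers), a fixed-size certificate
 * chain buffer and the missing bounds check. CHAIN_BUF, MAX_CERTS and all sizes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PT_NONE = 0, PT_SA = 33, PT_IDI = 35, PT_CERT = 37, PT_N = 41, PT_TSI = 44, PT_TSR = 45 };
#define CHAIN_BUF 2048   /* hypothetical fixed buffer for the peer's certificate chain */
#define MAX_CERTS 8      /* cap implied by the "longer than 8" log message quoted above */
struct pl_spec    { uint8_t type; uint16_t total_len; };   /* total_len includes the 4-byte header */
struct pl_view    { uint8_t type; uint16_t len; const uint8_t *body; size_t body_len; };
struct cert_chain { uint8_t data[CHAIN_BUF]; size_t len; unsigned count; };

/* Serialise a constructed chain: header (next payload, reserved, big-endian length) + 0x41 filler. */
size_t build_chain(const struct pl_spec *spec, size_t n, uint8_t *out, size_t cap, uint8_t *first)
{
    size_t off = 0;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t len = spec[i].total_len;
        if (len < 4 || len > cap - off) return 0;
        out[off] = (i + 1 < n) ? spec[i + 1].type : PT_NONE;   out[off + 1] = 0;
        out[off + 2] = (uint8_t)(len >> 8);                     out[off + 3] = (uint8_t)len;
        memset(out + off + 4, 0x41, len - 4u);
        off += len;
    }
    *first = spec[0].type;
    return off;
}
/* Walk the chain, checking each length field against the bytes left. Returns count or -1. */
int walk_chain(const uint8_t *buf, size_t len, uint8_t first, struct pl_view *out, size_t max_out)
{
    size_t off = 0, n = 0;
    for (uint8_t type = first; type != PT_NONE; n++) {
        if (n == max_out || len - off < 4) return -1;
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        if (plen < 4 || plen > len - off) return -1;
        out[n] = (struct pl_view){ type, plen, buf + off + 4, plen - 4u };
        type = buf[off];
        off += plen;
    }
    return (int)n;
}
static const char *pl_name(uint8_t t)
{
    return t == PT_SA ? "SA" : t == PT_IDI ? "IDi" : t == PT_CERT ? "CERT" :
           t == PT_N ? "N" : t == PT_TSI ? "TSi" : t == PT_TSR ? "TSr" : "?";
}
/* Render the chain in the shape of the iked info-level log line quoted above. */
void format_summary(const struct pl_view *pv, int n, char *dst, size_t cap)
{
    size_t pos = 0;
    int w = snprintf(dst, cap, "[");
    for (int i = 0; i < n && w >= 0 && (size_t)w < cap - pos; i++) {
        pos += (size_t)w;
        w = snprintf(dst + pos, cap - pos, " %s(sz=%u)", pl_name(pv[i].type), pv[i].len);
    }
    if (w >= 0 && (size_t)w < cap - pos) snprintf(dst + pos + (size_t)w, cap - pos - (size_t)w, " ]");
}

/* checked=0 is the CWE-787 pattern: every CERT body is appended with no length or count test, so a
 * chain larger than CHAIN_BUF writes past cc->data (never run that on untrusted input).
 * checked=1 is the fix: reject before copying on overflow (-1) or too many certificates (-2). */
int collect_certs(const struct pl_view *pv, int n, struct cert_chain *cc, int checked)
{
    cc->len = 0; cc->count = 0;
    for (int i = 0; i < n; i++) {
        if (pv[i].type != PT_CERT) continue;
        if (checked && cc->count >= MAX_CERTS) return -2;
        if (checked && pv[i].body_len > CHAIN_BUF - cc->len) return -1;
        memcpy(cc->data + cc->len, pv[i].body, pv[i].body_len);
        cc->len += pv[i].body_len;
        cc->count++;
    }
    return 0;
}

/* build -> walk -> summary -> checked collector. Returns the collector's error code, or the number
 * of certificate bytes accepted when the chain passes. */
int analyse_chain(const struct pl_spec *spec, size_t n, char *summary, size_t cap)
{
    uint8_t wire[4096], first = PT_NONE;
    struct pl_view pv[32];
    struct cert_chain cc;
    size_t len = build_chain(spec, n, wire, sizeof wire, &first);
    int np = len ? walk_chain(wire, len, first, pv, 32) : -1;
    if (np < 0) return -99;
    format_summary(pv, np, summary, cap);
    int rc = collect_certs(pv, np, &cc, 1);
    return rc < 0 ? rc : (int)cc.len;
}
/* Constructed chains: OBSERVED mirrors the log line above (one 3000-byte CERT = 2996 body bytes,
 * rejected with -1), MANY is nine small CERT payloads (rejected with -2), BENIGN passes (996). */
#define C100 { PT_CERT, 100 }
const struct pl_spec OBSERVED[6] = { { PT_IDI, 21 }, { PT_CERT, 3000 }, { PT_SA, 44 },
                                     { PT_TSI, 24 }, { PT_TSR, 24 }, { PT_N, 8 } };
const struct pl_spec MANY[10]    = { { PT_IDI, 21 }, C100, C100, C100, C100, C100, C100, C100, C100, C100 };
const struct pl_spec BENIGN[3]   = { { PT_IDI, 21 }, { PT_CERT, 1000 }, { PT_SA, 44 } };
```

With OBSERVED, the checked collector refuses the chain before a single byte is copied; with checked=0 the same chain writes 948 bytes past the end of the 2048-byte buffer, which is the bug class the advisory describes. The length check belongs before the copy and must be expressed as remaining space (CHAIN_BUF - cc->len) rather than a comparison on the total afterwards, so it cannot be bypassed by integer wrap.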
Known Threat Actor Infrastructure
Confirmed IP addresses associated with active exploitation:
- 199.247.7[.]82 (primary, high confidence)
- 45.95.19[.]50
- 51.15.17[.]89
- 172.93.107[.]67
The infrastructure overlaps with recent Fortinet exploitation campaigns (CVE-2025-59718 / CVE-2025-59719), indicating coordinated or shared tooling across firewall platforms.
Detection and Indicators of Compromise
Network-Level Indicators
- Inbound IKE traffic (UDP 500/4500) from the IPs listed above
- Repeated IKE_AUTH attempts with varying CERT sizes (note that IKE_AUTH payloads, CERT included, are carried inside the Encrypted (SK) payload, so CERT sizes are visible only in the firewall's own iked logs; on the wire, an abnormally large IKE_AUTH message from an unknown source is the nearest equivalent)
- Rapid sequential IKE negotiations from a single source
Log-Based Indicators
Medium Confidence (Default Logging):
iked[PID]: Received peer certificate chain is longer than 8. Reject this certificate chain
High Confidence (Info-Level Logging):
iked "IKE_AUTH request" message has 6 payloads
[ IDi(sz=21) CERT(sz=3000) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8) ]
Any CERT payload exceeding 2000 bytes should be treated as a likely exploitation attempt.
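The log-based indicators above, turned into a small classifier (an added example, not WatchGuard tooling): it extracts the CERT size from the bracketed payload summary, applies the 2000-byte threshold as the high-confidence signal, and counts the default-logging rejection message separately as the medium-confidence signal. The sample lines are constructed for the example (the two indicator lines from this page plus a benign summary and a response line in the same format). In a real deployment the input would be the Fireware log export or the syslog feed, and each match should be joined with the source IP from the surrounding iked entries, which this example does not model.

```c
/* Added detection example, not WatchGuard code: classifies Fireware iked log lines using the two
 * indicators quoted above. Sample lines are constructed; the 2000-byte threshold is the advisory
 * guidance and "sz" is read as the CERT payload length field. */
#include <stdlib.h>
#include <string.h>

#define CERT_SZ_THRESHOLD 2000
enum verdict { V_NONE = 0, V_MEDIUM = 1, V_HIGH = 2 };
struct tally { unsigned none, medium, high; };

/* Returns N from the first "CERT(sz=N)" token on the line, or -1 if absent or malformed. */
long cert_size_from_line(const char *line)
{
    const char *p = strstr(line, "CERT(sz=");
    if (!p) return -1;
    char *end;
    long v = strtol(p + 8, &end, 10);
    return (end == p + 8 || *end != ')' || v < 0) ? -1 : v;
}

/* Medium confidence: the default-logging rejection message. High confidence: an info-level payload
 * summary whose CERT size exceeds the threshold. The info-level entry may be wrapped onto two
 * lines, so only the bracketed summary line has to reach this function. */
enum verdict classify_line(const char *line)
{
    if (strstr(line, "Received peer certificate chain is longer than 8")) return V_MEDIUM;
    return cert_size_from_line(line) > CERT_SZ_THRESHOLD ? V_HIGH : V_NONE;
}

struct tally scan_lines(const char *const *lines, size_t n)
{
    struct tally t = { 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        switch (classify_line(lines[i])) {
        case V_HIGH:   t.high++;   break;
        case V_MEDIUM: t.medium++; break;
        default:       t.none++;   break;
        }
    }
    return t;
}

/* Constructed sample extract: the two indicator lines from the page, a benign summary, and a
 * response line in the same format. */
const char *const SAMPLE[5] = {
    "iked[1234]: Received peer certificate chain is longer than 8. Reject this certificate chain",
    "iked \"IKE_AUTH request\" message has 6 payloads",
    "[ IDi(sz=21) CERT(sz=3000) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8) ]",
    "[ IDi(sz=21) CERT(sz=1180) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8) ]",
    "iked \"IKE_AUTH response\" message has 5 payloads",
};

struct tally scan_sample(void) { return scan_lines(SAMPLE, 5); }
```

A single medium-confidence hit is worth a look but not an incident on its own: a misconfigured peer can send a long legitimate chain. A high-confidence hit, or a medium-confidence hit from one of the listed source addresses, should trigger the assume-breach steps in the response guidance below.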
Behavioral Indicators
- iked process hang (strong indicator): new VPN tunnels fail to establish while existing tunnels remain active
- iked process crash (weak indicator on its own): fault reports generated after malformed traffic
- Unexplained outbound connections from the firewall itself
Affected Versions and Fixed Releases
Vulnerable Versions
- Fireware OS 11.10.2 – 11.12.4_Update1 (End-of-Life, no patch)
- Fireware OS 12.0 – 12.11.5
- Fireware OS 12.5.x (T15 / T35 models)
- Fireware OS 12.3.1 FIPS-certified
- Fireware OS 2025.1 – 2025.1.3
Fixed Versions
- 12.11.6
- 12.5.15
- 12.3.1_Update4 (B728352)
- 2025.1.4
Critical Configuration Note
Firewalls remain vulnerable even after Mobile VPN and dynamic gateway configurations are deleted if any Branch Office VPN to a static gateway remains enabled with IKEv2: the vulnerable parsing path stays reachable from the network for as long as iked accepts IKEv2 negotiations at all.
Immediate Mitigation and Response Guidance
Priority 1 – Patch Immediately
Apply the appropriate update from the official WatchGuard advisory:
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
Priority 2 – Temporary Mitigation (If Patching Is Delayed)
- Disable all IKEv2 VPN services
- Switch to one of:
  - SSL VPN
  - IKEv1 IPSec
  - A temporary alternative VPN solution
Priority 3 – Restrict Exposure
- Limit UDP 500/4500 access to trusted IP ranges
- Block known attacker IPs
- Enable geo-blocking if operationally feasible
Priority 4 – Assume Breach if Exploitation Is Suspected
After patching, rotate all locally stored secrets, including:
- VPN pre-shared keys
- Certificates and private keys
- RADIUS/LDAP secrets
- Administrative credentials
- API tokens
Attackers may have extracted credentials during exploitation.
End-of-Life Devices (Fireware OS 11.x)
No security patches are available. Continued operation of exposed devices presents severe risk. Organizations should:
- Upgrade to a supported Fireware OS version
- Replace unsupported hardware
- Or remove the device from service
Final Risk Takeaway
CVE-2025-14733 represents a worst-case perimeter vulnerability:
- Pre-authentication
- Remote code execution
- Active exploitation
- Firewall-level impact
Organizations running WatchGuard Fireware OS with IKEv2 exposed should treat this issue as incident-level, not routine patching.
