
CVE-2025-14733

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 19 December 2025

Modified: 23 December 2025
KEV Added: 19 December 2025

CVSS Score (v4.0): 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
EPSS Score: 0.1747 (96.7th percentile)
Risk Priority: 49 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14733 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in WatchGuard Fireware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 3.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-14733 is an out-of-bounds write vulnerability (CWE-787) in WatchGuard Fireware OS that may allow a remote unauthenticated attacker to execute arbitrary code. It affects the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. The vulnerability impacts Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5, and 2025.1 up to and including 2025.1.3. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to high confidentiality, integrity, and availability impacts.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required. Successful exploitation enables arbitrary code execution on the affected Fireware OS device, potentially leading to full compromise of the VPN gateway.

Mitigation guidance is available in the WatchGuard PSIRT advisory at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14733.

CVE-2025-14733 was published on 2025-12-19; its presence in the CISA KEV catalog indicates real-world exploitation.

Vulnerability details

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 19 December 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows remote unauthenticated arbitrary code execution on a public-facing VPN gateway via IKEv2, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9242 · Same product: WatchGuard Firebox M270 · both on KEV
CVE-2026-3342 · Same product: WatchGuard Firebox M270
CVE-2025-0282 · Shared CWE-787 · both on KEV
CVE-2025-29031 · Shared CWE-787
CVE-2024-12248 · Shared CWE-787
CVE-2026-21897 · Shared CWE-787
CVE-2019-25614 · Shared CWE-787
CVE-2026-5435 · Shared CWE-787
CVE-2024-57579 · Shared CWE-787
CVE-2025-25742 · Shared CWE-787

Affected Assets

Vendor: WatchGuard
Product: Fireware
Version ranges: 11.10.2 to 12.5.15 · 11.10.2 to 12.11.6 · 2025.1 to 2025.1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2, Flaw Remediation): Directly remediates the out-of-bounds write vulnerability in affected Fireware OS versions by requiring timely identification, testing, and deployment of vendor patches.

Prevent: Provides memory safeguards such as address space randomization and non-executable stacks that mitigate exploitation of the out-of-bounds write leading to arbitrary code execution.

Detect (RA-5, Vulnerability Monitoring and Scanning): Enables automated vulnerability scanning to identify systems running vulnerable Fireware OS versions exposed to CVE-2025-14733 via IKEv2.
