CVE-2025-14733

CriticalCISA KEVActive Exploitation

Published: 19 December 2025

Published

19 December 2025

Modified

23 December 2025

KEV Added

19 December 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.2776 96.5th percentile

Risk Priority 56 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14733 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Watchguard Fireware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds write vulnerability in affected Fireware OS versions by requiring timely identification, testing, and deployment of vendor patches.

SI-16 Memory Protection partial match

prevent

Provides memory safeguards such as address space randomization and non-executable stacks that mitigate exploitation of the out-of-bounds write leading to arbitrary code execution.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables automated vulnerability scanning to identify systems running vulnerable Fireware OS versions exposed to CVE-2025-14733 via IKEv2.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote unauthenticated arbitrary code execution on a public-facing VPN gateway via IKEv2, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic…

gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.

Deeper analysisAI

CVE-2025-14733 is an out-of-bounds write vulnerability (CWE-787) in WatchGuard Fireware OS that may allow a remote unauthenticated attacker to execute arbitrary code. It affects the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. The vulnerability impacts Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5, and 2025.1 up to and including 2025.1.3. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to high confidentiality, integrity, and availability impacts.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required. Successful exploitation enables arbitrary code execution on the affected Fireware OS device, potentially leading to full compromise of the VPN gateway.

Mitigation guidance is available in the WatchGuard PSIRT advisory at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14733.

Published on 2025-12-19, CVE-2025-14733's presence in the CISA KEV catalog indicates real-world exploitation.