Patch now! Attackers push malware onto WatchGuard Firebox
Attackers are currently targeting WatchGuard Firebox series firewalls. Security patches are available for download.
Because of ongoing attacks, administrators should update their WatchGuard Firebox firewalls to the latest version. Attackers are already executing malware on devices.
Background
In a security advisory, the developers state that the “critical” vulnerability (CVE-2025-14733) in Fireware OS affects the following configurations: Mobile User VPN with IKEv2 and Branch Office VPN with IKEv2 when configured with a dynamic gateway peer.
In these configurations, remote attacks without authentication are possible. If attackers successfully exploit the vulnerability, out-of-bounds memory errors occur and malware is loaded onto the system.
The extent and exact nature of such attacks are currently unknown. It is also unclear what attackers are specifically doing. However, given the critical classification, it can be assumed that attackers can fully compromise devices after executing malware.
To help administrators identify instances that have already been attacked, WatchGuard lists various Indicators of Compromise (IoCs), such as IP addresses, in the security advisory. There are also specific clues in log files. Furthermore, VPN connections experience errors after successful attacks.
Countermeasures
To protect firewalls and networks, administrators must quickly install Fireware OS 12.3.1_Update4 (B728352), 12.5.15, 12.11.6, or 2025.1.4. Support for the 11.x version series has expired, so it no longer receives security patches; devices on 11.x must be upgraded.
If administrators cannot install the secured versions directly, they must temporarily secure devices via a workaround.
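For triaging a fleet against the fixed releases listed above, the following added example (not from WatchGuard or the original article) classifies Fireware OS version strings. It assumes a device is compared only against the fixed release of its own branch and that the inventory is a hostname-to-version mapping; the hostnames and the status labels are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by release branch.
# Assumption: each device is compared only with the fix for its own branch.
FIXED = {
    "12.3.1": "12.3.1_Update4",
    "12.5": "12.5.15",
    "12.11": "12.11.6",
    "2025.1": "2025.1.4",
}

def parse(version):
    """Split '12.3.1_Update4' into ((12, 3, 1), 4); plain versions get update 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)(?:_Update(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def triage(version):
    """Return 'patched', 'needs-update', 'unsupported' or 'check-advisory'."""
    nums, update = parse(version)
    if nums[0] == 11:
        return "unsupported"  # 11.x is out of support: no patch, upgrade required
    # Try longer branch names first so '12.3.1' wins over any shorter prefix.
    for branch in sorted(FIXED, key=len, reverse=True):
        bnums = tuple(int(p) for p in branch.split("."))
        if nums[:len(bnums)] == bnums:
            fixed = parse(FIXED[branch])
            return "patched" if (nums, update) >= fixed else "needs-update"
    # Branch not named in the article: do not guess, consult the advisory.
    return "check-advisory"

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "fw-branch-01": "12.5.14",
    "fw-branch-02": "12.11.6",
    "fw-fips-01": "12.3.1_Update3",
    "fw-hq-01": "2025.1.4",
    "fw-legacy-01": "11.12.4",
    "fw-lab-01": "12.8.2",
}

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE).items()):
        print(f"{host:14} {SAMPLE[host]:16} {status}")
```

A "needs-update" result only means the version predates the fix for its branch; whether the device is exposed still depends on the IKEv2 configurations named in the advisory.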
(des)