Patch now! In Germany, 11,000 WatchGuard firewalls are still vulnerable
Security researchers warn that more than 117,000 WatchGuard firewalls of the Firebox series worldwide are still without a security update.
Attackers are currently targeting WatchGuard Firebox firewalls and compromising devices. Security patches are available but have apparently not yet been installed everywhere. Admins should act immediately to prevent attackers from gaining access to company networks.
Dangerous Vulnerability
Security researchers from Shadowserver show in a graph from last Sunday that more than 117,000 instances worldwide are still vulnerable. The "critical" security vulnerability (CVE-2025-14733) is in Fireware OS and affects Firebox firewalls. Devices are vulnerable if Mobile User VPN with IKEv2 and Branch Office VPN with IKEv2 are configured with a dynamic gateway peer. The vulnerability has been known for a few days.
Attacks are said to be possible remotely and without authentication. Attackers then execute malicious code and take control. The extent to which the attacks are occurring is currently unknown. The majority of unpatched instances, more than 57,000 so far, are in Europe. According to a graph from Shadowserver, more than 11,000 of these firewalls are in Germany.
To secure devices, admins must install Fireware OS 12.3.1_Update4 (B728352), 12.5.15, 12.11.6 or 2025.1.4. If this is not immediately possible, admins must temporarily protect their networks via a workaround. WatchGuard explains how to do this in a post.
In a warning message, the manufacturer lists various indicators, such as IP addresses and certain log entries, that admins can use to identify firewalls that have already been attacked. This post also provides further information on the vulnerability and affected models.
(des)