Security Advisories

WatchGuard Firebox iked Out of Bounds Write Vulnerability

WatchGuard — Fri, 19 Dec 2025 00:00:10 +0000

WatchGuard Firebox iked Out of Bounds Write Vulnerability

Advisory ID

WGSA-2025-00027

WatchGuard Thu, 12/18/2025 - 16:00

CVE

CVE-2025-14733

Impact

Critical

Status

Resolved

Product Family

Firebox

Published Date

2025-12-18

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

9.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red

Summary

Updated 29 December 2025: Updated to add two additional IP addresses to the Indicators of Attack
Updated 23 December 2025: Updated with post-exploitation activity identified up to this point
Updated 19 December 2025: Updated to clarify the significance of outbound vs inbound connections involving the IP addresses listed under the Indicators of Attack
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.
WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild.

Post-Exploit Activity

We have identified two variants of post-exploit activity targeting exposed Firebox appliances. In one variant, the threat actor encrypts and then exfiltrates the active configuration file from the Firebox to the same IP address that the attack originates from. In the second variant, the threat actor creates a gzip archive with both the active configuration file and the local management user database and exfiltrates the archive to the same IP address that the attack originates from. In all instances where a successful exploit is suspected, Firebox administrators should follow the remediation guidance described below and rotate all secrets stored on the Firebox.

Indicators of Attack

We are providing the following Indicators of Attack (IoAs) to help device owners identify potential attempts to exploit this vulnerability against vulnerable Firebox appliances. These IoAs are only applicable on devices that lack the resolution described later in this advisory.

IP Addresses

The following IP addresses are directly associated with known threat actor activity. Outbound connections to these IPs are a strong indicator of compromise. Inbound connections from these IPs could indicate reconnaissance efforts or exploit attempts.

45.95.19[.]50
51.15.17[.]89
172.93.107[.]67
199.247.7[.]82
38.252.8[.]14 - Added Dec 29
94.249.197[.]106 - Added Dec 29

Logs

Invalid peer certificate chain

With the iked diagnostic logging set to the default error logging level, the iked process generates a log message when the Firebox receives an IKE2 Auth payload with more than 8 certificates. This is a medium indicator of attack that the WatchGuard Threat Lab has observed associated with some threat actor activity.
1970-01-01 01:00:00 2025 Firebox-Name local3.err iked[2938]: (203.0.113.1<->203.0.113.2) Received peer certificate chain is longer than 8. Reject this certificate chain

Abnormally large IKE_AUTH request CERT payload

With the iked diagnostic logging set to the info logging level, the iked process generates a log message when the Firebox receives an IKE_AUTH request message. An IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes) is a strong indicator of an attack. This is a strong indicator of attack.
1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads [ IDi(sz=21) CERT(sz=3000) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]

Device Behavior

IKE process hang

During a successful exploit, the IKED process (responsible for handling IKE negotiations) will hang, interrupting VPN tunnel negotiations and re-keys. This is a strong indicator of attack. Existing tunnels may continue to pass traffic.

IKE process crash

After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox. Be aware, there are other situations that could cause the IKED process to crash. This is a weak indicator of attack.

Affected

This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.4
12.x	12.11.6
12.5.x (T15 & T35 models)	12.5.15
12.3.1 (FIPS-certified release)	12.3.1_Update4 (B728352)
11.x	End of Life

In addition to installing the latest Fireware OS that contains the fix, administrators that have confirmed threat actor activity on their Firebox appliances must take precautions to rotate all locally stored secrets on vulnerable Firebox appliances as described in our Best Practices to Rotate Shared Secrets Stored on the Firebox knowledge base article.

Workaround

If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Boot Time System Integrity Check Bypass

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Boot Time System Integrity Check Bypass

Advisory ID

WGSA-2025-00026

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-13940

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

6.7

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure. The on-demand system integrity check in the Fireware Web UI will correctly show a failed system integrity check message in the event of a failure.

Affected

This issue affects Fireware OS: from 12.8.1 through 12.11.4, from 2025.1 through 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox iked Memory Corruption Vulnerability

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox iked Memory Corruption Vulnerability

Advisory ID

WGSA-2025-00018

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-11838

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

8.7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Updated December 15 2025: Narrowed the scope of affected FirewareOS versions.
A memory corruption vulnerability in WatchGuard Fireware OS may allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition in the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.

Affected

This vulnerability affects Fireware OS 12.6.1 up to and including 12.11.4 and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5

Credits

McCaulay Hudson (@_McCaulay) of watchTowr

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI IPSec Configuration

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI IPSec Configuration

Advisory ID

WGSA-2025-00019

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-12195

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via specially crafted IPSec configuration CLI commands.

Affected

This vulnerability affects Fireware OS 11.0 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5
12.5.x (T15 & T35 models)	12.5.14
11.x	End of Life

Credits

Cody Sixteen

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in ConnectWise Technology Integration Configuration

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in ConnectWise Technology Integration Configuration

Advisory ID

WGSA-2025-00022

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-13937

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS.

Affected

This vulnerability affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5
12.5.x (T15 & T35 models)	12.5.14

Credits

https://www.linkedin.com/in/simonepaganessi

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Tigerpaw Technology Integration Configuration

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Tigerpaw Technology Integration Configuration

Advisory ID

WGSA-2025-00021

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-13936

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS.

Affected

This vulnerability affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5
12.5.x (T15 & T35 models)	12.5.14

Credits

https://www.linkedin.com/in/simonepaganessi

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Autotask Technology Integration Configuration

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Autotask Technology Integration Configuration

Advisory ID

WGSA-2025-00023

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-13938

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS.

Affected

This vulnerability affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5
12.5.x (T15 & T35 models)	12.5.14

Credits

https://www.linkedin.com/in/simonepaganessi

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Gateway Wireless Controller

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Gateway Wireless Controller

Advisory ID

WGSA-2025-00024

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-13939

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Gateway Wireless Controller module) allows Stored XSS.

Affected

This issue affects Fireware OS 11.7.2 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5
12.5.x (T15 & T35 models)	12.5.14
11.x	End of Life

Credits

https://www.linkedin.com/in/simonepaganessi

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Authenticated Out of Bounds Write in certd

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Authenticated Out of Bounds Write in certd

Advisory ID

WGSA-2025-00017

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-12026

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS’s certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands.

Affected

This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5
12.5.x (T15 & T35 models)	12.5.14

Credits

Cody Sixteen

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI Ping Command

WatchGuard — Thu, 04 Dec 2025 21:40:08 +0000

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI Ping Command

Advisory ID

WGSA-2025-00020

WatchGuard Thu, 12/04/2025 - 13:40

CVE

CVE-2025-12196

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-12-04

Updated Date

2025-12-29

Workaround Available

False

CVSS Score

8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via a specially crafted CLI command.

Affected

This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.3
12.x	12.11.5
12.5.x (T15 & T35 models)	12.5.14

Credits

btaol

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV