WatchGuard CVE-2025-14733 Update
Summary:
Members, we continue to monitor CVE-2025-14733 and its active exploitation. At this time, no formal attribution has been made to any specific adversary targeting these devices, but there is some evidence that the activity is part of a larger, multi-vendor campaign targeting edge networking equipment.
The attackers behind the active exploitation are likely initial access brokers (IABs) or state-sponsored actors who specialize in compromising firewalls and VPNs to gain a permanent foothold in corporate networks.
Security Officer Comments:
While not yet definitively linked to the current December zero-day, security researchers have noted that these specific types of "IKEv2 daemon" exploits are a signature of certain high-level threat groups:
- Sandworm (Russian GRU): Historically, Sandworm has been the most prolific hunter of WatchGuard vulnerabilities. In previous years (and as recently as late 2024), they built specialized botnets (like Cyclops Blink) specifically by exploiting unpatched Firebox appliances.
- Lazarus Group (North Korea): This group has recently shifted focus toward "pre-authentication" RCEs in security appliances to bypass multi-factor authentication (MFA) and steal crypto-assets or sensitive data.
Once they gain code execution, they typically attempt to extract locally stored secrets (like VPN shared keys) or create a persistent shell to move laterally into the internal network.
Because this is a pre-authentication exploit, the attacker does not need a username or password to take over the firewall. If your device is reachable via the public internet on UDP ports 500 or 4500 and is running an unpatched version, it is at high risk.
Suggested Corrections:
To check for exploitation attempts of CVE-2025-14733, you should focus your searches on Event and Diagnostic logs. WatchGuard has noted that while some indicators appear in standard logs, others require the Diagnostic Logging Level for "IKE" to be set to Information (the default is often "Error").
Search Queries for WatchGuard Dimension:
In Dimension, navigate to Log Search for your device and use the following "Any of these words" text searches.
Search for specific exploit payloads (run these searches under the Event or All log categories):
- Query: Received peer certificate chain is longer than 8
  Shows an attacker sending too many certificates to overflow the buffer.
- Query: iked request message has
  Once results appear, look for CERT(sz=XXXX) where the size is greater than 2000. This is a very strong indicator of an RCE attempt.
Search the Traffic logs for the known attacker IPs:
- Query: 199.247.7[.]82 OR 45.95.19[.]50 OR 51.15.17[.]89 OR 172.93.107[.]67
The same searches in field syntax:
- For the certificate chain overflow: msg:Received peer certificate chain is longer than 8
- For large IKE_AUTH payloads: msg:IKE_AUTH request (Note: You will then need to scan the results for sz= values over 2000.)
- For the known attacker IPs: src_ip:199.247.7[.]82 OR src_ip:45.95.19[.]50 OR src_ip:51.15.17[.]89 OR src_ip:172.93.107[.]67
Check for iked crashes in the Fireware Web UI:
- Go to System Status > Diagnostics.
- Fault Reports: Look for any reports mentioning iked or IKED.
- Timing: If you see a crash report that coincides with traffic from the malicious IPs listed above, assume the device is compromised.
Enable IKE diagnostic logging:
- Go to Log Configuration > Diagnostic Log Level.
- Set VPN > IKE to Information.
- Warning: This will increase log volume, so only leave it on for 24–48 hours while you investigate.
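For members who export Dimension or syslog output rather than searching in the UI, the following added Python script (not WatchGuard's code) applies the three checks above to a text log: the certificate-chain message, CERT(sz=NNNN) payloads over 2000 bytes in iked request lines, and traffic from the listed IPs. The line layout of the constructed sample (src_ip=... msg=...) is an assumption; only the message strings and IPs come from the advisory.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory above; the IPs are refanged here so they
# compare directly against the src_ip field of a real log line.
KNOWN_ATTACKER_IPS = {"199.247.7.82", "45.95.19.50", "51.15.17.89", "172.93.107.67"}
CHAIN_OVERFLOW_MSG = "Received peer certificate chain is longer than 8"
IKED_REQUEST_MSG = "iked request message has"
CERT_SIZE_THRESHOLD = 2000  # advisory: CERT(sz=...) above 2000 is a strong RCE indicator

# CERT(sz=NNNN) payload descriptors inside an iked diagnostic line.
CERT_SZ_RE = re.compile(r"CERT\(sz=(\d+)\)")
# Assumed field layout for the source address (adjust to your export format).
SRC_IP_RE = re.compile(r"src_ip=(\d{1,3}(?:\.\d{1,3}){3})")


def classify_line(line: str) -> List[str]:
    """Return the indicator names a single log line triggers (empty if benign)."""
    hits: List[str] = []
    if CHAIN_OVERFLOW_MSG in line:
        hits.append("cert_chain_overflow")
    if IKED_REQUEST_MSG in line:
        sizes = [int(s) for s in CERT_SZ_RE.findall(line)]
        if any(sz > CERT_SIZE_THRESHOLD for sz in sizes):
            hits.append("oversized_cert_payload")
    m = SRC_IP_RE.search(line)
    if m and m.group(1) in KNOWN_ATTACKER_IPS:
        hits.append("known_attacker_ip")
    return hits


def triage(log_text: str) -> Dict[str, List[int]]:
    """Map each indicator to the 1-based line numbers that triggered it."""
    findings: Dict[str, List[int]] = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        for hit in classify_line(line):
            findings.setdefault(hit, []).append(n)
    return findings


# Constructed sample lines (not real WatchGuard output): one benign IKE_AUTH,
# two lines from a listed IP showing both exploit indicators, one benign iked line.
SAMPLE_LOG = """\
2025-12-22 10:01:05 iked src_ip=203.0.113.10 msg=IKE_AUTH request CERT(sz=1024)
2025-12-22 10:01:07 iked src_ip=199.247.7.82 msg=Received peer certificate chain is longer than 8
2025-12-22 10:01:07 iked src_ip=199.247.7.82 msg=iked request message has CERT(sz=6120) CERT(sz=40)
2025-12-22 10:02:11 iked src_ip=198.51.100.7 msg=iked request message has CERT(sz=900)
"""

if __name__ == "__main__":
    for indicator, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"{indicator}: lines {lines}")
```

Feed it the exported log with `triage(open(path).read())`; any hit on the second or third indicator from the same source within minutes of an iked fault report matches the "assume compromised" condition above.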
https://www.helpnetsecurity.com/2025/12/22/watchguard-firebox-vulnerability-cve-2025-14733