What happened
CISA added CVE-2025-14733 to the Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed in-the-wild abuse of this bug against real targets [CISA KEV]. The flaw is an out-of-bounds write in the WatchGuard Fireware OS IKE daemon (iked) on Firebox appliances, enabling remote unauthenticated code execution in certain IKEv2 configurations [NVD entry]. MITRE tracks the issue under CVE-2025-14733 with the same impact characterization and affected product family [MITRE CVE record].
CISA's listing ties the vulnerability to active exploitation and mandates remediation under federal deadlines (added 2025-12-19; due 2025-12-26 for FCEB) [CISA KEV]. The NVD record classifies the flaw as a memory safety error (CWE-787) in the IKE daemon's message handling path [NVD entry].
Why it matters
When a firewall/VPN edge service is vulnerable pre-auth, exploitation scales fast and remote operators can pivot into internal networks without any user interaction [CISA KEV]. CISA's KEV inclusion is the strongest available signal that exploitation is occurring now, not hypothetically, and it calls for accelerated patching or mitigation plus threat hunting on internet-exposed devices [CISA KEV]. NVD's classification as an out-of-bounds write in the IKE daemon aligns with the typical exploit chains that achieve code execution in privileged network daemons [NVD entry].
For WatchGuard Firebox deployments that terminate IKEv2 tunnels, a single exposed interface may be enough for exploitation attempts if the vulnerable iked code path is reachable by unauthenticated traffic [MITRE CVE record]. Organizations that rely on these devices for branch or remote-access connectivity inherit a material blast radius from a daemon-level RCE on the control plane [NVD entry].
Technical detail
CVE-2025-14733 is a memory corruption bug categorized as CWE-787 (out-of-bounds write) in the Fireware OS iked process [NVD entry]. The vulnerable surface is associated with IKEv2 handling on WatchGuard Firebox, implicating configurations in which the IKE daemon processes unauthenticated negotiation messages [MITRE CVE record]. According to the public vulnerability records, successful exploitation can lead to arbitrary code execution by a remote, unauthenticated attacker when the vulnerable path is exposed [NVD entry].
CISA's KEV status means the vulnerability has been observed exploited in the wild, moving it from theoretical risk to active adversary tradecraft against edge devices [CISA KEV]. The product scope covers WatchGuard Firebox appliances running Fireware OS where iked is present to service IKEv2 VPN functions [MITRE CVE record]. The memory write primitive associated with CWE-787 is a common stepping stone to process takeover in low-level daemons, especially when input parsing occurs before any authentication gate [NVD entry].
Defense
CISA directs impacted organizations to apply mitigations per vendor guidance, follow BOD 22-01 guidance for cloud services where applicable, or discontinue use of the product if mitigations are unavailable [CISA KEV]. KEV inclusion also sets a remediation deadline for federal agencies (due 2025-12-26 for FCEB), which is a practical floor for urgency in the private sector as well [CISA KEV].
Prioritize devices that are internet-accessible and terminate IKEv2 tunnels for immediate mitigation and compromise assessment [MITRE CVE record]. After applying fixes or interim mitigations, hunt for indicators of daemon compromise or persistence attempts on all exposed instances, as flagged in the KEV advisory notes [CISA KEV]. Maintain an authoritative inventory of WatchGuard Firebox assets mapped to IKEv2 use so you can verify patch coverage against the NVD-listed CVE identifier [NVD entry].
If operational constraints delay full remediation, reduce exposure by limiting unauthenticated reachability to the vulnerable IKEv2 service path where possible, and monitor for anomalous behavior tied to iked restarts or crashes that suggest memory corruption attempts [NVD entry]. Treat any unexplained control-plane instability on Firebox devices during this window as potentially related until proven otherwise [MITRE CVE record].
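As an added illustration of the crash-monitoring advice above (example code written for this page, not code from WatchGuard, CISA or NVD), the following Python clusters iked fault events per device and lists the IKE_SA_INIT peers seen shortly before each fault as triage leads. The log lines and their "timestamp device process: message" layout are constructed for the example and are not Fireware's real log format; the regexes are assumptions to adapt to your actual log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic "timestamp device process: message" shape.
# This is NOT WatchGuard's real Fireware log format; adapt the regexes to your export.
SAMPLE_LOGS = """\
2025-12-20T01:00:05Z fw-edge-01 iked: IKE_SA_INIT received from 203.0.113.7
2025-12-20T01:00:07Z fw-edge-01 kernel: iked[1412] segfault (signal 11)
2025-12-20T01:03:02Z fw-edge-01 iked: IKE_SA_INIT received from 203.0.113.7
2025-12-20T01:03:04Z fw-edge-01 kernel: iked[1490] segfault (signal 11)
2025-12-20T01:05:00Z fw-edge-02 iked: IKE_SA_INIT received from 198.51.100.4
2025-12-20T01:05:01Z fw-edge-02 iked: IKE_SA established with 198.51.100.4
2025-12-20T02:30:00Z fw-edge-02 kernel: iked[2201] segfault (signal 11)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAULT_RE = re.compile(r"\biked\b.*(segfault|signal 11|crashed)", re.I)
INIT_RE = re.compile(r"IKE_SA_INIT received from (\S+)")


def parse(log_text):
    """Yield (timestamp, device, process, message); skip lines that do not parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts, m.group(2), m.group(3), m.group(4)


def hunt_iked_faults(log_text, window=timedelta(minutes=10), min_faults=2):
    """Flag devices with >= min_faults iked faults inside any window-long span.
    Returns {device: {"faults": [timestamps], "peers_before_fault": [peers]}}.
    Peers are IKE_SA_INIT sources seen within `window` before a fault: a lead for
    packet-capture review, not proof of attribution."""
    faults, suspects = defaultdict(list), defaultdict(set)
    last_init = defaultdict(dict)  # device -> {peer: last IKE_SA_INIT time}
    for ts, dev, proc, msg in parse(log_text):
        m = INIT_RE.search(msg)
        if m:
            last_init[dev][m.group(1)] = ts
        elif FAULT_RE.search(f"{proc}: {msg}"):
            faults[dev].append(ts)
            suspects[dev].update(p for p, t in last_init[dev].items() if ts - t <= window)
    report = {}
    for dev, times in faults.items():
        times.sort()
        # Sliding check: any min_faults consecutive faults falling inside one window.
        if any(times[i + min_faults - 1] - times[i] <= window
               for i in range(len(times) - min_faults + 1)):
            report[dev] = {"faults": times, "peers_before_fault": sorted(suspects[dev])}
    return report
```

A single iked fault (fw-edge-02 in the sample) is not flagged at the default threshold; lower min_faults to 1 during the exposure window if you would rather review every daemon crash by hand.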
Lyrie Verdict
This is a pre-auth edge-service RCE in a widely deployed firewall/VPN platform, already weaponized per CISA KEV, which means bot-driven exploitation at Internet scale is the baseline threat model [CISA KEV]. Lyrie treats KEV-listed perimeter bugs as machine-speed incidents: we auto-prioritize assets running vulnerable IKEv2 endpoints, flag anomalous IKE negotiation patterns and daemon fault signals, and enforce rapid containment policies to cut lateral movement on compromise attempts [NVD entry]. For rogue-AI-enabled adversaries chaining reconnaissance and exploitation across fleets, only autonomous detection and response on the control plane buys back time; we wire this CVE into our detectors and response playbooks so decisions execute faster than the exploit loop [MITRE CVE record].
KEV-listed, pre-auth IKE daemon RCE on a perimeter box invites bot-speed exploitation; Lyrie auto-prioritizes vulnerable IKEv2 assets, detects iked anomalies, and triggers containment at machine speed to blunt rogue-AI operators.