WatchGuard has disclosed a critical remote code execution (RCE) vulnerability affecting Firebox firewall appliances running the Fireware operating system. The vulnerability, tracked as CVE-2025-14733, is being actively exploited in the wild shortly after public disclosure.
According to WatchGuard and multiple security researchers, threat actors are targeting internet-facing Firebox devices to achieve unauthenticated remote command execution, potentially leading to full firewall compromise and downstream network access.
Impact
If successfully exploited, CVE-2025-14733 allows an unauthenticated attacker to execute arbitrary commands on the affected firewall appliance. Given the role of Firebox devices as network perimeter controls, exploitation presents a high-impact risk scenario.
A compromised firewall may allow attackers to tamper with security policies, deploy additional malicious tooling, establish persistence, or use the device as a pivot point for lateral movement into internal networks.
Affected Technologies
This vulnerability impacts WatchGuard Firebox appliances running vulnerable versions of the Fireware operating system. Devices exposed to the internet are considered at highest risk.
Affected versions include:
- Fireware OS versions 11.10.2 up to and including 11.12.4_Update1
- Fireware OS versions 12.0 up to and including 12.11.5
- Fireware OS versions 2025.1 up to and including 2025.1.3
WatchGuard has released patched versions to address the issue.
Mitigation Guidance
Organizations using WatchGuard Firebox appliances should apply vendor-provided security updates immediately. Management interfaces should be restricted to trusted IP ranges, and firewall logs should be reviewed for signs of unauthorized access or abnormal activity.
If compromise is suspected, affected devices should be isolated, credentials rotated, and incident response procedures initiated without delay.
Stay Safe. Stay Secure
OP Innovate Research Team
