
The resolved versions are 2025.1.4, 12.11.6, 12.5.15 (T15 & T35 models), and 12.3.1_Update4 (B728352) for the FIPS-certified release. There is no fix for 11.x, which is considered end of life.
Importantly, WatchGuard warned, patching may not be enough: “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”
And some admins have even more post-patching tasks to perform, it said, noting, “in addition to installing the latest Fireware OS that contains the fix, administrators that have confirmed threat actor activity on their Firebox appliances must take precautions to rotate all locally stored secrets on vulnerable Firebox appliances.”
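Added example (not from the article or from WatchGuard): a small Python triage of a constructed Firebox inventory against the fixed versions listed above, applying the two post-patch caveats quoted from the vendor. The major.minor branch keying, the `fmt`/`assess`/`triage` helpers and the handling of branches the article does not list are assumptions of this example.

```python
# Fixed Fireware versions named in the article; the branch keying (major.minor)
# and the treatment of branches not listed are assumptions of this example.
FIXED = {
    "2025.1": (2025, 1, 4, 0),
    "12.11": (12, 11, 6, 0),
    "12.5": (12, 5, 15, 0),   # T15 and T35 models
    "12.3": (12, 3, 1, 4),    # FIPS-certified release, 12.3.1_Update4
}

def parse_version(text):
    """'12.3.1_Update4' -> (12, 3, 1, 4); '12.11.6' -> (12, 11, 6, 0)."""
    base, _, update = text.partition("_Update")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + (int(update) if update else 0,)

def fmt(v):
    base = ".".join(str(n) for n in v[:3])
    return f"{base}_Update{v[3]}" if v[3] else base

def assess(version, compromised=False, had_dynamic_ikev2=False):
    """Return (status, action) for one appliance.
    compromised: confirmed threat-actor activity on the box.
    had_dynamic_ikev2: mobile-user IKEv2 or dynamic-peer IKEv2 BOVPN was
    configured then deleted, while a static-peer BOVPN is still present."""
    v = parse_version(version)
    if v[0] <= 11:
        return "end-of-life", "no fix for 11.x; migrate off this release"
    fixed = FIXED.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unlisted-branch", "move to a branch with a fixed build"
    if v < fixed:
        return "vulnerable", f"upgrade to {fmt(fixed)}"
    notes = []
    if had_dynamic_ikev2:
        notes.append("may still be vulnerable; review static-peer BOVPN")
    if compromised:
        notes.append("rotate all locally stored secrets")
    status = "needs-review" if had_dynamic_ikev2 else "patched"
    return status, "; ".join(notes) or "none"

# Constructed sample inventory: (hostname, version, compromised, had_dynamic_ikev2)
INVENTORY = [
    ("fw-hq", "12.11.5", False, False),
    ("fw-t35", "12.5.15", True, False),
    ("fw-fips", "12.3.1", False, False),
    ("fw-legacy", "11.12.4", False, False),
    ("fw-dc", "2025.1.4", False, True),
]

def triage(inventory):
    return {name: assess(*rest) for name, *rest in inventory}
```

Running `triage(INVENTORY)` returns one (status, action) pair per hostname, which is the list an admin would work from: what to upgrade, what to retire, and which patched boxes still need follow-up.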
Deja vu
In September, WatchGuard patched a similar Firebox vulnerability, CVE-2025-9242, also affecting the iked VPN configuration and given a CVSS score of 9.3. At the time, WatchGuard said there were no reports of active exploitation, but by October, the company had revised this assessment after exploitation attempts were detected.
This is a reminder not to read initial vulnerability assessments for this type of infrastructure too optimistically — exploitation is frequently detected after a flaw has been made public. Firewalls and VPNs are major targets for cybercriminals, and every significant vulnerability in them represents a clear and present cyber security risk.
Unfortunately, the evidence shows that some WatchGuard customers don’t patch vulnerabilities as quickly as they should. In October, a scan by The Shadowserver Foundation found that over 71,000 Firebox appliances had not yet been patched for CVE-2025-9242, including 23,000 in the US. Despite its zero-day status, it’s likely to be a similar story for CVE-2025-14733.