Alert - AL25-020 – Vulnerability Impacting WatchGuard Fireware OS - CVE-2025-14733

Number: AL25-020
Date: December 22, 2025

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Cyber Centre is aware of a critical WatchGuard Fireware OS Out-of-Bounds Write vulnerability affecting WatchGuard products (Footnote 1). In response to the vendor advisory released on December 18, 2025, the Cyber Centre issued AV25-850 (Footnote 2) on December 19, 2025.

CVE-2025-14733 (Footnote 3) is an Out-of-Bounds Write vulnerability (CWE-787) (Footnote 4) within the iked (Internet Key Exchange Daemon) process used for IKEv2 VPN connections. This flaw could allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable Firebox devices. The vulnerability impacts both Mobile User VPN with IKEv2 and Branch Office VPN configurations using IKEv2 when a dynamic gateway peer is enabled or was previously enabled.

Open-source reporting indicates that CVE-2025-14733 is being exploited.

On December 19, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Database (Footnote 5).

Suggested actions

The Cyber Centre recommends that organizations patch their WatchGuard Fireware OS to the following versions:

Vulnerable version                | Resolved version
2025.1                            | 2025.1.4
12.x                              | 12.11.6
12.5.x (T15 & T35 models)         | 12.5.15
12.3.1 (FIPS-certified release)   | 12.3.1_Update4 (B728352)
11.x                              | End of Life
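
The version table above can be applied to a device inventory as follows. This is an added example, not code from the Cyber Centre or WatchGuard; the function names, hostnames and inventory rows are constructed for illustration, and only the version floors and the T15/T35 model names come from the table.

```python
import re

# Fixed-version floors copied from the alert's table.
FIXED_2025_1 = (2025, 1, 4)
FIXED_12 = (12, 11, 6)
FIXED_12_5 = (12, 5, 15)          # applies to T15 and T35 models only
LEGACY_MODELS = {"T15", "T35"}

def parse(version):
    """'12.11.3' -> (12, 11, 3); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("_")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(version, model, fips=False):
    """Classify one device against the alert's resolved versions."""
    v = parse(version)
    if v[0] == 11:
        return "end of life: no fixed release"
    if fips and v == (12, 3, 1):
        # The update level is not visible in the dotted version string.
        return "manual check: need 12.3.1_Update4 (B728352)"
    if v[0] == 12:
        on_12_5_branch = model.upper() in LEGACY_MODELS and v[:2] == (12, 5)
        floor = FIXED_12_5 if on_12_5_branch else FIXED_12
    elif v[:2] == (2025, 1):
        floor = FIXED_2025_1
    else:
        return "not listed in the alert: check the vendor advisory"
    if v >= floor:
        return "patched"
    return "vulnerable: upgrade to " + ".".join(map(str, floor))

# Constructed inventory rows: (hostname, model, Fireware version, FIPS release?)
INVENTORY = [
    ("fw-branch-01", "T35", "12.5.13", False),
    ("fw-hq-01", "M470", "12.11.6", False),
    ("fw-hq-02", "M470", "12.5.15", False),
    ("fw-lab-01", "M470", "2025.1", False),
    ("fw-gov-01", "M470", "12.3.1", True),
    ("fw-old-01", "T15", "11.12.4", False),
]

def report(inventory=INVENTORY):
    return {host: triage(ver, model, fips) for host, model, ver, fips in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:14} {status}")
```

A "patched" result reflects the version number only; the log review and credential rotation advised in this Alert still apply to devices that were exposed before they were updated.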

The Cyber Centre strongly advises organizations to take the following actions:

  • Immediately update Firebox appliances to the latest patched Fireware OS versions
  • Review system logs and network traffic for any indicators of compromise (IOCs), as outlined in the vendor’s advisory (Footnote 1)
  • Implement temporary mitigations/workarounds if patching cannot be performed right away
  • Rotate all credentials and secrets on vulnerable devices that may have been exposed

If patching is not feasible at this time, organizations should follow WatchGuard’s security advisory (Footnote 1), which includes the following temporary workarounds (Footnote 6):

  • Disable dynamic peer Branch Office VPN (BOVPN) configurations
  • Create aliases and apply new firewall policies to restrict exposure
  • Disable default VPN policies to reduce attack surface

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions, with an emphasis on the following topics (Footnote 7):

  • Patching operating systems and applications
  • Segmenting and separating information
  • Isolating web-facing applications

Should activity matching the content of this Alert be discovered, recipients are encouraged to report it via My Cyber Portal or by email at contact@cyber.gc.ca.

References
