Critical Out-of-Bounds Write Vulnerabilities in WatchGuard Firebox Firewalls Exploited in the Wild
Summary
Over 115,000 WatchGuard Firebox network security appliances remain exposed to critical remote code execution flaws, including CVE-2025-9242 and the newly disclosed CVE-2025-14733. These vulnerabilities allow remote attackers to execute code without authentication. WatchGuard has released patches and provided temporary workarounds for administrators who cannot immediately update their devices. The vulnerabilities are being actively exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog on November 13, 2025, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025. The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025. As of November 12, 2025, over 54,300 Firebox instances remained vulnerable, with the U.S. having the highest number of vulnerable devices at 18,500. On December 22, 2025, Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day. CISA added CVE-2025-14733 to its KEV Catalog and ordered FCEB agencies to patch Firebox firewalls within a week, by December 26th.
Timeline
-
22.12.2025 11:00 1 article · 23h ago
CISA adds CVE-2025-14733 to KEV catalog due to active exploitation
CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog on the day after WatchGuard released patches. The U.S. cybersecurity agency also ordered Federal Civilian Executive Branch (FCEB) agencies to patch Firebox firewalls within a week, by December 26th, as mandated by the Binding Operational Directive (BOD) 22-01. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Sources:
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
19.12.2025 12:25 2 articles · 3d ago
WatchGuard warns of new critical RCE flaw in Firebox firewalls exploited in attacks
WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability (CVE-2025-14733) in its Firebox firewalls. This flaw affects firewalls running Fireware OS 11.x and later, 12.x or later, and 2025.1 up to and including 2025.1.3. The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely. WatchGuard has observed active exploitation in the wild and provided a temporary workaround for organizations that cannot immediately patch their devices. The company also shared indicators of compromise to help customers check for signs of malicious activity. On December 22, 2025, Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day. CISA added CVE-2025-14733 to its KEV Catalog and ordered FCEB agencies to patch Firebox firewalls within a week, by December 26th.
Sources:
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
13.11.2025 09:23 3 articles · 1mo ago
CISA adds CVE-2025-9242 to KEV catalog due to active exploitation
CISA has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog and has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until December 3, to secure their systems against ongoing attacks as mandated by the Binding Operational Directive (BOD) 22-01. WatchGuard released security patches to address the vulnerability on September 17, but only tagged it as exploited in attacks almost one month later, on October 21. The number of vulnerable Firebox appliances worldwide has fallen to just over 54,000, according to Shadowserver's latest statistics, most of them located in Europe and North America.
Sources:
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
-
18.09.2025 11:23 6 articles · 3mo ago
WatchGuard releases patches for critical out-of-bounds write vulnerability in Firebox firewalls
The vulnerability affects mobile user VPN with IKEv2 and the branch office VPN (BOVPN) using IKEv2 when configured with a dynamic gateway peer. The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025. As of November 12, 2025, over 54,300 Firebox instances remain vulnerable, with the U.S. having the highest number of vulnerable devices at 18,500.
Sources:
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
Information Snippets
-
The vulnerability, CVE-2025-9242, is an out-of-bounds write flaw that allows remote code execution.
First reported: 18.09.2025 11:23 · 3 sources, 7 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Affected Firebox firewalls are running Fireware OS 11.x, 12.x, and 2025.1.
First reported: 18.09.2025 11:23 · 3 sources, 8 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability is present in devices configured to use IKEv2 VPN.
First reported: 18.09.2025 11:23 · 3 sources, 8 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Devices may remain vulnerable even if the IKEv2 VPN configurations have been deleted.
First reported: 18.09.2025 11:23 · 3 sources, 6 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Patches are available in versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1.
First reported: 18.09.2025 11:23 · 2 sources, 6 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
A temporary workaround involves disabling dynamic peer BOVPNs and configuring new firewall policies.
First reported: 18.09.2025 11:23 · 1 source, 5 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability is not yet being exploited in the wild.
First reported: 18.09.2025 11:23 · 2 sources, 4 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
WatchGuard collaborates with over 17,000 security resellers and service providers to protect more than 250,000 small and mid-sized companies worldwide.
First reported: 18.09.2025 11:23 · 1 source, 2 articles
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability is tracked as CVE-2025-9242 with a CVSS score of 9.3.
First reported: 17.10.2025 12:25 · 2 sources, 3 articles
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1.
First reported: 17.10.2025 12:25 · 3 sources, 4 articles
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The flaw is present in the function 'ike2_ProcessPayload_CERT' in the file 'src/ike/iked/v2/ike2_payload_cert.c'.
First reported: 17.10.2025 12:25 · 3 sources, 3 articles
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The issue arises due to a missing length check on the identification buffer, allowing an attacker to trigger an overflow during the IKE_SA_AUTH phase.
First reported: 17.10.2025 12:25 · 2 sources, 4 articles
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability can be exploited to gain control of the instruction pointer register and spawn a Python interactive shell over TCP.
First reported: 17.10.2025 12:25 · 2 sources, 3 articles
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
WatchTowr Labs described the vulnerability as having characteristics that ransomware gangs would exploit, including affecting an internet-exposed service and being exploitable without authentication.
First reported: 17.10.2025 12:25 · 2 sources, 4 articles
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Over 75,000 WatchGuard Firebox devices are exposed on the public web and vulnerable to CVE-2025-9242.
First reported: 20.10.2025 20:42 · 2 sources, 5 articles
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The United States has the highest number of vulnerable devices, with 24,500 endpoints.
First reported: 20.10.2025 20:42 · 1 source, 4 articles
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Germany, Italy, the United Kingdom, Canada, and France also have significant numbers of vulnerable devices.
First reported: 20.10.2025 20:42 · 1 source, 4 articles
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The Shadowserver Foundation detected 75,955 vulnerable Firebox firewalls on October 19, 2025.
First reported: 20.10.2025 20:42 · 2 sources, 5 articles
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability is tracked as CVE-2025-9242 with a CVSS4.0 score of 9.3.
First reported: 21.10.2025 13:42 · 2 sources, 2 articles
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability affects mobile user VPN with IKEv2 and the branch office VPN (BOVPN) using IKEv2 when configured with a dynamic gateway peer.
First reported: 21.10.2025 13:42 · 3 sources, 3 articles
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025.
First reported: 21.10.2025 13:42 · 2 sources, 4 articles
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
CISA added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog on November 13, 2025, based on evidence of active exploitation.
First reported: 13.11.2025 09:23 · 2 sources, 4 articles
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
As of November 12, 2025, over 54,300 Firebox instances remain vulnerable to the critical bug, down from a high of 75,955 on October 19, 2025.
First reported: 13.11.2025 09:23 · 2 sources, 4 articles
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Roughly 18,500 of these vulnerable devices are in the U.S., with Italy (5,400), the U.K. (4,000), Germany (3,600), and Canada (3,000) rounding out the top five.
First reported: 13.11.2025 09:23 · 2 sources, 4 articles
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025.
First reported: 13.11.2025 09:23 · 2 sources, 4 articles
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks — thehackernews.com — 13.11.2025 09:23
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
CISA has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog and has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until December 3, to secure their systems against ongoing attacks as mandated by the Binding Operational Directive (BOD) 22-01.
First reported: 13.11.2025 12:03 · 1 source, 3 articles
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
WatchGuard released security patches to address the vulnerability on September 17, but only tagged it as exploited in attacks almost one month later, on October 21.
First reported: 13.11.2025 12:03 · 1 source, 3 articles
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The number of vulnerable Firebox appliances worldwide has fallen to just over 54,000, according to Shadowserver's latest statistics, most of them located in Europe and North America.
First reported: 13.11.2025 12:03 · 1 source, 3 articles
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The Akira ransomware gang has been actively exploiting CVE-2024-40766, a year-old critical-severity vulnerability, to hack into SonicWall firewalls since September 2024.
First reported: 13.11.2025 12:03 · 1 source, 3 articles
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
In April 2022, CISA also ordered federal civilian agencies to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.
First reported: 13.11.2025 12:03 · 1 source, 3 articles
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability, CVE-2025-14733, affects firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
First reported: 19.12.2025 12:25 · 1 source, 2 articles
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely on unpatched devices, following successful exploitation in low-complexity attacks that don't require user interaction.
First reported: 19.12.2025 12:25 · 1 source, 2 articles
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild.
First reported: 19.12.2025 12:25 · 1 source, 2 articles
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The company provided a temporary workaround for organizations that can't immediately patch devices with vulnerable Branch Office VPN (BOVPN) configurations, requiring admins to disable dynamic peer BOVPNs, add new firewall policies, and disable the default system policies that handle VPN traffic.
First reported: 19.12.2025 12:25 · 1 source, 2 articles
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
WatchGuard shared indicators of compromise to help customers check whether their Firebox devices have been compromised, and advised those who find any signs of malicious activity to rotate all locally stored secrets on vulnerable appliances.
First reported: 19.12.2025 12:25 · 1 source, 2 articles
- New critical WatchGuard Firebox firewall flaw exploited in attacks — www.bleepingcomputer.com — 19.12.2025 12:25
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Over 115,000 WatchGuard Firebox devices remain unpatched against the critical RCE vulnerability CVE-2025-14733.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
The vulnerability affects Firebox firewalls running Fireware OS 11.x and later, 12.x or later, and 2025.1 up to and including 2025.1.3.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
WatchGuard has shared indicators of compromise to help customers identify compromised Firebox appliances.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
CISA added CVE-2025-14733 to its Known Exploited Vulnerabilities (KEV) Catalog on the day after WatchGuard released patches.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
CISA ordered Federal Civilian Executive Branch (FCEB) agencies to patch Firebox firewalls within a week, by December 26th.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
-
In September, WatchGuard patched an almost identical RCE vulnerability (CVE-2025-9242) impacting Firebox firewalls.
First reported: 22.12.2025 11:00 · 1 source, 1 article
- Critical RCE flaw impacts over 115,000 WatchGuard firewalls — www.bleepingcomputer.com — 22.12.2025 11:00
Similar Happenings
Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)
WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.
Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances
Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco recommends securing and restricting access to vulnerable appliances and advises customers to contact TAC for further assistance. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.
Fortinet FortiWeb Vulnerabilities Exploited in the Wild
Fortinet has disclosed a new medium-severity vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited. This vulnerability, with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The flaw was patched in version 8.0.2. Additionally, Fortinet silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in the same version. Exploitation campaigns have been observed chaining these vulnerabilities to facilitate authentication bypass and command injection. Fortinet's handling of these disclosures has been criticized for its delayed and fragmented approach. This development highlights the ongoing risks associated with unpatched vulnerabilities in network security appliances and the importance of timely and transparent disclosure practices.
Active Exploitation of Critical Microsoft WSUS Flaw
A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.