TL;DR
WatchGuard has confirmed active exploitation of a critical remote code execution flaw in Firebox firewalls (CVE-2025-32978) and urged customers to apply firmware updates. The vulnerability affects the Fireware OS IKE service and can be triggered without authentication when devices are reachable from the internet.
What happened
WatchGuard issued an urgent advisory after identifying a critical remote code execution vulnerability in its Firebox appliances. Tracked as CVE-2025-32978 and carrying a severity score of 9.3, the flaw resides in the Fireware OS Internet Key Exchange (IKE) service and permits unauthenticated attackers to execute arbitrary commands on exposed devices. The vendor confirmed active exploitation and published indicators of compromise to help customers verify whether their appliances were targeted. The issue affects Fireboxes configured for the mobile user VPN with IKEv2 and branch office VPNs using IKEv2 with a dynamic gateway peer; devices that have had those settings removed may still be vulnerable if a branch office VPN to a static gateway peer remains configured. WatchGuard released firmware updates that it says fully remediate the bug and provided a temporary workaround for organizations that cannot patch immediately.
Why it matters
- Firewalls operate at the network perimeter with broad visibility and high privileges; compromise can expose traffic, credentials, VPN links and downstream systems.
- Unauthenticated remote code execution means attackers can gain control without valid credentials if devices are reachable from the internet.
- Firewall flaws are often scanned and weaponized quickly, reducing the window organizations have to detect and patch.
- Active exploitation and published indicators raise the risk that more networks could be scanned and chained with weak configurations for wider intrusions.
Key facts
- Vulnerability identifier: CVE-2025-32978, severity score reported as 9.3.
- Affected component: Fireware OS Internet Key Exchange (IKE) service on WatchGuard Firebox devices.
- Exploit type: unauthenticated remote code execution — attackers can run arbitrary commands remotely.
- WatchGuard confirmed active exploitation and released indicators of compromise (IoCs).
- Immediate remediation: apply the latest WatchGuard firmware updates, which the vendor says fully address the issue.
- Mitigation: WatchGuard has also provided a temporary workaround for customers unable to patch immediately.
- Configurations at risk: mobile user VPN with IKEv2 and branch office VPN using IKEv2 with a dynamic gateway peer; deleted configs may not fully remove risk if a branch office VPN to a static gateway peer is still present.
- WatchGuard has not attributed the current activity to any specific threat actor.
- Related context: prior critical Firebox flaws have been exploited in the wild, including an earlier incident involving CVE-2022-26318 that Amazon attributed to GRU-linked actors, and another Fireware OS bug (CVE-2025-9242) that was added to CISA's Known Exploited Vulnerabilities list.
What to watch next
- Apply WatchGuard’s released firmware updates as the primary remediation and confirm successful installation.
- Use the vendor’s published indicators of compromise to scan devices and network logs for signs of compromise.
- Monitor WatchGuard advisories and CISA/other government security bulletins for further updates or additional mitigations.
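The advisory's precondition is that the IKE service is reachable from the internet, so the first check an operator wants is whether a given Firebox WAN address answers IKEv2 at all. The script below is an added example written for this page, not code from WatchGuard or from the article; it builds a minimal IKE_SA_INIT request from RFC 7296 and treats any IKE_SA_INIT response that echoes the initiator SPI, including an error notify such as NO_PROPOSAL_CHOSEN, as proof the service is exposed. The KE payload carries random placeholder bytes rather than a real Diffie-Hellman value (assumption: a responder that validates it still replies with a notify), only UDP/500 is probed (UDP/4500 NAT-T framing is not handled), and the replies used in the self-test are constructed, not captured from a device. Run it only against hosts you are authorised to test; a positive result means the service is reachable, not that the device is unpatched.

```python
"""Check whether a host answers IKEv2 on UDP/500 (reachability probe, not an exploit).

Added example for this page; not WatchGuard's or the article's code. It builds a
minimal IKE_SA_INIT request per RFC 7296 and classifies the reply. The replies
used in the offline self-test are constructed, not captured from a real device.
"""
import os
import socket
import struct

IKE_SA_INIT = 34                                   # exchange type
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 33, 34, 40, 41
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
IKE_VERSION_2_0 = 0x20                             # major 2, minor 0
NOTIFY_NAMES = {
    7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
    16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
    16390: "COOKIE",
}


def _payload(next_payload, body):
    """Generic payload header: next payload type, critical bit/reserved, total length."""
    return struct.pack(">BBH", next_payload, 0, 4 + len(body)) + body


def build_ike_sa_init(spi_i=None):
    """IKE_SA_INIT request: 28-byte header + SA (one proposal) + KE + Nonce."""
    spi_i = spi_i or os.urandom(8)
    # (transform type, transform ID, attributes): AES-CBC-256 / PRF-HMAC-SHA256 /
    # HMAC-SHA256-128 / 2048-bit MODP. Transform type 1=ENCR 2=PRF 3=INTEG 4=DH.
    transforms = [
        (1, 12, struct.pack(">HH", 0x800E, 256)),  # ENCR_AES_CBC + key-length attribute
        (2, 5, b""),                                # PRF_HMAC_SHA2_256
        (3, 12, b""),                               # AUTH_HMAC_SHA2_256_128
        (4, 14, b""),                               # 2048-bit MODP group
    ]
    t_bytes = b""
    for i, (ttype, tid, attrs) in enumerate(transforms):
        more = 0 if i == len(transforms) - 1 else 3     # 3 = another transform follows
        t_bytes += struct.pack(">BBHBBH", more, 0, 8 + len(attrs), ttype, 0, tid) + attrs
    # proposal: last(0), reserved, length, proposal #1, protocol IKE(1), SPI size 0, count
    proposal = struct.pack(">BBHBBBB", 0, 0, 8 + len(t_bytes), 1, 1, 0, len(transforms)) + t_bytes
    sa = _payload(PAYLOAD_KE, proposal)
    # Placeholder KE data (assumption: random bytes, not a real DH public value) is enough
    # for a reachability probe; a responder that validates it still answers with a notify.
    ke = _payload(PAYLOAD_NONCE, struct.pack(">HH", 14, 0) + os.urandom(256))
    nonce = _payload(0, os.urandom(32))
    body = sa + ke + nonce
    header = struct.pack(">8s8sBBBBII", spi_i, bytes(8), PAYLOAD_SA, IKE_VERSION_2_0,
                         IKE_SA_INIT, FLAG_INITIATOR, 0, 28 + len(body))
    return header + body


def parse_ike_header(data):
    """Decode the fixed IKE header; raises ValueError on a short datagram."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(">8s8sBBBBII", data[:28])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": nxt, "major": ver >> 4,
            "minor": ver & 0xF, "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


def walk_payloads(data, first_type):
    """Follow the next-payload chain; return [(payload type, body)], stopping at bad lengths."""
    out, off, ptype = [], 28, first_type
    while ptype != 0 and off + 4 <= len(data):
        nxt, _, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            break                                   # truncated or malformed payload length
        out.append((ptype, data[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    return out


def classify_reply(request, reply):
    """Any IKE_SA_INIT response carrying our SPIi, even an error notify, means IKE is reachable."""
    req = parse_ike_header(request)
    try:
        rep = parse_ike_header(reply)
    except ValueError:
        return {"reachable": False, "reason": "no or short reply"}
    if rep["spi_i"] != req["spi_i"]:
        return {"reachable": False, "reason": "SPIi mismatch: not a reply to our request"}
    if rep["exchange"] != IKE_SA_INIT or not rep["flags"] & FLAG_RESPONSE:
        return {"reachable": False, "reason": "not an IKE_SA_INIT response"}
    notifies = []
    for ptype, body in walk_payloads(reply, rep["next_payload"]):
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:
            ntype = struct.unpack(">BBH", body[:4])[2]   # protocol, SPI size, notify type
            notifies.append(NOTIFY_NAMES.get(ntype, str(ntype)))
    return {"reachable": True, "ike_version": f'{rep["major"]}.{rep["minor"]}', "notifies": notifies}


def probe(host, port=500, timeout=3.0):
    """Send one IKE_SA_INIT to host:port and classify the reply (needs network access)."""
    req = build_ike_sa_init()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"reachable": False, "reason": "timeout: filtered, or no IKE listener"}
    return classify_reply(req, reply)


def make_synthetic_reply(request, notify_type=None):
    """Constructed responder reply for offline tests (not a capture from a real device)."""
    spi_i = parse_ike_header(request)["spi_i"]
    body = b"" if notify_type is None else _payload(0, struct.pack(">BBH", 1, 0, notify_type))
    first = 0 if notify_type is None else PAYLOAD_NOTIFY
    return struct.pack(">8s8sBBBBII", spi_i, os.urandom(8), first, IKE_VERSION_2_0,
                       IKE_SA_INIT, FLAG_RESPONSE, 0, 28 + len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                   # live probe of an address you own
    else:
        req = build_ike_sa_init()
        print(classify_reply(req, make_synthetic_reply(req, 14)))
```

A timeout does not prove the service is unreachable (a rate limiter or a cookie challenge can delay the reply), but a decoded response with the initiator SPI echoed back is conclusive. A Firebox that replies here from an untrusted network has the IKE service the advisory describes exposed and should be on the patch-first list.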
Quick glossary
- Remote Code Execution (RCE): A type of vulnerability that allows an attacker to run arbitrary commands or code on a target system from a remote location.
- Internet Key Exchange (IKE): A protocol used to set up secure, authenticated communications (often for VPNs) by negotiating and establishing cryptographic keys.
- Firewall: A network device or software that enforces security policies by monitoring and controlling incoming and outgoing network traffic at network boundaries.
- Indicator of Compromise (IoC): Artifacts or forensic traces, such as IP addresses, filenames or registry keys, that suggest a system has been breached.
- Firmware update: A vendor-supplied software update for device firmware that fixes bugs, patches vulnerabilities, or adds features.
Reader FAQ
Has WatchGuard confirmed active exploitation?
Yes. WatchGuard reported that CVE-2025-32978 is being exploited in the wild and published IoCs.
Is there a patch available?
Yes. WatchGuard released firmware updates that it states fully address the vulnerability.
Has WatchGuard attributed the attacks to a specific threat actor?
WatchGuard has not linked the current exploitation to any specific actor.
What should organizations do if they cannot patch immediately?
WatchGuard provided a temporary workaround for organizations unable to apply the firmware straight away.
Have WatchGuard firewalls been exploited before?
Yes. The source notes earlier incidents, including an exploitation of CVE-2022-26318 reported by Amazon as tied to GRU-linked actors.

WatchGuard sounds alarm as critical Firebox flaw comes under active attack. Newly disclosed vulnerability already being abused, users urged to lock down exposed firewalls. Carly Page, Fri 19 Dec 2025 //…
Sources
- WatchGuard sounds alarm as critical Firebox flaw comes under active attack
- WatchGuard Firebox iked Out of Bounds Write Vulnerability
- CVE-2025-14733 Vulnerability: WatchGuard Addresses a …
- WatchGuard warns critical flaw in Firebox devices facing …