This e-mail comes from outside the organisation; let us stay vigilant.
=====================================================================
CERT-Renater Note d'Information No. 2025/VULN885
_____________________________________________________________________
DATE : 19/12/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Fireware OS versions prior to 2025.1.4, 12.11.6,
12.5.15, 12.3.1_Update4 (B728352).
=====================================================================

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
_____________________________________________________________________

WatchGuard Firebox iked Out of Bounds Write Vulnerability

Advisory ID           WGSA-2025-00027
CVE                   CVE-2025-14733
Impact                Critical
Status                Resolved
Product Family        Firebox
Published Date        2025-12-18
Updated Date          2025-12-19
Workaround Available  False
CVSS Score            9.3
CVSS Vector           CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red

Summary

An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.

If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.

WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild.

Indicators of Attack

We are providing the following Indicators of Attack (IoAs) to help device owners identify potential attempts to exploit this vulnerability against vulnerable Firebox appliances. These IoAs are only applicable on devices that lack the resolution described later in this advisory.
IP Addresses

The following IP addresses are directly associated with known threat actor activity. These are a strong indicator of attack:

45.95.19[.]50
51.15.17[.]89
172.93.107[.]67
199.247.7[.]82

Logs

Invalid peer certificate chain

With the iked diagnostic logging set to the default error logging level, the iked process generates a log message when the Firebox receives an IKE2 Auth payload with more than 8 certificates. This is a medium indicator of attack that the WatchGuard Threat Lab has observed associated with some threat actor activity.

1970-01-01 01:00:00 2025 Firebox-Name local3.err iked[2938]: (203.0.113.1<->203.0.113.2) Received peer certificate chain is longer than 8. Reject this certificate chain

Abnormally large IKE_AUTH request CERT payload

With the iked diagnostic logging set to the info logging level, the iked process generates a log message for each IKE_AUTH request message the Firebox receives. An IKE_AUTH request log message whose CERT payload is abnormally large (greater than 2000 bytes) is a strong indicator of attack.

1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads [ IDi(sz=21) CERT(sz=3000) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]

Device Behavior

IKE process hang

During a successful exploit, the IKED process (responsible for handling IKE negotiations) hangs, interrupting VPN tunnel negotiations and re-keys. Existing tunnels may continue to pass traffic. This is a strong indicator of attack.

IKE process crash

After a failed or successful exploit, the IKED process crashes and generates a fault report on the Firebox. Be aware that other situations can also cause the IKED process to crash. This is a weak indicator of attack.

Affected

This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5, and 2025.1 up to and including 2025.1.3.
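As an added detection example, not part of the CERT-Renater or WatchGuard advisory, the following Python script applies the two log-based IoAs above (chain-length rejection, IKE_AUTH CERT payload over 2000 bytes) and the advisory's IP watchlist to Firebox iked log lines. The sample log is constructed from the lines quoted above plus a benign request, and the rule that a listed peer IP raises any line to a strong finding is this example's own assumption.

```python
import re
from dataclasses import dataclass

# Log-based IoAs from the advisory: default-level chain rejection and info-level IKE_AUTH summary.
CHAIN_RE = re.compile(r"Received peer certificate chain is longer than 8")
AUTH_RE = re.compile(r'"IKE_AUTH request" message has \d+ payloads \[(?P<payloads>[^\]]*)\]')
CERT_SZ_RE = re.compile(r"\bCERT\(sz=(\d+)\)")
PEER_RE = re.compile(r"\([\d.]+<->(?P<peer>[\d.]+)\)")  # "(local<->peer)" in iked lines
CERT_SIZE_THRESHOLD = 2000
# IP watchlist from the advisory, written undefanged so it can be compared to log peers.
KNOWN_BAD_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}

@dataclass
class Finding:
    peer: str
    strength: str   # "medium" or "strong", following the advisory's classification
    reason: str

def scan_line(line: str):
    """Classify one Firebox iked log line; None means no IoA matched."""
    m = PEER_RE.search(line)
    peer = m["peer"] if m else "unknown"
    reasons, strength = [], None
    if CHAIN_RE.search(line):
        reasons.append("peer certificate chain longer than 8")
        strength = "medium"
    m = AUTH_RE.search(line)
    if m:
        sizes = [int(s) for s in CERT_SZ_RE.findall(m["payloads"])]
        if sizes and max(sizes) > CERT_SIZE_THRESHOLD:
            reasons.append(f"IKE_AUTH CERT payload of {max(sizes)} bytes")
            strength = "strong"
    # Assumption of this example: a peer on the advisory's IP list makes any line strong.
    if peer in KNOWN_BAD_IPS:
        reasons.append("peer IP listed in the advisory")
        strength = "strong"
    return Finding(peer, strength, "; ".join(reasons)) if reasons else None

def scan_log(text: str) -> list:
    """Return the findings for every line of a log excerpt, in order."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]

# Constructed sample: the two lines quoted in the advisory plus one benign request (small CERT, unlisted peer).
SAMPLE_LOG = """\
1970-01-01 01:00:00 2025 Firebox-Name local3.err iked[2938]: (203.0.113.1<->203.0.113.2) Received peer certificate chain is longer than 8. Reject this certificate chain
1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads [ IDi(sz=21) CERT(sz=3000) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]
1970-01-01 01:00:01 iked (203.0.113.1<->198.51.100.7)"IKE_AUTH request" message has 6 payloads [ IDi(sz=21) CERT(sz=1200) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]
"""
```

Running `scan_log(SAMPLE_LOG)` yields one medium finding for the chain rejection and one strong finding for the 3000-byte CERT payload; the 1200-byte request produces nothing.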
Resolution

Vulnerable Version                  Resolved Version
2025.1                              2025.1.4
12.x                                12.11.6
12.5.x (T15 & T35 models)           12.5.15
12.3.1 (FIPS-certified release)     12.3.1_Update4 (B728352)
11.x                                End of Life

In addition to installing the latest Fireware OS that contains the fix, administrators who have confirmed threat actor activity on their Firebox appliances must take precautions to rotate all locally stored secrets on the vulnerable Firebox appliances, as described in our Best Practices to Rotate Shared Secrets Stored on the Firebox knowledge base article.

Workaround

If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard's recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.

Advisory Product List

Product Family   Product Branch        Product List
Firebox          Fireware OS 12.5.x    T15, T35
Firebox          Fireware OS 2025.1.x  T115-W, T125, T125-W, T145, T145-W, T185
Firebox          Fireware OS 12.x      T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris         | email:cert@support.renater.fr    +
=========================================================