## https://sploitus.com/exploit?id=73EEBE51-AE2F-5F47-A126-A797684DC8DA
# CVE-2025-14733 โ WatchGuard Firebox iked Out-of-Bounds Write Analysis
## Overview
| Field | Detail |
|-------|--------|
| **CVE** | CVE-2025-14733 |
| **CVSS** | 9.8 (Critical) |
| **Type** | CWE-787: Out-of-bounds Write |
| **Component** | `iked` โ IKEv2 daemon on WatchGuard Firebox |
| **Attack Vector** | Network / Remote / Unauthenticated |
| **Prerequisite** | IKEv2 VPN configured with dynamic gateway peer |
| **Affected** | Fireware OS 11.10.2 through 12.11.5, 2025.1 through 2025.1.3 |
| **Fixed In** | Fireware v2025.1.4, v12.11.6, v12.5.15, v12.3.1_Update4 |
| **CISA KEV** | Added December 19, 2025 |
## Description
An out-of-bounds write vulnerability exists in the `iked` process of WatchGuard Fireware OS. A remote, unauthenticated attacker can send a specially crafted IKEv2 packet to achieve arbitrary code execution on the Firebox appliance. The vulnerability is in the IKE_SA_INIT request processing path and affects both Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.
## References
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-14733)
- [WatchGuard Advisory WGSA-2025-00027](https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027)
- [BleepingComputer Coverage](https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
## Binary Analysis
Analysis performed on `iked` extracted from Fireware OS 12.10.3 (Build 694994) for the M440 platform (Lanner UP-2010 hardware).
### Binary Properties
```
File: ELF 64-bit LSB executable, x86-64
Compiler: GCC 6.5.0 (crosstool-NG 1.23.0.580-eb72b4e)
Linked: Dynamically linked
Stripped: Yes
Size: 2,456,952 bytes (2.4 MB)
```
### Security Mitigations
| Protection | Status | Notes |
|------------|--------|-------|
| NX (DEP) | Enabled | Stack is not executable |
| Stack Canary | **Disabled** | No stack overflow detection |
| PIE (ASLR) | **Disabled** | Fixed base address `0x400000` โ EXEC, not DYN |
| RELRO | Partial | GOT is writable |
| Sanitizers | None | No ASAN/UBSAN |
The lack of stack canaries and PIE/ASLR significantly reduces the difficulty of exploitation. Fixed addresses mean ROP gadget locations are deterministic across all installations running the same firmware version.
### Shared Library Dependencies
```
librsu_prepsa.so librsu_tsl.so librsu_lists.so
libvpnapi.so libssl.so.1.1 libsasl2.so.3
libldapcli.so libpthread.so.0 libcrypt.so.1
libcrypto.so.1.1 libwgipc.so libnl-3.so.200
libm.so.6 librt.so.1 libwgapi.so
libdatastruct.so libusertools.so libwglog.so
liblogxlate.so libwgidmap.so libcfgapi.so
libosysrtdom.so libosysdomapi.so libosysrtxml.so
libosysrt.so libiconv.so.2 libz.so.1
```
### Memory Functions Used
```
memcpy@GLIBC_2.14 memmove@GLIBC_2.2.5
malloc@GLIBC_2.2.5 calloc@GLIBC_2.2.5
realloc@GLIBC_2.2.5 hs_malloc (custom)
hs_free (custom) vpn_vchar_calloc (custom)
```
## Key Functions Identified
### IKEv2 SA_INIT Processing
The main entry point for IKE_SA_INIT request handling:
```
Function: ike2_Process_SAInit_Request
Address: 0x0054cbb0
Source: src/ike/iked/v2/ike2_IkeSAInit.c
```
This function handles incoming IKE_SA_INIT messages and dispatches to payload-specific parsers. It validates message state, checks negotiation role, and processes SA, KE, Nonce, and Notify payloads.
### Payload Processing Functions
Functions identified via string references in the binary:
**IKEv2 Parsers (input processing โ attack surface):**
```
ike2_parse_SA_Payload โ SA payload parser
ike2_parse_Attributes โ Transform attribute parser
ike2_ParsePayload_TS โ Traffic Selector parser
ike2_ParsePayload_DELETE โ Delete payload parser
ike2_ParsePayload_EAP โ EAP payload parser
ike2_ParsePayload_NOTIFY โ Notify payload parser
```
**IKEv1 KE Processing (shared code path):**
```
IkeInKeyXchgProcess โ Key Exchange payload processor
Source strings:
- "Invalid length in ECDH P1 KE Payload - %d"
- "Invalid length in ECDH P2 KE Payload %d"
- "Invalid length in P1 KE Payload - %d"
- "Invalid length in P2 KE Payload - %d"
```
**IKEv2 Builders (output โ less relevant):**
```
ike2_BuildPayload_SA ike2_BuildPayload_KE
ike2_BuildPayload_NONCE ike2_BuildPayload_NOTIFY
ike2_BuildPayload_Proposal ike2_BuildPayload_ID
ike2_BuildPayload_AUTH ike2_BuildPayload_CERT
ike2_BuildPayload_EAP ike2_BuildPayload_CFG
ike2_BuildPayload_DELETE ike2_BuildPayload_IkeHeader
```
**Notification Handlers:**
```
ike2_ProcessPayload_NOTIFY_COOKIE
ike2_ProcessPayload_NOTIFY_COOKIE2
ike2_ProcessPayload_NOTIFY_INVALID_KE
ike2_ProcessPayload_NOTIFY_NATD
ike2_ProcessPayload_NOTIFY_INVALID_SPI
ike2_ProcessPayload_NOTIFY_INVALID_SYNTAX
ike2_ProcessPayload_NOTIFY_AUTHENTICATION_FAILED
ike2_ProcessPayload_NOTIFY_INITIAL_CONTACT
ike2_ProcessPayload_NOTIFY_TS_UNACCEPTABLE
ike2_ProcessPayload_NOTIFY_NO_PROPOSAL_CHOSEN
ike2_ProcessPayload_NOTIFY_TEMPORARY_FAILURE
ike2_ProcessPayload_NOTIFY_CHILD_SA_NOT_FOUND
ike2_ProcessPayload_NOTIFY_INVALID_MAJOR_VERSION
ike2_ProcessPayload_NOTIFY_INVALID_MESSAGE_ID
ike2_ProcessPayload_NOTIFY_UNSUPP_CRIT_PAYLOAD
ike2_ProcessPayload_NOTIFY_AZURE_ERR
```
### Dynamic Gateway Peer Code
The vulnerability requires IKEv2 with a dynamic gateway peer configuration. Relevant strings:
```
"%sikePcy(%s) learned the dynamic peer ip as %s"
"%smainCb.numBVpnIkePcyWithDynamicPeer: %d reply->numBVpnIkePcyWithDynamicPeer:%d"
"%s%s: peer use dynamic IP, trying to use DNS to resolve peer IP"
"%sBOVPN no need to download SPs - dynamic peer ip(%s), ikePcy(%s)"
"%sdynamic peer ip for '%s' is changed (oldIP=%s, newIP=%s)"
```
## Length Validation Strings
These error messages reveal where the binary performs (or fails to perform) bounds checking:
```
"payload length:%d is larger than remaining message length:%d. Malformed packet!"
"peer %s sent payload length 0"
"the payload length(%u) is smaller than the payload header"
"illegal payload length(%u) total=%u"
"buffer too small. got: %zu required %zu"
"message size %u doesn't match the length field in the header %u)."
"message total length(%u) is smaller than the header size."
"DELETE payload length is smaller than expected (%u total length(%u)"
"proposal[#%u]'s transfrom[#%u]'s attribute[#%u]: invalid length (%d < %d)"
"Invalid length in ECDH P1 KE Payload - %d"
"Invalid length in ECDH P2 KE Payload %d"
"Invalid length in P1 KE Payload - %d"
"Invalid length in P2 KE Payload - %d"
"FULL BUFFER"
```
The presence of many length checks suggests WatchGuard was aware of parsing risks. The vulnerability exists where a check was **missing** or **insufficient** โ likely in a code path specific to the dynamic gateway peer configuration.
## IKE_SA_INIT Handler Disassembly Notes
The function at `0x54cbb0` (`ike2_Process_SAInit_Request`):
1. Validates input pointers (rdi, rsi, rdx)
2. Reads negotiation state from `[rsi + 0x488]` (2-byte field โ exchange type)
3. Checks exchange type against 1 (IKE_SA_INIT) and 2 (IKE_AUTH)
4. For IKE_SA_INIT (type 1), enters the payload processing loop
5. Iterates through payload types starting at `[r15 + 0x74]` (payload type byte)
6. Uses payload type as index into a function pointer table at `[r15 + rcx*8 + 0x98]`
7. Calls logging via `wglog_trace_r` for debug output
The source file is confirmed as `src/ike/iked/v2/ike2_IkeSAInit.c` via embedded debug strings.
## Attack Surface
For this vulnerability to be exploitable on a target:
1. **IKEv2 VPN must be enabled** โ either Mobile VPN with IKEv2 or BOVPN with IKEv2
2. **Dynamic gateway peer** must be configured โ static peer-to-peer BOVPNs may not be affected
3. **UDP port 500 and/or 4500** must be reachable from the attacker
4. The attacker sends a crafted **IKE_SA_INIT** request โ no authentication required
## Exploitation Considerations
- **No PIE**: All code and data addresses are fixed โ ROP gadgets are at known locations
- **No canary**: Stack buffer overflows directly overwrite return addresses
- **Partial RELRO**: GOT entries can be overwritten to hijack function calls
- **NX enabled**: Shellcode cannot execute on the stack โ requires Return-Oriented Programming (ROP)
- **Multi-threaded**: `iked` links libpthread โ crashes in one thread may not kill the process
## Firmware Extraction
The `iked` binary was extracted from the Fireware OS update package:
```
Firmware: firebox_M440_12_10_3.zip
Format: WatchGuard sysa-dl (proprietary container)
Contents: gzip-compressed ext2 filesystem image
Binary: /usr/bin/iked (partition 3 root filesystem)
```
The sysa-dl format consists of:
- 24-byte header (MD5 + file_size + magic)
- Sections: REBOOT, info, sysa_gzip, WGPKG, SIGN, HMAC
- The `sysa_gzip` section contains the gzip-compressed ext2 disk image
## Remediation
**Immediate:** Update to Fireware v2025.1.4, v12.11.6, v12.5.15, or v12.3.1_Update4.
If updating is not possible:
- Disable IKEv2 VPN services if not required
- Restrict UDP 500/4500 access to known peer addresses only
- Monitor for anomalous IKE_SA_INIT traffic patterns
- Check for indicators of compromise per WatchGuard advisory
## Disclaimer
This analysis was performed for educational and defensive security research purposes on end-of-life hardware owned by the researcher. No exploit code is provided. The information is intended to help defenders understand the vulnerability and assess their exposure.
## License
This research documentation is provided as-is for informational purposes only.