TL;DR
WatchGuard has patched seven WatchGuard Firebox vulnerabilities in its Fireware OS. The worst, CVE-2026-13368 (CVSS 9.2), lets a remote unauthenticated attacker run code on affected appliances. WatchGuard reports no exploitation in the wild, and no public proof-of-concept exists.
Why It Matters
Firebox appliances guard the network edge for many small and mid-sized firms, so a pre-auth flaw on this device exposes the whole perimeter. The critical bug needs no credentials, so any internet-facing Mobile VPN with IKEv2 endpoint becomes a target. The other six flaws still deserve fast action, because they enable code execution or file tampering. Firewalls are prime targets, since one foothold can expose an entire internal network. Attackers also favor these devices for persistence, because admins rarely rebuild them.
How the Attacks Work
Critical: Unauthenticated Code Execution
CVE-2026-13368 is a race condition that leads to a use-after-free in the iked process. It affects the Mobile VPN with IKEv2 when it uses an external LDAP authentication server. An attacker triggers the flaw remotely, then runs code in that process context.
High-Severity: Authenticated Flaws
Six further Firebox vulnerabilities require an authenticated privileged user. Three are out-of-bounds writes in the ikestubd (CVE-2026-13383), wgagent (CVE-2026-13384), and networkd (CVE-2026-13050) processes. Each allows code execution through crafted requests to the Management Web UI. A path traversal bug (CVE-2026-13054) permits arbitrary file writes. Meanwhile, a firmware validation bypass (CVE-2026-13722) lets an admin install tampered firmware. Finally, an SSL VPN Windows client flaw (CVE-2026-13079) escalates a local user to SYSTEM.
Affected Versions
Most bugs affect Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2. The exact range varies by advisory. The 11.x branch has reached end of life, so it stays unpatched.
Patch and Mitigation Steps
Update Fireware OS to 2026.2.1, or to 12.12.1 on the 12.x branch. The Mobile VPN with SSL client for Windows moves to version 2026.2.1. Note that 12.5.x on T15 and T35 models stays unresolved, so those users need extra care. Review each entry on the official WatchGuard PSIRT advisories page. Prioritize the critical IKEv2 flaw first, since it faces the internet without a login. Admins should also restrict Management Web UI access to trusted networks. These WatchGuard Firebox vulnerabilities carry no confirmed attacks yet, but the critical rating leaves little room to wait.
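The version ranges and target releases above make a fleet check straightforward. The helper below is an added example, not WatchGuard tooling and not from the original post; it assumes the ranges and fixed releases exactly as stated in this write-up, which should be confirmed against the PSIRT advisories before acting.

```python
"""Triage Fireware OS versions against the affected ranges stated in this write-up.
Assumption: the ranges and fixed releases below are copied from the text above,
not from WatchGuard tooling; confirm each against the PSIRT advisories."""
import re
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    branch: str
    affected: bool
    fixed_in: Optional[str]  # None: the write-up names no fixed release


def parse_version(text: str) -> tuple:
    """'11.12.4_Update1' -> (11, 12, 4, 1); '12.12' -> (12, 12, 0, 0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad so 12.12 compares as 12.12.0
    return tuple(parts[:3]) + (int(m.group(2) or 0),)


# (branch label, lowest affected, highest affected, fixed release or None).
# 12.5.x is listed before 12.x because the write-up says it stays unresolved
# on T15/T35 models, so a 12.5.x reading needs a manual decision.
AFFECTED_RANGES = [
    ("11.x (end of life)", "11.0", "11.12.4_Update1", None),
    ("12.5.x (T15/T35)", "12.5", "12.5.18", None),
    ("12.x", "12.0", "12.12", "12.12.1"),
    ("2025.x/2026.x", "2025.1", "2026.2", "2026.2.1"),
]


def assess(version: str) -> Verdict:
    """Map one appliance version to its branch, exposure and target release."""
    v = parse_version(version)
    for label, low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return Verdict(label, True, fixed)
    return Verdict("unlisted", False, None)


def triage(inventory: dict) -> dict:
    """Return {host: Verdict} for every appliance still on an affected release."""
    return {h: assess(ver) for h, ver in inventory.items() if assess(ver).affected}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    fleet = {"fw-hq": "12.11", "fw-branch": "12.5.18", "fw-lab": "2026.2.1"}
    for host, verdict in triage(fleet).items():
        print(host, verdict)
```

Feed it the version strings your inventory or monitoring already collects; hosts with `fixed_in` of None need a manual decision (replace end-of-life 11.x hardware, isolate or watch 12.5.x T15/T35 units).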