Skip to main content

WatchGuard Fireware OS CVE-2026-13368

| EUVDEUVD-2026-41456 CRITICAL
Use After Free (CWE-416)
2026-07-02 WatchGuard GHSA-fp7c-rxxp-rx8q
9.2
CVSS 4.0 · Vendor: WatchGuard
Share

Severity by source

Vendor (WatchGuard) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Remote unauthenticated network reach (AV:N/PR:N/UI:N) but a hard-to-win memory race raises AC:H; full RCE in iked gives C/I/A:H with no scope change (SC/SI/SA=N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (WatchGuard).

CVSS VectorVendor: WatchGuard

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 23:52 vuln.today

DescriptionCVE.org

WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.

This vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2.

AnalysisAI

Remote code execution in WatchGuard Fireware OS affects Fireboxes running a Mobile User VPN with IKEv2 that authenticates against an external LDAP server. A race condition in the IKEv2 LDAP authentication path can be driven into a use-after-free (CWE-416) inside the iked daemon, letting a remote unauthenticated attacker execute arbitrary code in the context of that process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Firebox IKEv2 endpoint
Delivery
Initiate repeated IKEv2 negotiations
Exploit
Race LDAP auth to trigger use-after-free
Execution
Reuse freed object in iked
Impact
Execute arbitrary code as iked process

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Firebox has a Mobile VPN with IKEv2 configured AND that this VPN is set to authenticate against an external LDAP authentication server - this exact configuration is the necessary precondition; Fireboxes without Mobile VPN IKEv2, or ones using local/RADIUS authentication, are not exploitable through this path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue for exposed Fireboxes with the affected feature set, but the raw 9.2 score should be read against its metric composition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-facing Firebox whose Mobile VPN with IKEv2 authenticates users via LDAP, then repeatedly initiates IKEv2 negotiations timed to trigger the authentication race condition. On a successful race, the freed object in iked is reused under attacker control, giving arbitrary code execution as the iked process without any valid credentials. …
Remediation Patch available per vendor advisory - consult WatchGuard PSIRT advisory WGSA-2026-00023 (https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00023) for the fixed Fireware OS build corresponding to your release line (11.x, 12.x, or 2025.x/2026.x) and upgrade to it; an exact fixed version number is not present in the available data and should be taken from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WatchGuard Fireboxes to identify systems with Mobile User VPN enabled using IKEv2 and external LDAP authentication and quantify exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-5453 MEDIUM POC
6.5 Jul 08

Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell

CVE-2015-5452 HIGH POC
7.5 Jul 08

SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitr

CVE-2022-26318 CRITICAL POC
9.8 Mar 04

On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. Rated criti

CVE-2018-10575 CRITICAL POC
9.8 Apr 30

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated critical seve

CVE-2018-10577 HIGH POC
8.8 May 02

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices w

CVE-2016-7089 HIGH POC
7.8 Aug 24

WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifco

CVE-2018-10576 HIGH POC
7.8 Apr 30

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated high severity

CVE-2017-14616 HIGH POC
7.5 Sep 20

An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. Rated high severity (CVSS 7.5), this vulnerability

CVE-2017-8056 MEDIUM POC
5.3 Apr 22

WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC a

CVE-2022-31790 HIGH POC
7.5 Sep 06

WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication serv

CVE-2020-10532 HIGH POC
7.5 Mar 12

The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext password

CVE-2017-14615 MEDIUM POC
6.1 Sep 20

An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. Rated medium severity (CVSS 6.1), this vulnerabilit

Share

CVE-2026-13368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy