Watchguard
Monthly
Authenticated command execution in WatchGuard Fireware OS lets a privileged administrator escalate a specially crafted CLI command into arbitrary code execution via an out-of-bounds write (CWE-787). The flaw affects a very broad version span (Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2), placing most currently and historically deployed WatchGuard Firebox appliances in scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 score of 8.6 reflects full confidentiality/integrity/availability impact once the required privileged access is obtained.
Remote code execution in WatchGuard Fireware OS (the operating system powering Firebox network security appliances) allows an authenticated privileged administrator to run arbitrary code on the firewall by sending specially crafted requests to the Management Web UI, which trigger an out-of-bounds write in the networkd process. The flaw spans a wide version range (11.8 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2) and carries a CVSS 4.0 base score of 8.6 (High). It was reported by WatchGuard's own PSIRT; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file write in the WatchGuard Fireware OS Management Web UI lets a privileged, authenticated administrator escape the intended directory and write files anywhere on a Firebox appliance's filesystem, per CVSS 4.0 (AV:N/PR:H). This affects Fireware OS across the 11.x, 12.x, and 2025.1-2026.2 branches and can be leveraged to tamper with configuration or system binaries, potentially leading to code execution or device compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.
Remote code execution in WatchGuard Fireware OS (the firmware powering WatchGuard Firebox firewall appliances) allows an unauthenticated attacker positioned on the same local/adjacent network segment to trigger an out-of-bounds write and execute arbitrary code. The flaw spans a wide firmware range - 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2 - and was self-reported by WatchGuard via its PSIRT. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-adjacent, unauthenticated, high-impact profile makes it a serious perimeter-device concern.
WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.
Denial-of-service in WatchGuard Fireware OS lets a remote, unauthenticated attacker crash the IKEv2 VPN service by sending specially crafted IKEv2 messages that trigger a null pointer dereference (CWE-476). The flaw affects appliances running Mobile User VPN with IKEv2 or Branch Office VPN over IKEv2 with a dynamic gateway peer, spanning Fireware OS 11.10.2 through 2026.2. No public exploit identified at time of analysis; the CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss.
Remote code execution in WatchGuard Fireware OS affects Fireboxes running a Mobile User VPN with IKEv2 that authenticates against an external LDAP server. A race condition in the IKEv2 LDAP authentication path can be driven into a use-after-free (CWE-416) inside the iked daemon, letting a remote unauthenticated attacker execute arbitrary code in the context of that process. No public exploit identified at time of analysis, and the CVSS 4.0 base score of 9.2 is tempered by high attack complexity and a probabilistic attack requirement (AC:H/AT:P), reflecting the difficulty of reliably winning the race.
Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.
Authenticated arbitrary code execution in WatchGuard Fireware OS (12.1-12.12 and 2025.1-2026.2) arises from an out-of-bounds write in the wgagent process, reachable when a privileged user sends specially crafted requests to the Management Web UI. A high-privilege attacker (or one who has compromised admin credentials) can corrupt memory to run code on the firewall appliance, undermining the security gateway itself. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in WatchGuard Fireware OS (the firmware powering Firebox network security appliances) arises from an out-of-bounds write in the ikestubd process, reachable through the Management Web UI. An authenticated user holding privileged (administrative) access can send specially crafted requests to corrupt memory and execute code on the appliance. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded by the requirement for existing privileged access.
Stored XSS in WatchGuard Fireware OS's SIP Proxy module enables a high-privileged attacker to plant persistent malicious JavaScript that executes in the browsers of other privileged users who access affected management interface pages. Covering Fireware OS versions 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this CVE is explicitly disclosed as an additional, previously unmitigated attack path for CVE-2025-6947 - meaning organizations that applied the prior patch may incorrectly believe their exposure is closed. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Stored XSS in WatchGuard Fireware OS's spamBlocker module enables a high-privileged attacker to persist malicious JavaScript that executes in the browsers of other authenticated users viewing the affected management interface. This vulnerability is explicitly identified as an additional, unmitigated attack path bypassing the remediation applied for CVE-2025-1071, indicating the original fix was incomplete. The CVSS 4.0 vector scores this at 4.8 (Medium), with no confirmed active exploitation and no public exploit identified at time of analysis.
Stored cross-site scripting in WatchGuard Fireware OS's Autotask Technology Integration module allows a high-privileged attacker to inject persistent malicious scripts that execute in the browsers of other users who view the affected management interface pages. Affecting Fireware OS versions 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this flaw is explicitly described as an additional unmitigated attack path alongside the related CVE-2025-13938, suggesting prior remediation efforts were incomplete. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Stored cross-site scripting in WatchGuard Fireware OS via the ConnectWise Technology Integration module allows a highly privileged attacker to inject persistent malicious scripts into the web management interface, which then execute in the browsers of other authenticated users who view the affected pages. This vulnerability is explicitly described as an additional, previously unmitigated attack path for CVE-2025-13937, indicating that the prior remediation was incomplete and a bypass exists. No public exploit code or CISA KEV listing has been identified at time of analysis, but the relationship to an earlier CVE suggests at least some organizational knowledge of the attack surface.
Stored XSS in WatchGuard Fireware OS's Tigerpaw Technology Integration module allows a high-privileged attacker to persist malicious scripts within the management interface, which then execute in the browsers of other authenticated users who visit the affected pages. Critically, this CVE is identified as an additional unmitigated attack path for CVE-2025-13936, indicating an incomplete remediation of a prior related XSS flaw in the same integration module. Affected versions span the 12.4, 12.5, and 2025.x/2026.x release trains; no public exploit or CISA KEV listing has been identified at time of analysis.
Local privilege escalation in WatchGuard Agent for Windows allows authenticated users to execute arbitrary code with elevated system privileges through DLL hijacking. The agent searches for dependencies in user-controllable directories, enabling attackers with standard user credentials to plant malicious DLLs that load when the service starts. WatchGuard has released version 1.25.03.0000 to address this uncontrolled search path vulnerability (CWE-427).
Hard-coded cryptographic key in WatchGuard Agent for Windows enables local authenticated attackers to inject malicious code into existing agent processes, achieving high-impact confidentiality, integrity, and availability compromise. WatchGuard Agent versions prior to 1.25.03.0000 are affected. CVSS v4.0 score of 8.5 reflects local attack vector with low complexity and low privilege requirements, though no active exploitation (KEV) or public POC has been identified at time of analysis. The vulnerability's CWE-321 classification indicates embedded cryptographic material that could be extracted and reused for process injection attacks.
Privilege escalation in WatchGuard Agent for Windows allows authenticated local users to gain NT AUTHORITY\SYSTEM privileges via incorrect permissions in the patch management component. CVSS 7.3 with low attack complexity and local attack vector. No active exploitation or public exploit code identified at time of analysis. EPSS data not available - real-world risk depends on defender endpoint deployment environments where local user access is already established.
Stack-based buffer overflow in WatchGuard Agent discovery service on Windows enables adjacent attackers without authentication to crash the agent via crafted network packets. CVSS 7.1 (High) reflects adjacent network attack vector with high integrity impact. The vulnerability targets the discovery service component used for agent enrollment and network communication. No CISA KEV listing or public exploit code identified at time of analysis, though the local network attack vector limits exposure to adjacent attackers.
Stack-based buffer overflow in WatchGuard Agent's discovery service allows adjacent network attackers to crash the agent service without authentication. Affects Windows installations prior to version 1.25.03.0000. Vendor patch released addressing the vulnerability. SSVC framework indicates no active exploitation observed and manual exploitation required. While CVSS 7.1 (High) reflects network-adjacent access with high availability impact, actual risk is limited to denial-of-service - no code execution or data compromise possible per the CVSS vector (VC:N/VI:N/VA:H).
Improper Privilege Management vulnerability in WatchGuard EPDR, Panda AD360 and Panda Dome on Windows (PSANHost.exe module) allows arbitrary file delete with SYSTEM permissions.00.23.0000; Panda. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Improper Handling of Exceptional Conditions vulnerability in the WatchGuard Single Sign-On Client on Windows causes the client to crash while handling malformed commands. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Authorization vulnerability in WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows allows an attacker with network access to execute restricted management commands.10.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A buffer overflow in WatchGuard Fireware OS could may allow an authenticated remote attacker with privileged management access to execute arbitrary code with system privileges on the firewall.9.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in WatchGuard AuthPoint Password Manager on MacOS allows an a adversary with local access to execute. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A stored cross-site scripting (XSS) vulnerability exists in the management web interface of WatchGuard Firebox and XTM appliances. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow a local attacker (that has already obtained shell access) to elevate their privileges and execute code with root permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An integer overflow in WatchGuard Firebox and XTM appliances allows an unauthenticated remote attacker to trigger a buffer overflow and potentially execute arbitrary code by sending a malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication server settings by sending a malicious request to exposed authentication endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to delete arbitrary files from a limited set of directories on the system. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to modify privileged management user credentials. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload files to arbitrary locations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A systemd stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A wgagent stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An integer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to trigger a heap-based buffer overflow and potentially execute arbitrary code by initiating a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to retrieve certificate private keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext passwords via the /domains/list URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.4%.
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifconfig command, aka ESCALATEPLOWMAN. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 72.5%.
SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.7%.
Multiple cross-site scripting (XSS) vulnerabilities in the firewall policy management pages in WatchGuard Fireware XTM before 11.8.3 allow remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Authenticated command execution in WatchGuard Fireware OS lets a privileged administrator escalate a specially crafted CLI command into arbitrary code execution via an out-of-bounds write (CWE-787). The flaw affects a very broad version span (Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2), placing most currently and historically deployed WatchGuard Firebox appliances in scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 score of 8.6 reflects full confidentiality/integrity/availability impact once the required privileged access is obtained.
Remote code execution in WatchGuard Fireware OS (the operating system powering Firebox network security appliances) allows an authenticated privileged administrator to run arbitrary code on the firewall by sending specially crafted requests to the Management Web UI, which trigger an out-of-bounds write in the networkd process. The flaw spans a wide version range (11.8 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2) and carries a CVSS 4.0 base score of 8.6 (High). It was reported by WatchGuard's own PSIRT; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file write in the WatchGuard Fireware OS Management Web UI lets a privileged, authenticated administrator escape the intended directory and write files anywhere on a Firebox appliance's filesystem, per CVSS 4.0 (AV:N/PR:H). This affects Fireware OS across the 11.x, 12.x, and 2025.1-2026.2 branches and can be leveraged to tamper with configuration or system binaries, potentially leading to code execution or device compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.
Remote code execution in WatchGuard Fireware OS (the firmware powering WatchGuard Firebox firewall appliances) allows an unauthenticated attacker positioned on the same local/adjacent network segment to trigger an out-of-bounds write and execute arbitrary code. The flaw spans a wide firmware range - 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2 - and was self-reported by WatchGuard via its PSIRT. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-adjacent, unauthenticated, high-impact profile makes it a serious perimeter-device concern.
WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.
Denial-of-service in WatchGuard Fireware OS lets a remote, unauthenticated attacker crash the IKEv2 VPN service by sending specially crafted IKEv2 messages that trigger a null pointer dereference (CWE-476). The flaw affects appliances running Mobile User VPN with IKEv2 or Branch Office VPN over IKEv2 with a dynamic gateway peer, spanning Fireware OS 11.10.2 through 2026.2. No public exploit identified at time of analysis; the CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss.
Remote code execution in WatchGuard Fireware OS affects Fireboxes running a Mobile User VPN with IKEv2 that authenticates against an external LDAP server. A race condition in the IKEv2 LDAP authentication path can be driven into a use-after-free (CWE-416) inside the iked daemon, letting a remote unauthenticated attacker execute arbitrary code in the context of that process. No public exploit identified at time of analysis, and the CVSS 4.0 base score of 9.2 is tempered by high attack complexity and a probabilistic attack requirement (AC:H/AT:P), reflecting the difficulty of reliably winning the race.
Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.
Authenticated arbitrary code execution in WatchGuard Fireware OS (12.1-12.12 and 2025.1-2026.2) arises from an out-of-bounds write in the wgagent process, reachable when a privileged user sends specially crafted requests to the Management Web UI. A high-privilege attacker (or one who has compromised admin credentials) can corrupt memory to run code on the firewall appliance, undermining the security gateway itself. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in WatchGuard Fireware OS (the firmware powering Firebox network security appliances) arises from an out-of-bounds write in the ikestubd process, reachable through the Management Web UI. An authenticated user holding privileged (administrative) access can send specially crafted requests to corrupt memory and execute code on the appliance. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded by the requirement for existing privileged access.
Stored XSS in WatchGuard Fireware OS's SIP Proxy module enables a high-privileged attacker to plant persistent malicious JavaScript that executes in the browsers of other privileged users who access affected management interface pages. Covering Fireware OS versions 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this CVE is explicitly disclosed as an additional, previously unmitigated attack path for CVE-2025-6947 - meaning organizations that applied the prior patch may incorrectly believe their exposure is closed. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Stored XSS in WatchGuard Fireware OS's spamBlocker module enables a high-privileged attacker to persist malicious JavaScript that executes in the browsers of other authenticated users viewing the affected management interface. This vulnerability is explicitly identified as an additional, unmitigated attack path bypassing the remediation applied for CVE-2025-1071, indicating the original fix was incomplete. The CVSS 4.0 vector scores this at 4.8 (Medium), with no confirmed active exploitation and no public exploit identified at time of analysis.
Stored cross-site scripting in WatchGuard Fireware OS's Autotask Technology Integration module allows a high-privileged attacker to inject persistent malicious scripts that execute in the browsers of other users who view the affected management interface pages. Affecting Fireware OS versions 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this flaw is explicitly described as an additional unmitigated attack path alongside the related CVE-2025-13938, suggesting prior remediation efforts were incomplete. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Stored cross-site scripting in WatchGuard Fireware OS via the ConnectWise Technology Integration module allows a highly privileged attacker to inject persistent malicious scripts into the web management interface, which then execute in the browsers of other authenticated users who view the affected pages. This vulnerability is explicitly described as an additional, previously unmitigated attack path for CVE-2025-13937, indicating that the prior remediation was incomplete and a bypass exists. No public exploit code or CISA KEV listing has been identified at time of analysis, but the relationship to an earlier CVE suggests at least some organizational knowledge of the attack surface.
Stored XSS in WatchGuard Fireware OS's Tigerpaw Technology Integration module allows a high-privileged attacker to persist malicious scripts within the management interface, which then execute in the browsers of other authenticated users who visit the affected pages. Critically, this CVE is identified as an additional unmitigated attack path for CVE-2025-13936, indicating an incomplete remediation of a prior related XSS flaw in the same integration module. Affected versions span the 12.4, 12.5, and 2025.x/2026.x release trains; no public exploit or CISA KEV listing has been identified at time of analysis.
Local privilege escalation in WatchGuard Agent for Windows allows authenticated users to execute arbitrary code with elevated system privileges through DLL hijacking. The agent searches for dependencies in user-controllable directories, enabling attackers with standard user credentials to plant malicious DLLs that load when the service starts. WatchGuard has released version 1.25.03.0000 to address this uncontrolled search path vulnerability (CWE-427).
Hard-coded cryptographic key in WatchGuard Agent for Windows enables local authenticated attackers to inject malicious code into existing agent processes, achieving high-impact confidentiality, integrity, and availability compromise. WatchGuard Agent versions prior to 1.25.03.0000 are affected. CVSS v4.0 score of 8.5 reflects local attack vector with low complexity and low privilege requirements, though no active exploitation (KEV) or public POC has been identified at time of analysis. The vulnerability's CWE-321 classification indicates embedded cryptographic material that could be extracted and reused for process injection attacks.
Privilege escalation in WatchGuard Agent for Windows allows authenticated local users to gain NT AUTHORITY\SYSTEM privileges via incorrect permissions in the patch management component. CVSS 7.3 with low attack complexity and local attack vector. No active exploitation or public exploit code identified at time of analysis. EPSS data not available - real-world risk depends on defender endpoint deployment environments where local user access is already established.
Stack-based buffer overflow in WatchGuard Agent discovery service on Windows enables adjacent attackers without authentication to crash the agent via crafted network packets. CVSS 7.1 (High) reflects adjacent network attack vector with high integrity impact. The vulnerability targets the discovery service component used for agent enrollment and network communication. No CISA KEV listing or public exploit code identified at time of analysis, though the local network attack vector limits exposure to adjacent attackers.
Stack-based buffer overflow in WatchGuard Agent's discovery service allows adjacent network attackers to crash the agent service without authentication. Affects Windows installations prior to version 1.25.03.0000. Vendor patch released addressing the vulnerability. SSVC framework indicates no active exploitation observed and manual exploitation required. While CVSS 7.1 (High) reflects network-adjacent access with high availability impact, actual risk is limited to denial-of-service - no code execution or data compromise possible per the CVSS vector (VC:N/VI:N/VA:H).
Improper Privilege Management vulnerability in WatchGuard EPDR, Panda AD360 and Panda Dome on Windows (PSANHost.exe module) allows arbitrary file delete with SYSTEM permissions.00.23.0000; Panda. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Improper Handling of Exceptional Conditions vulnerability in the WatchGuard Single Sign-On Client on Windows causes the client to crash while handling malformed commands. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Authorization vulnerability in WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows allows an attacker with network access to execute restricted management commands.10.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A buffer overflow in WatchGuard Fireware OS could may allow an authenticated remote attacker with privileged management access to execute arbitrary code with system privileges on the firewall.9.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in WatchGuard AuthPoint Password Manager on MacOS allows an a adversary with local access to execute. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in WatchGuard EPDR 8.0.21.0002. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A stored cross-site scripting (XSS) vulnerability exists in the management web interface of WatchGuard Firebox and XTM appliances. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow a local attacker (that has already obtained shell access) to elevate their privileges and execute code with root permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An integer overflow in WatchGuard Firebox and XTM appliances allows an unauthenticated remote attacker to trigger a buffer overflow and potentially execute arbitrary code by sending a malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication server settings by sending a malicious request to exposed authentication endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to delete arbitrary files from a limited set of directories on the system. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to modify privileged management user credentials. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload files to arbitrary locations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A systemd stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A wgagent stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An integer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to trigger a heap-based buffer overflow and potentially execute arbitrary code by initiating a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to retrieve certificate private keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralisation of special elements used in an OS Command (OS Command injection). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext passwords via the /domains/list URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices with firmware before 2.0.0.10. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.4%.
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifconfig command, aka ESCALATEPLOWMAN. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 72.5%.
SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.7%.
Multiple cross-site scripting (XSS) vulnerabilities in the firewall policy management pages in WatchGuard Fireware XTM before 11.8.3 allow remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.