Security Advisories

WatchGuard Firebox iked Out of Bounds Write Vulnerability

WatchGuard — Wed, 17 Sep 2025 07:20:10 +0000

WatchGuard Firebox iked Out of Bounds Write Vulnerability

Advisory ID

WGSA-2025-00015

WatchGuard Wed, 09/17/2025 - 00:20

CVE

CVE-2025-9242

Impact

Critical

Status

Resolved

Product Family

Firebox

Published Date

2025-09-17

Updated Date

2025-09-19

Workaround Available

True

CVSS Score

9.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.

Affected

This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.1
12.x	12.11.4
12.5.x (T15 & T35 models)	12.5.13
12.3.1 (FIPS-certified release)	12.3.1_Update3 (B722811)
11.x	End of Life

Workaround

If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.

Credits

btaol

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185

Pre-authentication Denial of Service attack in OpenSSH

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

Pre-authentication Denial of Service attack in OpenSSH

Advisory ID

WGSA-2025-00009

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-26466

Impact

Medium

Status

Resolved

Product Family

Dimension, Firebox, Secure Wi-Fi

Published Date

2025-07-10

Updated Date

2025-07-10

Workaround Available

False

CVSS Score

5.9

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Affected

Product	Version	Status
Fireware OS	12.x	Resolved
Dimension	All	Not Affected
Secure Wi-Fi	All	Not Affected

Resolution

Product	Resolution
Fireware OS	12.11.3

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26466

Advisory Product List

Product Family	Product Branch	Product List
Dimension	Dimension	Dimension
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
Secure Wi-Fi	Wi-Fi 6	AP130, AP330, AP332CR, AP430CR, AP432
Secure Wi-Fi	Wi-Fi 4 & 5	AP125, AP225W, AP325, AP327X, AP420

WatchGuard Firebox Authenticated Stack Overflow in Certificate Request Command

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Authenticated Stack Overflow in Certificate Request Command

Advisory ID

WGSA-2025-00013

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-1547

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

7.5

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Workaround

WatchGuard Firebox administrators should never expose management interfaces, including the command line interface, to untrusted networks. Follow WatchGuard's Firebox Remote Management Best Practices for additional guidance.

Credits

Cody Sixteen

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in SIP Proxy Configuration

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in SIP Proxy Configuration

Advisory ID

WGSA-2025-00012

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-6947

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the SIP Proxy configuration. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in IPS Configuration

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in IPS Configuration

Advisory ID

WGSA-2025-00011

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-6946

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the IPS configuration. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Authentication Portal Request Smuggling Vulnerability

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Authentication Portal Request Smuggling Vulnerability

Advisory ID

WGSA-2025-00014

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-6999

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

6.9

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade request parameter sanitation and perform a reflected self-Cross-Site Scripting (XSS) attack.
WatchGuard does not believe there is a practical exploit chain with a meaningful impact for this vulnerability.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Resolved in Fireware OS 12.11.3.

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Leftover Debug Code Vulnerability

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Leftover Debug Code Vulnerability

Advisory ID

WGSA-2025-00010

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-4106

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

8.9

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
An authenticated admin user with access to both the management WebUI and command line interface on a Firebox can enable a diagnostic debug shell by uploading a platform and version-specific diagnostic package and executing a leftover diagnostic command.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Mobile VPN with SSL Local Privilege Escalation

WatchGuard — Wed, 28 May 2025 14:50:09 +0000

WatchGuard Mobile VPN with SSL Local Privilege Escalation

Advisory ID

WGSA-2025-00008

WatchGuard Wed, 05/28/2025 - 07:50

CVE

CVE-2025-1910

Impact

High

Status

Resolved

Product Family

Other Software

Published Date

2025-05-28

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

8.5

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Updated 2024-06-03 to clarify the potential impact scope for this vulnerability.
The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM on the Windows machine where the VPN Client is installed.

Affected

This issue affects the Mobile VPN with SSL Client from 11.0 up to and including 12.11.2.

Resolution

Resolved in the Mobile VPN with SSL Client version 12.11.3.

Credits

AKASEC

Advisory Product List

Product Family	Product Branch	Product List
Other Software	SSL VPN	SSL VPN

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Hotspot Configuration

WatchGuard — Fri, 16 May 2025 19:00:34 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Hotspot Configuration

Advisory ID

WGSA-2025-00006

WatchGuard Fri, 05/16/2025 - 12:00

CVE

CVE-2025-4804

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-05-16

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the Hotspit configuration. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.1.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.2
12.5.x (T15 & T35 models)	12.5.13

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Access Portal Configuration

WatchGuard — Fri, 16 May 2025 19:50:13 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Access Portal Configuration

Advisory ID

WGSA-2025-00007

WatchGuard Fri, 05/16/2025 - 12:50

CVE

CVE-2025-4805

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-05-16

Updated Date

2025-09-19

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the Access Portal configuration. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.1.

Resolution

Resolved in Fireware OS 12.11.2.

Credits

Simone Paganessi (https://www.linkedin.com/in/simonepaganessi)

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV