Multiple WatchGuard Firebox OS Vulnerabilities Enable Arbitrary Code Execution Attacks










Multiple high‑severity vulnerabilities in WatchGuard Firebox devices running Fireware OS could let authenticated attackers execute arbitrary code and take full control of affected appliances.

WatchGuard has disclosed three high‑impact vulnerabilities in Fireware OS affecting Firebox firewall appliances, all scored 8.6 under CVSS v4.0 and already patched in recent firmware releases.

Tracked as CVE‑2026‑13053, CVE‑2026‑13050, and CVE‑2026‑13054, the flaws enable arbitrary code execution and arbitrary file write when exploited by a logged‑in administrator through the management CLI and Web UI.

CVE‑2026‑13053 (WGSA‑2026‑00030) is an out‑of‑bounds write in the Fireware OS CLI command handler that allows a privileged authenticated user to execute arbitrary code via a specially crafted CLI command.

CVE‑2026‑13050 (WGSA‑2026‑00029) is an out‑of‑bounds write in the networkd process, exploitable through crafted requests to the Management Web UI, again granting arbitrary code execution to a privileged admin.

CVE‑2026‑13054 (WGSA‑2026‑00028) is a path-traversal flaw in the Management Web UI that allows a logged‑in attacker to write arbitrary files anywhere on the Firebox filesystem, which can be chained into code execution by dropping or modifying startup scripts, binaries, or configuration files.

All three issues are marked “High” impact by WatchGuard and share the same CVSS v4.0 vector, reflecting low attack complexity but requiring high‑privileged credentials.

According to WatchGuard, all three vulnerabilities impact the same broad range of Fireware OS versions across hardware, virtual, and cloud Firebox deployments.

Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2 are affected.

Legacy 11.x releases are listed as end‑of‑life, meaning customers still on those builds will not receive fixes and must upgrade to supported branches.

For the small‑form T15 and T35 models, the advisories note that the 12.5.x line remains “Unresolved,” underscoring the need to migrate off deprecated platforms where possible.

Because these are post‑authentication flaws, threat actors must first compromise administrator credentials, pivot from a management workstation, or abuse insider access.

Once authenticated, an attacker could use the CLI out‑of‑bounds write to run arbitrary code as a high‑privilege process, install backdoors, alter firewall rules, or exfiltrate configuration and VPN secrets.

Through the networkd vulnerability, a malicious admin can weaponize Web UI requests to achieve the same level of code execution via the management plane.

The path-traversal arbitrary file write further expands attack options by allowing overwrites of critical system files, cron jobs, or boot scripts, making persistence straightforward and hard to detect.

WatchGuard has released Fireware OS 2026.2.1 and 12.12.1 as the primary fixed versions for these vulnerabilities.

Customers on 2025.1 should upgrade to 2026.2.1, while those on 12.x must move to at least 12.12.1; 11.x deployments require a migration path since they are end‑of‑life.

The vendor does not list any workaround for the three issues, so patching remains the only effective remediation.

As a compensating control until upgrades are complete, organizations should strictly limit access to the Firebox management interfaces, enforce MFA for admin accounts, and closely monitor admin‑level activity for unusual CLI or Web UI operations.
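To turn the affected ranges and fixed releases above into a patch-triage pass over a device inventory, the following added example (not WatchGuard's code or part of the original article) classifies Fireware OS version strings. The inventory, hostnames and status labels are constructed; treating 12.5.x as a separate branch and treating any build below a fixed release as needing the upgrade are assumptions.

```python
import re

# Fixed and last-affected builds as stated in the article above.
FIXED_12X = (12, 12, 1, 0)           # Fireware OS 12.12.1
FIXED_YEAR = (2026, 2, 1, 0)         # Fireware OS 2026.2.1
FIRST_YEAR = (2025, 1, 0, 0)         # 2025.1 is the first affected year-based release
LAST_AFFECTED_12_5 = (12, 5, 18, 0)  # 12.5 through 12.5.18, no fix listed
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?")

def parse_version(text):
    """'11.12.4_Update1' -> (11, 12, 4, 1); missing components become 0."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(version):
    """Return (status, action) for one Fireware OS version string."""
    v = parse_version(version)
    if v[0] == 11:
        return ("affected-eol", "no fix will ship; migrate to a supported branch")
    if v[:2] == (12, 5):
        # Assumption: 12.5.x is its own branch (T15/T35), so it is checked
        # before mainline 12.x even though 12.5 sorts between 12.0 and 12.12.
        if v <= LAST_AFFECTED_12_5:
            return ("affected-unresolved", "no fixed build listed; lock down management access")
        return ("not-listed", "check the vendor advisory")
    if v[0] == 12:
        # Assumption: any mainline 12.x build below the fixed release needs it.
        if v < FIXED_12X:
            return ("affected", "upgrade to 12.12.1 or later")
        return ("fixed", "none")
    if FIRST_YEAR <= v < FIXED_YEAR:
        return ("affected", "upgrade to 2026.2.1 or later")
    if v >= FIXED_YEAR:
        return ("fixed", "none")
    return ("not-listed", "check the vendor advisory")

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = {"hq-fw01": "12.11.2", "branch-t35": "12.5.12", "lab-old": "11.12.4_Update1",
             "cloud-fb": "2026.2", "dc-fw02": "2026.2.1"}

def report(inventory):
    """Map each host to its (status, action) pair."""
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, action) in sorted(report(INVENTORY).items()):
        print(f"{host:12} {INVENTORY[host]:18} {status:20} {action}")
```

Devices reported as `affected-unresolved` or `affected-eol` have no in-branch fix, so they are the ones that depend on the management-access restrictions described above until they are migrated.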

The post Multiple WatchGuard Firebox OS Vulnerabilities Enable Arbitrary Code Execution Attacks appeared first on Cyber Security News.






Abinaya




