Serious vulnerabilities have been identified in WatchGuard Firebox devices using Fireware OS, posing a risk of arbitrary code execution by authenticated attackers. These vulnerabilities could enable attackers to gain full control over the affected systems.
Details of the Vulnerabilities
WatchGuard has announced the existence of three critical vulnerabilities in Fireware OS that impact Firebox firewall devices. These vulnerabilities, rated at 8.6 on the CVSS v4.0 scale, have been addressed in recent firmware updates. The issues are identified as CVE-2026-13053, CVE-2026-13050, and CVE-2026-13054.
CVE-2026-13053 involves an out-of-bounds write in the Fireware OS CLI command handler, allowing a privileged user to execute arbitrary code through a specially crafted command. This is a significant threat as it grants extensive control over the device.
Impact and Exploitation
CVE-2026-13050 is another out-of-bounds write vulnerability, this time affecting the networkd process. It can be exploited via crafted requests to the Management Web UI, similarly enabling a privileged administrator to execute arbitrary code.
CVE-2026-13054 is a path traversal issue within the Management Web UI, permitting a logged-in attacker to write arbitrary files anywhere on the file system. This can lead to code execution by altering startup scripts or configuration files, providing persistent access.
These vulnerabilities require high privilege credentials for exploitation, making it necessary for attackers to first compromise administrator access. Once inside, they can manipulate the system significantly, posing a severe security threat.
Remediation and Recommendations
WatchGuard has released updates to patch these vulnerabilities, with Fireware OS versions 2026.2.1 and 12.12.1 being the primary fixes. Users on version 2025.1 should upgrade to 2026.2.1, while those using 12.x need to move to at least 12.12.1. Legacy 11.x versions are no longer supported, necessitating an upgrade to a supported version.
No workarounds are available apart from applying these patches. Organizations are advised to limit access to management interfaces, enforce multi-factor authentication for admin accounts, and monitor admin activities closely to detect any unusual operations.
These vulnerabilities highlight the importance of regular updates and vigilant management of network security devices to prevent unauthorized access and potential breaches.
