Security Advisories

WatchGuard Mobile VPN with SSL Local Privilege Escalation

WatchGuard — Wed, 29 Oct 2025 16:50:10 +0000

WatchGuard Mobile VPN with SSL Local Privilege Escalation

Advisory ID

WGSA-2025-00016

WatchGuard Wed, 10/29/2025 - 09:50

CVE

CVE-2025-1549

Impact

Medium

Status

Resolved

Product Family

Other Software

Published Date

2025-10-29

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

6.3

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Summary

A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileges on the Windows system. This vulnerability is an additional unmitigated attack path for CVE-2024-4944.

Affected

WatchGuard Mobile VPN with SSL for Windows up to and including version 12.10.2

Resolution

WatchGuard Mobile VPN with SSL for Windows version 12.11.3

Credits

Defence Tech Malware Lab

Advisory Product List

Product Family	Product Branch	Product List
Other Software	SSL VPN	SSL VPN

WatchGuard Firebox iked Out of Bounds Write Vulnerability

WatchGuard — Wed, 17 Sep 2025 07:20:10 +0000

WatchGuard Firebox iked Out of Bounds Write Vulnerability

Advisory ID

WGSA-2025-00015

WatchGuard Wed, 09/17/2025 - 00:20

CVE

CVE-2025-9242

Impact

Critical

Status

Resolved

Product Family

Firebox

Published Date

2025-09-17

Updated Date

2025-11-07

Workaround Available

True

CVSS Score

9.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Updated November 07 2025: Updated to correct an error in the logging level required for the IDi payload size IOA.
Updated October 21 2025: Updated to provide Indicators of Attack and additional remediation guidance due to potential active exploits in the wild.
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.

Updated October 21 2025

We have evidence that suggests this vulnerability is under active exploitation.

Indicators of Attack

We are providing the following Indicators of Attack (IoAs) to help device owners identify potential attempts to exploit this vulnerability against vulnerable Firebox appliances. These IoAs are only applicable on devices that lack the resolution described later in this advisory.

Abnormally large IKE_AUTH request IDi payload

With iked diagnostic logging set to the Info logging level, the iked process generates a log message when the Firebox receives an IKE_AUTH request message. An IKE_AUTH request log message with an abnormally large IDi payload size (greater than 100 bytes) is a strong indicator of an attack.
The following example diagnostic log shows an example IDi payload size of 300 bytes.
1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads [ IDi(sz=300) CERT(sz=889) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]

IKE Process Hang

During a successful exploit, the IKED process (responsible for handling IPSec and IKE VPN traffic) will hang, interrupting VPN connections. This is a strong indicator of attack.

IKED Process Crash

After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox. Be aware, there are other situations that could cause the IKED process to crash. This is a weak indicator of attack.

Affected

This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.

Resolution

Vulnerable Version	Resolved Version
2025.1	2025.1.1
12.x	12.11.4
12.5.x (T15 & T35 models)	12.5.13
12.3.1 (FIPS-certified release)	12.3.1_Update3 (B722811)
11.x	End of Life

Updated October 21 2025

As of this update, in addition to installing the latest Fireware OS release that contains the fix, administrators should take precautions to rotate all locally stored secrets on vulnerable Firebox appliances as described in our Best Practices to Rotate Shared Secrets Stored on the Firebox knowledge base article. This recommendation is out of an abundance of caution due to evidence that this vulnerability is under active exploitation.

Workaround

If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.

Credits

btaol

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
Firebox	Fireware OS 2025.1.x	T115-W, T125, T125-W, T145, T145-W, T185

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in SIP Proxy Configuration

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in SIP Proxy Configuration

Advisory ID

WGSA-2025-00012

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-6947

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the SIP Proxy configuration. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in IPS Configuration

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in IPS Configuration

Advisory ID

WGSA-2025-00011

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-6946

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the IPS configuration. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Authentication Portal Request Smuggling Vulnerability

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Authentication Portal Request Smuggling Vulnerability

Advisory ID

WGSA-2025-00014

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-6999

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

6.9

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

An HTTP Request Smuggling [CWE-444] vulnerability in the Authentication portal of WatchGuard Fireware OS allows a remote attacker to evade request parameter sanitation and perform a reflected self-Cross-Site Scripting (XSS) attack.
WatchGuard does not believe there is a practical exploit chain with a meaningful impact for this vulnerability.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Resolved in Fireware OS 12.11.3.

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Authenticated Stack Overflow in Certificate Request Command

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Authenticated Stack Overflow in Certificate Request Command

Advisory ID

WGSA-2025-00013

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-1547

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

7.5

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Workaround

WatchGuard Firebox administrators should never expose management interfaces, including the command line interface, to untrusted networks. Follow WatchGuard's Firebox Remote Management Best Practices for additional guidance.

Credits

Cody Sixteen

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

WatchGuard Firebox Leftover Debug Code Vulnerability

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

WatchGuard Firebox Leftover Debug Code Vulnerability

Advisory ID

WGSA-2025-00010

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-4106

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2025-07-10

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

8.9

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

Updated September 17 2025: Updated to add Fireware OS 12.5.13 as a resolved release
An authenticated admin user with access to both the management WebUI and command line interface on a Firebox can enable a diagnostic debug shell by uploading a platform and version-specific diagnostic package and executing a leftover diagnostic command.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.2.

Resolution

Vulnerable Version	Resolved Version
12.x	12.11.3
12.5.x (T15 & T35 models)	12.5.13

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

Pre-authentication Denial of Service attack in OpenSSH

WatchGuard — Thu, 10 Jul 2025 19:00:41 +0000

Pre-authentication Denial of Service attack in OpenSSH

Advisory ID

WGSA-2025-00009

WatchGuard Thu, 07/10/2025 - 12:00

CVE

CVE-2025-26466

Impact

Medium

Status

Resolved

Product Family

Dimension, Firebox, Secure Wi-Fi

Published Date

2025-07-10

Updated Date

2025-07-10

Workaround Available

False

CVSS Score

5.9

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Affected

Product	Version	Status
Fireware OS	12.x	Resolved
Dimension	All	Not Affected
Secure Wi-Fi	All	Not Affected

Resolution

Product	Resolution
Fireware OS	12.11.3

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26466

Advisory Product List

Product Family	Product Branch	Product List
Dimension	Dimension	Dimension
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
Secure Wi-Fi	Wi-Fi 6	AP130, AP330, AP332CR, AP430CR, AP432
Secure Wi-Fi	Wi-Fi 4 & 5	AP125, AP225W, AP325, AP327X, AP420

WatchGuard Mobile VPN with SSL Local Privilege Escalation

WatchGuard — Wed, 28 May 2025 14:50:09 +0000

WatchGuard Mobile VPN with SSL Local Privilege Escalation

Advisory ID

WGSA-2025-00008

WatchGuard Wed, 05/28/2025 - 07:50

CVE

CVE-2025-1910

Impact

High

Status

Resolved

Product Family

Other Software

Published Date

2025-05-28

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

8.5

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Updated 2024-06-03 to clarify the potential impact scope for this vulnerability.
The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM on the Windows machine where the VPN Client is installed.

Affected

This issue affects the Mobile VPN with SSL Client from 11.0 up to and including 12.11.2.

Resolution

Resolved in the Mobile VPN with SSL Client version 12.11.3.

Credits

AKASEC

Advisory Product List

Product Family	Product Branch	Product List
Other Software	SSL VPN	SSL VPN

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Access Portal Configuration

WatchGuard — Fri, 16 May 2025 19:50:13 +0000

WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Access Portal Configuration

Advisory ID

WGSA-2025-00007

WatchGuard Fri, 05/16/2025 - 12:50

CVE

CVE-2025-4805

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-05-16

Updated Date

2025-11-07

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the Access Portal configuration. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.11.1.

Resolution

Resolved in Fireware OS 12.11.2.

Credits

Simone Paganessi (https://www.linkedin.com/in/simonepaganessi)

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV