VYPR
patch · Published Jul 3, 2026 · 1 source

Multiple WatchGuard Fireware OS Vulnerabilities Enable Arbitrary Code Execution on Firebox Appliances

Three high-severity vulnerabilities in WatchGuard Fireware OS let an authenticated administrator achieve arbitrary code execution or arbitrary file writes on Firebox appliances through the management CLI and Web UI.

WatchGuard has disclosed three high-severity vulnerabilities affecting Firebox firewall appliances running Fireware OS. The flaws, tracked as CVE-2026-13053, CVE-2026-13050 and CVE-2026-13054, each carry a CVSS v4.0 score of 8.6 and allow an authenticated administrator to execute arbitrary code or write arbitrary files on an affected device. All three require administrator credentials and are exploitable through the device's management interfaces: the Command Line Interface (CLI) and the Web UI.

CVE-2026-13053 (WatchGuard advisory WGSA-2026-00030) is an out-of-bounds write in the Fireware OS CLI command handler. A privileged, authenticated user can trigger it with a specially crafted CLI command and achieve arbitrary code execution, turning access that the management CLI is meant to constrain into code execution on the appliance itself.

CVE-2026-13050 (WGSA-2026-00029) is likewise an out-of-bounds write, this one in the 'networkd' process, and is triggered by crafted requests sent to the management Web UI. A privileged administrator who exploits it can execute arbitrary code on the Firebox, compromising the integrity of the appliance and of the security functions it enforces.

The third vulnerability, CVE-2026-13054 (WGSA-2026-00028), is a path traversal flaw in the management Web UI that lets a logged-in administrator write arbitrary files to any location on the Firebox filesystem. On its own this is a file write rather than code execution, but overwriting critical system files such as startup scripts or configuration files, or chaining the write with another flaw, can yield persistent compromise or arbitrary code execution.
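The bug class behind CVE-2026-13054 is worth seeing beside its fix. The following is an added example, not WatchGuard code and not a reconstruction of the Firebox handler: a generic file-upload handler that trusts the client-supplied name, next to a hardened version that canonicalises the path and refuses anything that lands outside the upload directory. The upload-root layout, the handler names and the file names are assumptions made for the demonstration.

```python
import os
import tempfile

# Generic illustration of an arbitrary file write via path traversal in a
# management Web UI. Added example, not WatchGuard code: the upload-root
# layout, handler names and file names are assumptions for the demonstration.


def unsafe_save(upload_root: str, client_name: str, data: bytes) -> str:
    """Vulnerable handler: joins the client-supplied name onto the upload
    directory without checking where the result actually lands. A name such
    as '../../etc/rc.local' escapes the directory, and an absolute name makes
    os.path.join discard the root entirely."""
    dest = os.path.join(upload_root, client_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def resolve_under_root(upload_root: str, client_name: str) -> str:
    """Hardened resolution: canonicalise both the root and the candidate
    (collapsing '..' and resolving symlinks), then refuse any result that is
    not inside the root. Raises ValueError on an escape attempt."""
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, client_name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes upload root: {client_name!r}")
    return dest


def safe_save(upload_root: str, client_name: str, data: bytes) -> str:
    """Same handler with the containment check applied before any write."""
    dest = resolve_under_root(upload_root, client_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both handlers against a traversal name inside a throwaway directory
    and report whether the write escaped, was refused, or was accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.makedirs(root)
        real_root = os.path.realpath(root)
        evil = os.path.join("..", "startup.sh")   # escapes 'uploads' into tmp

        # Vulnerable handler: the file lands one level above the upload root.
        written = unsafe_save(root, evil, b"#!/bin/sh\necho backdoor\n")
        escaped = os.path.commonpath(
            [real_root, os.path.realpath(written)]) != real_root

        # Hardened handler: the same name is rejected before anything is written.
        try:
            safe_save(root, evil, b"ignored")
            rejected = False
        except ValueError:
            rejected = True

        # A benign nested name is still accepted by the hardened handler.
        ok = safe_save(root, os.path.join("certs", "server.pem"), b"-----BEGIN-----")
        benign_inside = os.path.dirname(os.path.dirname(ok)) == real_root

    return {"unsafe_escaped_root": escaped,
            "safe_rejected_escape": rejected,
            "safe_accepted_benign": benign_inside}


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths rather than looking for `..` in the string, so encoded or symlink-based variants of the same escape are caught as well; the comparison happens before `makedirs` or `open`, so a rejected request leaves nothing behind on disk.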

WatchGuard confirms that the vulnerabilities affect a broad range of Fireware OS versions: 11.0 through 11.12.4_Update1, 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2. The legacy 11.x releases are end-of-life and will not be patched, so devices on that branch must be upgraded to a supported one. For small-form models such as the T15 and T35, the 12.5.x line has no fixed release, which leaves migration off those platforms as the only remediation.

Because all three are post-authentication flaws, an attacker must first hold administrator credentials, whether stolen, supplied by an insider, or reused after compromising a management workstation. With that access, the flaws let an attacker install backdoors, modify firewall rules, exfiltrate sensitive data such as VPN secrets, or establish persistent access on the appliance.

WatchGuard has addressed the issues in Fireware OS 2026.2.1 and 12.12.1. Customers on the 2025.1 through 2026.2 releases should upgrade to 2026.2.1, and those on 12.x to at least 12.12.1. Users of the end-of-life 11.x branch must migrate to a supported one. WatchGuard provides no workarounds, so patching is the only complete remediation.
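The affected ranges and fix targets above can be turned into a triage check for an appliance inventory. The following is an added example, not a WatchGuard tool: it encodes the ranges and fixed releases stated in this summary, identifies the 12.5.x branch by the T15 and T35 model names (an assumption about how an inventory records models), and the inventory rows and function names are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Triage helper built from the affected ranges and fixed releases stated in
# the advisory summary. Added example, not a WatchGuard tool: the inventory,
# the model names used to spot the 12.5.x branch and the function names are
# assumptions for the demonstration.

Version = Tuple[int, int, int, int]

FIX_12 = (12, 12, 1, 0)              # Fireware OS 12.12.1
FIX_2026 = (2026, 2, 1, 0)           # Fireware OS 2026.2.1
LEGACY_125_MODELS = {"T15", "T35"}   # small-form models left on 12.5.x

_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?")


def parse_version(text: str) -> Version:
    """'11.12.4_Update1' -> (11, 12, 4, 1); '2026.2' -> (2026, 2, 0, 0).
    Tuples compare numerically, so '12.9' < '12.12' holds as it should."""
    m = _VER.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def triage(model: str, version: str) -> Tuple[str, str]:
    """Return (status, action) for one appliance; status is 'affected',
    'fixed' or 'unknown'."""
    v = parse_version(version)
    major = v[0]
    if major == 11:
        # 11.0 through 11.12.4_Update1 is affected and the branch is end-of-life.
        return ("affected",
                "11.x is end-of-life and unpatched: migrate to 12.12.1 or 2026.2.1")
    if major == 12:
        if model.upper() in LEGACY_125_MODELS and v[:2] == (12, 5):
            return ("affected",
                    "12.5.x has no fixed release for this model: migrate off the platform")
        if v < FIX_12:
            return ("affected", "upgrade to Fireware OS 12.12.1")
        return ("fixed", "no action")
    if major >= 2025:
        if v < FIX_2026:
            return ("affected", "upgrade to Fireware OS 2026.2.1")
        return ("fixed", "no action")
    return ("unknown", "version outside the documented ranges: check the advisory")


def triage_inventory(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """rows are (hostname, model, version); returns one row per device that
    still needs action, as (hostname, version, status, action)."""
    needs_action = []
    for host, model, version in rows:
        status, action = triage(model, version)
        if status != "fixed":
            needs_action.append((host, version, status, action))
    return needs_action


# Constructed inventory for the demonstration, not real devices.
INVENTORY = [
    ("fw-hq-1", "M370", "12.10.4"),
    ("fw-hq-2", "M370", "12.12.1"),
    ("fw-branch-7", "T35", "12.5.18"),
    ("fw-lab", "T70", "11.12.4_Update1"),
    ("fw-dc-1", "M290", "2026.2"),
    ("fw-dc-2", "M290", "2026.2.1"),
]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(*row, sep="\t")
```

Versions are compared as tuples rather than as strings so that 12.12 sorts after 12.9, and a 12.12.0 device is correctly reported as affected because the fix is 12.12.1.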

Until patching is complete, organizations should apply compensating controls: restrict access to the Firebox management CLI and Web UI to trusted administrative networks and hosts, require multi-factor authentication for every administrative account, and monitor administrative activity for unusual CLI commands or Web UI operations. These measures do not remove the flaws, but they raise the cost of obtaining the required credentials and improve the chances of detecting an exploitation attempt.

Synthesized by Vypr AI