WatchGuard Fireware OS Vulnerable to IKEv2 Denial-of-Service Attack
A null pointer dereference vulnerability in WatchGuard Fireware OS's IKEv2 implementation allows unauthenticated remote attackers to cause a denial-of-service condition.

A critical vulnerability has been identified in WatchGuard's Fireware OS, specifically within its Internet Key Exchange version 2 (IKEv2) implementation. This flaw, tracked as CVE-2026-13084, allows unauthenticated remote attackers to trigger a denial-of-service (DoS) condition, potentially disrupting network connectivity for affected organizations.
The vulnerability stems from an improper handling of IKEv2 IKE_AUTH messages. The core issue lies in a null pointer dereference, a common programming error where a program attempts to access memory through a pointer that does not point to a valid object. In this context, an attacker can craft specific network packets to exploit this dereference, leading to the crash of the affected service or system.
Exploitation of this vulnerability does not require any form of authentication, making it accessible to a broad range of potential attackers. However, the vulnerability is limited to systems that are configured to use VPN services with the IKEv2 protocol. This means that while the attack vector is broad, its applicability is confined to specific network configurations.
The Common Vulnerability Scoring System (CVSS) has assigned this vulnerability a score of 5.9, categorizing it as medium severity. While not reaching the critical threshold, a successful DoS attack can still have significant operational and financial impacts, particularly for businesses relying heavily on secure VPN connections for remote access or site-to-site communication.
WatchGuard has acknowledged the vulnerability and has released a security update to address the issue. The company has provided a dedicated advisory, WGSA-2026-00024, detailing the affected versions and the steps required for remediation. Users are strongly advised to apply the available patches as soon as possible to mitigate the risk of exploitation.
The vulnerability was initially reported to WatchGuard by Nicholas Zubrisky of TrendAI Research on March 25, 2026. The Zero Day Initiative (ZDI) coordinated the public release of the advisory on July 15, 2026, following the vendor's successful patching of the flaw. This timeline reflects a standard responsible disclosure process, allowing vendors adequate time to develop and distribute fixes.
Organizations utilizing WatchGuard Fireware OS for their VPN infrastructure should prioritize updating their systems. The ease of exploitation and the potential for service disruption make this a significant concern for network security. Proactive patching remains the most effective defense against such vulnerabilities.