Overview
WatchGuard Firebox and XTM appliances running Fireware OS contain a critical vulnerability, tracked as CVE-2022-26318 (WatchGuard issue ID FBX-22786), that allows an unauthenticated remote attacker to execute arbitrary code on the appliance. The flaw was publicly disclosed on March 4, 2022, and has been exploited in the wild; it sits on the network perimeter, so a successful attack hands over the device that is supposed to enforce the boundary. CISA lists CVE-2022-26318 in its Known Exploited Vulnerabilities catalog; its use in ransomware campaigns is recorded as unknown.
Technical details
The vulnerability is reachable without credentials through the appliance's management interface. An attacker who can send specially crafted requests to an exposed management service can execute arbitrary commands on the appliance, without any prior authentication step. The root cause described for the flaw is insufficient validation and sanitisation of attacker-supplied input in the management protocol handling, which allows the injected data to be interpreted as commands.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-20 (Improper Input Validation).
It carries a CVSS v3.1 base score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
Impact
Successful exploitation gives complete control of the affected appliance. Commands run with the privileges of the management service, which on a firewall is enough to read and rewrite the firewall configuration, redirect or inspect traffic passing through the device, install persistent backdoors, pivot into the networks behind the firewall, cause denial of service, and exfiltrate sensitive data. Because these are perimeter devices, the compromise is effectively a compromise of the organisation's network gateway, and a compromised gateway can also be used to hide the attacker's subsequent traffic from the very logging and filtering it was meant to provide.
Mitigation and workarounds
WatchGuard released fixes for each supported Fireware OS branch. The CVE record states that the vulnerability is resolved in Fireware OS 12.7.2_U2 (12.7 branch), 12.5.9_U2 (12.5 branch) and 12.1.3_U8 (12.1 branch); later releases on those branches, and releases published after them, inherit the fix. Appliances on branches that WatchGuard no longer supports receive no fix of their own and should be upgraded to a supported branch at or above one of the releases listed. Because this is an unauthenticated remote code execution flaw that has been exploited in the wild, patching should be treated as urgent, and an appliance that has had its management interface reachable from untrusted networks should be checked for signs of compromise rather than simply patched.
As temporary workarounds until an appliance can be updated: restrict the management policies ("WatchGuard", which by default allows TCP 4105, 4117 and 4118 for WatchGuard System Manager, and "WatchGuard Web UI", which by default allows TCP 8080) to trusted management hosts or networks only; remove management access from the External interface entirely if it is not required; place the appliance behind an additional upstream filter that drops management-port traffic from untrusted sources; and segment the network so that the appliance's management addresses are not reachable from user or guest segments. None of these removes the vulnerability, they only shrink the set of sources that can reach it.
CISA's recommended action: apply updates per vendor instructions.
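The two operational questions that follow from the patch guidance and the workarounds above are "which of my appliances are still on a vulnerable release?" and "which of them expose a management port to a network I do not trust?". The following script, an added example rather than code from the page or from WatchGuard, answers both for an inventory of appliances. The fixed release numbers are the three named in the CVE record; treating 12.8 and later as fixed is an assumption (they postdate the March 2022 fix). The inventory is constructed sample data, the management port list is the default port set mentioned above, and the reachability helper needs network access to the hosts being checked.

```python
import re
import socket
from typing import Dict, Iterable, List, Tuple

# Fixed releases named in the CVE-2022-26318 record (FBX-22786), keyed by branch.
FIXED_BY_BRANCH = {
    (12, 1): (12, 1, 3, 8),  # 12.1.3_U8
    (12, 5): (12, 5, 9, 2),  # 12.5.9_U2
    (12, 7): (12, 7, 2, 2),  # 12.7.2_U2
}
# Assumption: every release from 12.8 onward was published after the fix and contains it.
FIRST_FIXED_LINE = (12, 8)

# Default management ports: TCP 8080 for the Web UI, TCP 4105/4117/4118 for WSM.
MANAGEMENT_PORTS = (8080, 4105, 4117, 4118)

# Fireware versions look like "12.7.2" or "12.7.2_U2"; the "_U<n>" suffix is an update
# release on top of the base version, so it has to take part in the comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_U(\d+))?$")


def parse_fireware_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Fireware version string into a comparable (major, minor, patch, update) tuple.

    Anything after the first whitespace (e.g. a trailing build number) is ignored.
    A missing update suffix is treated as update 0, so 12.7.2 < 12.7.2_U1 < 12.7.2_U2.
    """
    token = text.strip().split()[0] if text.strip() else ""
    match = VERSION_RE.match(token)
    if not match:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = match.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def assess(version_text: str) -> str:
    """Classify one version as 'fixed', 'vulnerable' or 'no-fix-on-branch'."""
    version = parse_fireware_version(version_text)
    branch = version[:2]
    if branch >= FIRST_FIXED_LINE:
        return "fixed"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branch without a fixed release (e.g. 12.6.x, 11.x): must move to a supported branch.
        return "no-fix-on-branch"
    return "fixed" if version >= fixed else "vulnerable"


# Constructed sample inventory (hostname, reported Fireware version); not real devices.
INVENTORY = [
    ("fw-hq-01", "12.7.2_U1"),
    ("fw-hq-02", "12.7.2_U2"),
    ("fw-branch-03", "12.5.9"),
    ("fw-branch-04", "12.1.3_U8"),
    ("fw-lab-05", "12.6.4"),
    ("fw-lab-06", "12.8.1"),
    ("fw-lab-07", "unknown"),
]


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each hostname to its status; unparsable versions become 'unknown-version'."""
    result = {}
    for host, version_text in inventory:
        try:
            result[host] = assess(version_text)
        except ValueError:
            result[host] = "unknown-version"
    return result


def needs_action(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Hostnames that are not confirmed fixed, sorted for a work list."""
    return sorted(host for host, status in triage(inventory).items() if status != "fixed")


def reachable_management_ports(host: str, ports=MANAGEMENT_PORTS, timeout: float = 3.0) -> List[int]:
    """Return the management ports that accept a TCP connection from this vantage point.

    Run it from a segment that should NOT be able to manage the firewall (guest Wi-Fi, the
    Internet side); any port it returns is exposure to remove with the workarounds above.
    """
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass  # refused, filtered or timed out: not reachable from here
    return open_ports


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:14s} {status}")
    print("work list:", needs_action(INVENTORY))
```

The version tuple comparison is the part worth copying: an appliance on 12.7.2 with no update suffix is still vulnerable even though its base version matches the fixed release, and a plain string comparison would get 12.5.9_U10 versus 12.5.9_U2 wrong. Anything that comes back as "no-fix-on-branch" or "unknown-version" belongs on the work list next to the confirmed vulnerable devices, since you cannot show it is safe.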
Additional resources
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-26318
CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Source: This report was generated using AI

