SB20251208134 - Multiple vulnerabilities in WatchGuard Fireware OS

Published: December 8, 2025

Security Bulletin ID SB20251208134
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 20%, Low 80%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Stored cross-site scripting (CVE-ID: CVE-2025-13939)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.


2) Stored cross-site scripting (CVE-ID: CVE-2025-13938)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Autotask Technology Integration Configuration. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.



3) Stored cross-site scripting (CVE-ID: CVE-2025-13937)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in ConnectWise Technology Integration Configuration. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


4) Stored cross-site scripting (CVE-ID: CVE-2025-13936)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Tigerpaw Technology Integration Configuration. A remote user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


5) Out-of-bounds write (CVE-ID: CVE-2025-12196)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to a boundary error in Management CLI Ping Command. A remote user can trigger an out-of-bounds write and execute arbitrary code on the target system.


6) Out-of-bounds write (CVE-ID: CVE-2025-12195)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to a boundary error in Management CLI IPSec Configuration. A remote user can execute crafted IPSec configuration CLI commands to trigger an out-of-bounds write and execute arbitrary code on the target system.


7) Buffer overflow (CVE-ID: CVE-2025-11838)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2. A remote attacker can trigger memory corruption and perform a denial of service attack.


8) Out-of-bounds write (CVE-ID: CVE-2025-12026)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input passed via certd CLI. A remote privileged user can trigger an out-of-bounds write and execute arbitrary code on the target system.


9) XPath injection (CVE-ID: CVE-2025-1545)

CWE-ID: CWE-643 - Improper Neutralization of Data within XPath Expressions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation in Web CGI. A remote non-authenticated attacker can send a specially crafted HTTP request to an exposed authentication or management web interface and retrieve sensitive information from the Firebox configuration.


10) Expected behavior violation (CVE-ID: CVE-2025-13940)

CWE-ID: CWE-440 - Expected Behavior Violation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to violation of expected behavior. A local user can bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure.


Remediation

Install the update from the vendor's website.
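As an added triage aid (not part of the bulletin or of any WatchGuard tooling), the following parses the CVSSv4 vector strings printed above and sorts the entries by the two questions a defender asks first when the patch cannot be applied immediately: which issues are reachable over the network without credentials, and which give full control of the vulnerable system. The metric value tables cover only the CVSS v4.0 metrics that occur on this page; any other metric name is rejected.

```python
# CVSS v4.0 vector strings as printed in this bulletin for five of its ten entries.
BULLETIN_VECTORS = {
    "CVE-2025-13939": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear",
    "CVE-2025-12196": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2025-11838": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2025-1545": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2025-13940": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
}

# Allowed values for the eleven mandatory CVSS v4.0 base metrics, plus the two
# optional metrics that appear on this page (E = exploit maturity, U = urgency).
ALLOWED = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    **{m: {"H", "L", "N"} for m in ("VC", "VI", "VA", "SC", "SI", "SA")},
    "E": {"X", "A", "P", "U"}, "U": {"X", "Clear", "Green", "Amber", "Red"},
}
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

def parse_cvss4(vector: str) -> dict:
    """Split a CVSS:4.0 vector into {metric: value}, rejecting malformed input."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in metrics or value not in ALLOWED.get(name, set()):
            raise ValueError(f"bad or duplicate metric {part!r} in {vector!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    return metrics

def triage(vectors: dict) -> dict:
    """Bucket CVEs by the exposure questions a defender asks before the patch lands."""
    buckets = {"unauthenticated_remote": [], "full_system_compromise": []}
    for cve, vec in vectors.items():
        m = parse_cvss4(vec)
        # Network-reachable with no credentials and no victim interaction: an
        # exposed management or VPN interface cannot wait on these.
        if m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N":
            buckets["unauthenticated_remote"].append(cve)
        # High impact on confidentiality, integrity and availability of the
        # vulnerable system itself: the code-execution class entries.
        if m["VC"] == m["VI"] == m["VA"] == "H":
            buckets["full_system_compromise"].append(cve)
    return buckets
```

On the vectors above this flags CVE-2025-11838 and CVE-2025-1545 as unauthenticated and network-reachable, and CVE-2025-12196 as a full-compromise entry behind administrative privileges.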