SB2026070353 - Multiple vulnerabilities in Fireware OS
Published: July 3, 2026
Breakdown by Severity (chart; categories: Low, Medium, High, Critical)
Description
This security bulletin contains information about 17 vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-8247)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to an out-of-bounds write in the admd component when handling requests received from an adjacent network. An attacker on the adjacent network can send a specially crafted request to execute arbitrary code.
2) Improper privilege management (CVE-ID: CVE-2026-13079)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in the WatchGuard Mobile VPN with SSL client for Windows. A local user on a machine where the client is installed can exploit the client to escalate privileges.
Successful exploitation can result in privileges being elevated to NT AUTHORITY\SYSTEM.
3) Path traversal (CVE-ID: CVE-2026-13054)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to write arbitrary files.
The vulnerability exists due to path traversal in the Management Web UI when handling crafted file path input. A remote privileged user can send a specially crafted request to write arbitrary files.
4) Out-of-bounds write (CVE-ID: CVE-2026-13050)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds write in the networkd process when handling specially crafted requests to the Management Web UI. A remote privileged user can send such requests to execute arbitrary code.
5) Out-of-bounds write (CVE-ID: CVE-2026-13053)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds write in the management CLI command handler when processing a specially crafted CLI command. A remote privileged user can send such a command to execute arbitrary code.
6) Cross-site scripting (CVE-ID: CVE-2026-13377)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary script code into generated web pages.
The vulnerability exists due to cross-site scripting in the SIP Proxy module when generating web pages from stored configuration input. A remote privileged user can submit a specially crafted payload that is rendered as arbitrary script code in generated web pages.
This issue is described as an additional unmitigated attack path for CVE-2025-6947.
7) Cross-site scripting (CVE-ID: CVE-2026-13376)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform stored cross-site scripting.
The vulnerability exists due to cross-site scripting in the spamBlocker module when generating web pages from stored input. A remote privileged user can submit a specially crafted payload to perform stored cross-site scripting.
User interaction is required to trigger the malicious content.
8) Cross-site scripting (CVE-ID: CVE-2026-13375)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary script code.
The vulnerability exists due to cross-site scripting in the Autotask Technology Integration module when generating web pages from stored input. A remote privileged user can submit specially crafted input to inject arbitrary script code.
User interaction is required to trigger the stored payload.
9) Cross-site scripting (CVE-ID: CVE-2026-13374)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform stored cross-site scripting.
The vulnerability exists due to cross-site scripting in the ConnectWise Technology Integration module when generating web pages from user-supplied input. A remote privileged user can submit a crafted payload to perform stored cross-site scripting.
This issue is described as an additional unmitigated attack path for CVE-2025-13937.
10) Cross-site scripting (CVE-ID: CVE-2026-13373)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary script code.
The vulnerability exists due to cross-site scripting in the Tigerpaw Technology Integration module when generating web pages from stored input. A remote privileged user can submit specially crafted input to inject arbitrary script code.
User interaction is required to trigger the stored payload.
11) Deserialization of Untrusted Data (CVE-ID: CVE-2026-13371)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to unsafe deserialization in the put_data endpoint when handling user-supplied input. A remote privileged user can send malformed or specially crafted data to cause a denial of service.
12) Out-of-bounds write (CVE-ID: CVE-2026-13383)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds write in the ikestubd process when handling specially crafted requests to the Management Web UI. A remote privileged user can send such requests to execute arbitrary code.
13) Out-of-bounds write (CVE-ID: CVE-2026-13384)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds write in the wgagent process when handling specially crafted requests to the Management Web UI. A remote privileged user can send such requests to execute arbitrary code.
14) Improper validation of integrity check value (CVE-ID: CVE-2026-13722)
CWE-ID: CWE-354 - Improper Validation of Integrity Check Value
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to install a tampered firmware image.
The vulnerability exists due to an improper integrity check in the backup/restore feature when processing a backup image. A remote privileged user can submit a tampered backup image to install a tampered firmware image.
15) Use-after-free (CVE-ID: CVE-2026-13368)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free in LDAP authentication for Mobile User VPN with IKEv2 when handling authentication requests. A remote attacker can send crafted authentication traffic to execute arbitrary code.
Only Fireboxes configured to use an external LDAP authentication server for Mobile VPN with IKEv2 are vulnerable.
16) NULL pointer dereference (CVE-ID: CVE-2026-13084)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the iked service when handling specially crafted IKEv2 messages. A remote attacker can send such messages to cause a denial of service.
The issue affects Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.
17) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2026-13728)
CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to the use of a hard-coded fallback encryption key in the Access Portal resource credential database when encrypting saved credentials for Access Portal resources. A remote privileged user can access credentials encrypted with that fallback key to disclose sensitive information.
Only FireCluster deployments are affected; devices that do not support the Access Portal feature, and standalone Fireboxes not deployed in a FireCluster, are not vulnerable.
Remediation
Install the update from the vendor's website.
References
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00026
- https://www.watchguard.com/wgrd-psirt/advisories
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00027
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00028
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00029
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00030
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00019
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00018
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00017
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00016
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00015
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00014
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00020
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00021
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00022
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00023
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00024
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00025