SB2026070353 - Multiple vulnerabilities in Fireware OS




Published: July 3, 2026

Security Bulletin ID SB2026070353
CSH Severity High
Patch available YES
Number of vulnerabilities 17
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 12%, Medium 6%, Low 82%

Description

This security bulletin contains information about 17 vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2026-8247)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write in the admd component when handling requests from an adjacent network. A remote attacker can send a specially crafted request to execute arbitrary code.


2) Improper privilege management (CVE-ID: CVE-2026-13079)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management in the WatchGuard Mobile VPN with SSL client for Windows when the client is installed on a Windows machine. A local user can exploit the client to escalate privileges.

Successful exploitation can result in privileges being elevated to NT AUTHORITY\SYSTEM.


3) Path traversal (CVE-ID: CVE-2026-13054)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to write arbitrary files.

The vulnerability exists due to path traversal in the Management Web UI when handling crafted file path input. A remote privileged user can send a specially crafted request to write arbitrary files.


4) Out-of-bounds write (CVE-ID: CVE-2026-13050)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write in the networkd process when handling specially crafted requests to the Management Web UI. A remote privileged user can send specially crafted requests to execute arbitrary code.


5) Out-of-bounds write (CVE-ID: CVE-2026-13053)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write in the management CLI command handler when processing a specially crafted CLI command. A remote privileged user can send a specially crafted CLI command to execute arbitrary code.


6) Cross-site scripting (CVE-ID: CVE-2026-13377)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary script code into generated web pages.

The vulnerability exists due to cross-site scripting in the SIP Proxy module when generating web pages from stored configuration input. A remote privileged user can submit a specially crafted payload to inject arbitrary script code into generated web pages.

This issue is described as an additional unmitigated attack path for CVE-2025-6947.


7) Cross-site scripting (CVE-ID: CVE-2026-13376)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform stored cross-site scripting.

The vulnerability exists due to cross-site scripting in the spamBlocker module when generating web pages with stored input. A remote privileged user can inject a specially crafted payload to perform stored cross-site scripting.

User interaction is required to trigger the malicious content.


8) Cross-site scripting (CVE-ID: CVE-2026-13375)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary script code.

The vulnerability exists due to cross-site scripting in the Autotask Technology Integration module when generating web pages with stored input. A remote privileged user can submit specially crafted input to inject arbitrary script code.

User interaction is required to trigger the stored payload.


9) Cross-site scripting (CVE-ID: CVE-2026-13374)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform stored cross-site scripting.

The vulnerability exists due to cross-site scripting in the ConnectWise Technology Integration module when generating web pages with user-supplied input. A remote privileged user can inject a crafted payload to perform stored cross-site scripting.

This issue is described as an additional unmitigated attack path for CVE-2025-13937.


10) Cross-site scripting (CVE-ID: CVE-2026-13373)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary script code.

The vulnerability exists due to cross-site scripting in the Tigerpaw Technology Integration module when generating web pages with stored input. A remote privileged user can submit specially crafted input to inject arbitrary script code.

User interaction is required to trigger the stored payload.


11) Deserialization of Untrusted Data (CVE-ID: CVE-2026-13371)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to unsafe deserialization in the put_data endpoint when handling attacker-supplied input. A remote privileged user can send malformed or crafted data to cause a denial of service.


12) Out-of-bounds write (CVE-ID: CVE-2026-13383)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write in the ikestubd process when handling specially crafted requests to the Management Web UI. A remote privileged user can send specially crafted requests to execute arbitrary code.


13) Out-of-bounds write (CVE-ID: CVE-2026-13384)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write in the wgagent process when handling specially crafted requests to the Management Web UI. A remote privileged user can send specially crafted requests to execute arbitrary code.


14) Improper validation of integrity check value (CVE-ID: CVE-2026-13722)

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to install a tampered firmware image.

The vulnerability exists due to an improper integrity check in the backup/restore feature when processing a backup image. A remote privileged user can submit a tampered backup image to install a tampered firmware image.


15) Use-after-free (CVE-ID: CVE-2026-13368)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a use-after-free in LDAP authentication for the Mobile User VPN with IKEv2 when handling authentication requests. A remote attacker can send crafted authentication traffic to execute arbitrary code.

Only Fireboxes configured to use an external LDAP authentication server for Mobile VPN with IKEv2 are vulnerable.


16) NULL pointer dereference (CVE-ID: CVE-2026-13084)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the iked service when handling specially crafted IKEv2 messages. A remote attacker can send specially crafted IKEv2 messages to cause a denial of service.

The issue affects Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.


17) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2026-13728)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to use of a hard-coded encryption key in the Access Portal resource credential database when encrypting saved credentials for Access Portal resources. A remote privileged user can access credentials encrypted with the fallback key to disclose sensitive information.

Only FireCluster deployments are affected. Devices that do not support the Access Portal feature and standalone Fireboxes not deployed in a FireCluster are not vulnerable.


Remediation

Install the update from the vendor's website.