Firebox Unauthenticated Remote Code Execution Vulnerability
Advisory ID
WGSA-2022-00002
CVE
CVE-2022-26318
Impact
Critical
Status
Resolved
Product Family
Firebox
Published Date
Updated Date
Workaround Available
False
CVSS Score
9.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Updated September 5 2025: Updated to clarify Fireware OS 12.3.1 Update 2 (FIPS-certified release) resolves this issue
Null pointer dereference in WatchGuard Firebox and XTM appliances allows an unauthenticated remote attacker to potentially execute arbitrary code via exposed management access.
WatchGuard has evidence that adversaries are actively exploiting this vulnerability in the wild and urges all Firebox device administrators to update to the protected firmware release as quickly as possible. Additionally, Firebox device administrators should follow recommended best practices and restrict management access to trusted networks only.
Affected
This vulnerability affects Fireware OS 12.0 up to and including 12.7.2_Update1 (B652282 & B652363)
Resolution
| Vulnerable Version | Resolved Version |
|---|---|
| 12.x | 12.8 |
| 12.7.x | 12.7.2_Update2 (B655803) |
| 12.5.x (T15 & T35 models) | 12.5.9_Update2 (B655824 & B655924) |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update2 (B675192) |
| 12.1.x (XTM 800, 1500, 2500 and XTMv models) | 12.1.3_Update8 (B655817 & B658867) |
Credits
Internally discovered
Advisory Product List
| Product Family | Product Branch | Product List |
|---|---|---|
Firebox
|
Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |
Firebox
|
Fireware OS 12.5.x | T15, T35 |