Firebox Management Privilege Escallation Vulnerability

Advisory ID

WGSA-2021-00004

CVE

CVE-2022-23176

Impact

High

Status

Resolved

Product Family

Firebox

Published Date

2021-12-30

Updated Date

2025-12-05

Workaround Available

True

CVSS Score

8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Updated September 5 2025: Updated to clarify Fireware OS 12.3.1 Update 2 (FIPS-certified release) resolves this issue
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access.
WatchGuard believes the sophisticated threat actor Sandworm is exploiting this vulnerability in the wild. Please see our Cyclops Blink FAQ for additional information.

Affected

This vulnerability affects Fireware OS 12.0 up to and including 12.7.2 (B647073)

Resolution

Vulnerable Version	Resolved Version
12.x	12.7.2_Update1 (B652363 & B652282)
12.5.x (T15 & T35 models)	12.5.7_Update3 (B640389)
12.3.1 (FIPS-certified release)	12.3.1_Update2 (B675192)
12.1.x (XTM 800, 1500, 2500 and XTMv models)	12.1.3_Update3 (B608021)

Workaround

This vulnerability requires network access to management (WSM or the WebUI) on affected devices. Firebox and XTM administrators should follow recommended best practices and restrict management access to trusted networks only.

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV
Firebox	Fireware OS 12.5.x	T15, T35

Liste consultative

Go to