CVE: Multiple | CVSS: 8.8–9.1 (High–Critical) | Vendor: WatchGuard | Product: Firebox (Fireware OS)
What Is the Vulnerability
Multiple high-to-critical-severity remote code execution vulnerabilities have been disclosed in WatchGuard Fireware OS, the operating system that powers WatchGuard Firebox firewall appliances. These flaws allow authenticated attackers to execute arbitrary code on affected devices, leading to complete device takeover.
Firebox appliances serve as the primary security boundary for many small-to-medium businesses and mid-market enterprises. They control network traffic, terminate VPN tunnels, enforce security policies, and provide deep packet inspection. Full compromise of a Firebox device means an attacker can intercept and manipulate all network traffic, pivot into internal networks via VPN tunnels, disable security controls, and use the appliance as a persistent foothold inside the network perimeter.
Versions Affected
- Fireware OS 12.10.x before 12.10.5
- Fireware OS 12.9.x before 12.9.5
- Fireware OS 12.8.x and earlier (EOL branches may be affected; contact WatchGuard)
Exploited?
No known active exploitation at the time of writing. However, given that these are authenticated RCE vulnerabilities on widely deployed enterprise firewall appliances, the window between disclosure and active exploitation is typically narrow. Firewall vulnerabilities are highly prized by both financially motivated threat actors and nation-state groups, as they provide direct access to protected network environments.
Fix
WatchGuard has released patches in the following versions:
- Upgrade to Fireware OS 12.10.5 or later
- Upgrade to Fireware OS 12.9.5 or later
- For EOL versions, migrate to a supported release branch and apply the latest patch
Firmware updates are available through the WatchGuard support portal and can be applied via the Fireware Web UI or WatchGuard System Manager.
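An added triage helper (not WatchGuard's code and not part of the original advisory) that applies the affected and fixed version ranges above to a device inventory. It compares versions numerically, so 12.10.x correctly sorts after 12.9.x. The hostnames, status labels and sample inventory are constructed for illustration, and how each device's version string is collected is assumed to happen elsewhere.

```python
import re

# Fixed releases per branch, taken from the advisory text above.
FIXED = {(12, 10): (12, 10, 5), (12, 9): (12, 9, 5)}
# Branches at or below this are listed as EOL / possibly affected.
EOL_MAX_BRANCH = (12, 8)


def parse_version(text):
    """Return (major, minor, patch) from a string such as '12.10.4'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(version_text):
    """Map a Fireware OS version to a triage status (labels are hypothetical)."""
    ver = parse_version(version_text)
    branch = ver[:2]
    if branch in FIXED:
        return "patched" if ver >= FIXED[branch] else "affected"
    if branch <= EOL_MAX_BRANCH:
        return "eol-review"   # may be affected; migrate to a supported branch
    return "not-listed"       # branch is not covered by the advisory text


def triage(inventory):
    """Order devices: affected first, internet-facing before internal."""
    order = {"affected": 0, "eol-review": 1, "not-listed": 2, "patched": 3}
    rows = [(name, ver, classify(ver), exposed) for name, ver, exposed in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], not r[3], r[0]))


# Constructed sample inventory: (hostname, reported version, internet-facing?)
SAMPLE = [
    ("fb-branch-02", "12.10.5", True),
    ("fb-hq-01", "12.10.4", True),
    ("fb-lab-01", "12.9.4", False),
    ("fb-old-01", "12.5.9", True),
    ("fb-dc-01", "12.9.5", False),
]

if __name__ == "__main__":
    for name, ver, status, exposed in triage(SAMPLE):
        print(f"{name:14} {ver:10} {status:11} internet-facing={exposed}")
```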
Recommendations
- Apply WatchGuard updates immediately. Prioritise internet-facing Firebox appliances first, then internal deployments.
- Audit firewall configurations for any unauthorised changes, unexpected administrative accounts, or anomalous firewall rules that may indicate prior compromise.
- Restrict management access to trusted IP addresses only. Do not expose the Firebox management interface to the internet if it is not absolutely necessary.
- Enable multi-factor authentication for all Firebox administrative accounts to raise the bar for authenticated exploitation.
- Monitor for the addition of these vulnerabilities to the CISA KEV catalogue and for any changes in exploitation activity, which would indicate that they are being actively targeted.
Part of the Vulnerability Intelligence series. See the July 3, 2026 VIR.
