WatchGuard disclosed multiple high-severity vulnerabilities in Firebox appliances on December 4, 2025, including flaws that let privileged attackers execute arbitrary code and bypass boot-time integrity checks.
These issues affect Fireware OS versions up to 12.11.4 and 2025.1.2, potentially compromising network security gateways used by enterprises.
Attackers with privileged access exploit out-of-bounds write flaws in the management CLI to inject malicious code.
For instance, crafted “ping” commands trigger memory corruption beyond allocated bounds, enabling arbitrary code execution.
Similar vulnerabilities in IPSec configuration and certificate request commands allow overwriting critical memory regions, leading to complete control over the device process.
Combined with CVE-2025-13940, a medium-severity bypass of boot-time system integrity checks, tampered firmware persists without triggering a shutdown. However, on-demand web UI checks detect failures.
Key Vulnerabilities
| Advisory ID | CVE ID | CVSS Score | Impact | Description [web id] |
|---|---|---|---|---|
| WGSA-2025-00026 | CVE-2025-13940 | 6.7 | Medium | Boot-time integrity check bypass via expected behavior violation |
| WGSA-2025-00020 | CVE-2025-12196 | 8.6 | High | Authenticated OOB write in CLI ping command for arbitrary code execution |
| WGSA-2025-00019 | CVE-2025-12195 | 8.6 | High | Authenticated OOB write in CLI IPSec configuration for arbitrary code execution |
| WGSA-2025-00017 | CVE-2025-12026 | 8.6 | High | Authenticated OOB write in certd CLI for arbitrary code execution |
| WGSA-2025-00025 | CVE-2025-1545 | 8.2 | High | Unauthenticated XPath injection in web CGI exposing config data |
These flaws require privileged credentials for most exploits, but initial access via phishing or prior compromises amplifies risk.
The OOB writes stem from insufficient bounds checking in CLI parsers, allowing oversized inputs to corrupt adjacent heap or stack memory.
CVSS vectors highlight network accessibility and the high privileges required, scoring up to 8.7 for availability impacts in the related IKEv2 memory corruption.
Mitigation Steps
Administrators must update to the resolved versions: Fireware 12.11.5, 12.5.14 (T-series), or 2025.1.3 immediately.
Disable CLI access if unused, enforce least privilege, and monitor for anomalous commands.
No workarounds exist; end-of-life 11.x versions remain vulnerable WatchGuard credits Cody Sixteen and btaol for their disclosures.
Organizations using Firebox for VPN or gateway protection face elevated risks from persistent code injection undetected by boot checks.
Prompt patching prevents supply chain-like compromises in firewalls.
