Critical WatchGuard Firebox Flaws Let Attackers Bypass Integrity Checks and Inject Malicious Code

WatchGuard has disclosed a critical batch of vulnerabilities affecting its widely-deployed Firebox firewall appliances, potentially exposing thousands of organizations to unauthorized access, data theft, and system compromise.

The vulnerabilities range from boot-time integrity-check bypasses to authenticated code-execution flaws, with severity levels ranging from Medium to High according to CVSS ratings.

All advisories were published on December 4, 2025, signaling an urgent need for enterprise security teams to prioritize updates.

Sponsored

class="wp-block-heading" id="h-the-boot-time-integrity-bypass-a-critical-oversight">The Boot-Time Integrity Bypass: A Critical Oversight

The most concerning vulnerability from a defensive perspective is WGSA-2025-00026 (CVE-2025-13940), which allows attackers to bypass Fireware OS boot-time system integrity checks with a CVSS score of 6.7.

This Expected Behavior Violation flaw enables adversaries to prevent the Firebox from shutting down in the event of a system integrity check failure, potentially allowing malicious code to persist on the device undetected.

While the on-demand system integrity check feature still functions correctly in the Web UI, the boot-time bypass represents a critical gap in the device’s defense mechanisms.

Affected versions include Fireware OS 12.8.1 through 12.11.4 and 2025.1 through 2025.1.2.

More immediately exploitable is WGSA-2025-00025 (CVE-2025-1545), an XPath Injection vulnerability with a High impact rating and a CVSS score of 8.2.

This flaw allows unauthenticated remote attackers to extract sensitive configuration information from Firebox devices with authentication hotspots configured.

The vulnerability affects multiple Fireware OS versions dating back to 11.11, indicating a long window of exposure.

Several High-severity out-of-bounds write vulnerabilities (WGSA-2025-00020, WGSA-2025-00019, and WGSA-2025-00017) allow authenticated privileged users to execute arbitrary code through specially crafted CLI commands.

With CVSS scores ranging from 8.6 to 8.7, these flaws could enable lateral movement and system takeover for an attacker with administrative credentials.

Additionally, WGSA-2025-00018 (CVE-2025-11838) enables unauthenticated denial-of-service attacks against Mobile User VPN and Branch Office VPN deployments using IKEv2, with a CVSS score of 8.7.

Four Medium-severity stored cross-site scripting (XSS) vulnerabilities (WGSA-2025-00024, WGSA-2025-00023, WGSA-2025-00022, WGSA-2025-00021) affect the Gateway Wireless Controller and third-party technology integrations, including Autotask, ConnectWise, and Tigerpaw.

While individually less severe, these XSS flaws could enable session hijacking and credential theft when combined with sophisticated social engineering.

WatchGuard has released patches for all affected versions. Organizations running Fireware OS 2025.1 should upgrade to version 2025.1.3 immediately.

Those on version 12.x should upgrade to 12.11.5, while T15 and T35 model users on version 12.5.x should update to 12.5.14.

Older Fireware OS 11.x versions have reached end of life and require a complete platform migration.

The discovery of these 10 vulnerabilities in WatchGuard Firebox appliances underscores the importance of regular security updates and patch management in enterprise firewall infrastructure.

Given the widespread deployment of Firebox devices as perimeter security solutions, organizations should treat these patches as critical and implement them in accordance with their established change management protocols to minimize exposure windows.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates

The post Critical WatchGuard Firebox Flaws Let Attackers Bypass Integrity Checks and Inject Malicious Code appeared first on Cyber Security News.