WatchGuard security advisory (AV26-309)
Analysis Summary
# Vulnerability: WatchGuard Fireware OS Path Traversal and Arbitrary File Write
## CVE Details
- **CVE ID:** CVE-2026-00009 (Assigned via WGSA-2026-00009)
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal)
## Affected Systems
- **Products:** WatchGuard Firebox running Fireware OS
- **Versions:**
  - Fireware OS 2025: Versions 2025.1.0 through 2026.1.2
  - Fireware OS 12.x: Versions 12.6.1 through 12.11.8
- **Configurations:** Systems with the Fireware Web UI enabled and accessible (particularly if exposed to the WAN).
## Vulnerability Description
A path traversal vulnerability exists in the Fireware Web UI. An authenticated attacker with sufficient privileges can exploit this flaw by sending a specially crafted request to the web management interface. This allows the attacker to bypass directory restrictions and write arbitrary files to the underlying filesystem.
## Exploitation
- **Status:** Not exploited (No confirmed reports of active exploitation in the wild at the time of advisory release).
- **Complexity:** Low
- **Attack Vector:** Network (Typically requires access to the Web UI port, default 8080).
## Impact
- **Confidentiality:** High (Potential to read sensitive configuration files).
- **Integrity:** High (Arbitrary file write allows for modification of system files or configuration).
- **Availability:** High (System stability can be compromised by overwriting critical OS files).
## Remediation
### Patches
WatchGuard has released the following firmware updates to address this vulnerability:
- **Fireware OS 2025:** Update to version **2026.1.3** or higher.
- **Fireware OS 12.x:** Update to version **12.11.9** or higher.
### Workarounds
- **Restrict Management Access:** Ensure the Web UI is not accessible from the Internet (WAN). Limit access to trusted internal IP addresses or via VPN only.
- **Disable Web UI:** If management is performed via Command Line (CLI) or WatchGuard System Manager (WSM), disable the Web UI entirely.
## Detection
- **Indicators of compromise:** Audit logs showing unusual administrative sessions or file upload activities from unexpected IP addresses.
- **Detection methods and tools:** Monitor for directory traversal patterns (e.g., `../`, `..%2f`) in web server access logs targeting the Firebox management port.
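
The log check described above, as an added example (not WatchGuard's code or part of the advisory). It goes slightly beyond the two literal patterns by decoding double-encoded and backslash variants before matching. Assumptions: access logs are in common log format, `10.0.1.0/24` is the trusted management network, and the request paths are constructed placeholders rather than real Fireware endpoints.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: management traffic should only originate from this network.
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed sample lines in common log format; the paths are placeholders,
# not real Fireware endpoints.
SAMPLE_LOG = [
    '10.0.1.5 - admin [12/Mar/2026:10:01:02 +0000] "GET /example/dashboard HTTP/1.1" 200 5120',
    '10.0.1.5 - admin [12/Mar/2026:10:03:40 +0000] "GET /example/docs/v1..2/notes HTTP/1.1" 200 880',
    '203.0.113.7 - admin [12/Mar/2026:10:05:11 +0000] "POST /example/upload?name=../../tmp/x HTTP/1.1" 200 12',
    '203.0.113.7 - admin [12/Mar/2026:10:05:19 +0000] "POST /example/upload?name=..%2f..%2ftmp%2fx HTTP/1.1" 200 12',
    '10.0.1.9 - admin [12/Mar/2026:10:06:02 +0000] "POST /example/upload?name=%252e%252e%255ctmp HTTP/1.1" 403 0',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A ".." that forms a whole path segment after decoding (not "v1..2").
DOTDOT_RE = re.compile(r'(?:^|[/?=&;])\.\.(?:/|$)')

def normalize(target, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding) and unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def has_traversal(target):
    return bool(DOTDOT_RE.search(normalize(target)))

def scan(lines, trusted=TRUSTED_NETS):
    """Return (source_ip, status, raw_target, from_trusted_net) per flagged line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not has_traversal(m.group(3)):
            continue
        ip = ipaddress.ip_address(m.group(1))
        findings.append((str(ip), int(m.group(4)), m.group(3),
                         any(ip in net for net in trusted)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Flagged requests from outside the trusted network cover both indicators in this section at once: a traversal pattern and an unexpected source address.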
## References
- WatchGuard PSIRT Advisory: hxxps[://]www[.]watchguard[.]com/wgrd-psirt/advisory/wgsa-2026-00009
- Canadian Centre for Cyber Security Alert: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/watchguard-security-advisory-av26-309
- WatchGuard Security Advisories Index: hxxps[://]www[.]watchguard[.]com/wgrd-psirt/advisories