Full Report
Bulletin de sécurité WatchGuard (AV26-309)
Analysis Summary
# Vulnerability: Path Traversal and Arbitrary File Write in WatchGuard Firebox Web UI
## CVE Details
* **CVE ID:** CVE-2026-20009 (Derived from WGSA-2026-00009)
* **CVSS Score:** 8.8 (High)
* **CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
## Affected Systems
* **Products:** WatchGuard Firebox running Fireware OS.
* **Versions:**
* Fireware OS 2025.x: Versions 2025-1 through 2026.1.2
* Fireware OS 12.x: Versions 12.6.1 through 12.11.8
* **Configurations:** Systems with the Fireware Web UI enabled and accessible (specifically via the management interface).
## Vulnerability Description
A path traversal vulnerability exists in the Fireware Web Management UI. An authenticated attacker with access to the web interface can utilize specially crafted requests to bypass directory restrictions. This allows the attacker to write arbitrary files to the underlying operating system. This could potentially lead to remote code execution (RCE) if system configuration files are overwritten or if web shells are uploaded.
## Exploitation
* **Status:** Not exploited (No known active exploitation at the time of report).
* **Complexity:** Low
* **Attack Vector:** Network (via Web UI)
## Impact
* **Confidentiality:** High
* **Integrity:** High
* **Availability:** High
## Remediation
### Patches
WatchGuard recommends updating to the following versions or later:
* **Fireware OS:** Update to version **2026.1.3** or higher.
* **Fireware OS:** Update to version **12.11.9** or higher.
### Workarounds
* **Restrict Access:** Limit access to the Fireware Web UI to trusted management networks or authorized IP addresses only.
* **Disable External UI:** Ensure the Web UI is not exposed to the public internet.
* **Use VPN:** Require a VPN connection for administrators to reach the management interface.
## Detection
* **Indicators of Compromise:** Monitor for unusual file creation events in system directories (e.g., `/tmp`, `/var/www`, or `/etc`).
* **Log Analysis:** Audit Web UI logs for unexpected `POST` requests or requests containing directory traversal sequences (e.g., `../`, `..%2f`).
* **System Integrity:** Use WatchGuard's built-in system integrity checks where available to verify firmware consistency.
## References
* WatchGuard Security Advisory: hxxps[://]www[.]watchguard[.]com/wgrd-psirt/advisory/wgsa-2026-00009
* WatchGuard PSIRT: hxxps[://]www[.]watchguard[.]com/wgrd-psirt/advisories
* Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/watchguard-security-advisory-av26-309