CVE-2022-25361

9.1 CRITICAL

📋 TL;DR

CVE-2022-25361 allows unauthenticated remote attackers to delete arbitrary files from specific directories on WatchGuard Firebox and XTM appliances. This affects Fireware OS versions before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Organizations using these vulnerable firewall appliances are at risk.

💻 Affected Systems

Products:
  • WatchGuard Firebox
  • WatchGuard XTM
Versions: Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, 12.2.x through 12.5.x before 12.5.9_U2
Operating Systems: Fireware OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical system files could be deleted, causing device malfunction, service disruption, or complete system failure, potentially leading to network downtime.

🟠 Likely Case

Attackers delete configuration or log files to disrupt operations, hide evidence of other attacks, or cause service interruptions.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to specific directories, preventing system-wide compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and appears straightforward based on the vulnerability description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fireware OS 12.7.2_U2, 12.1.3_U8, or 12.5.9_U2 and later

Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00004

Restart Required: Yes

Instructions:

1. Log into WatchGuard System Manager
2. Check the current Fireware OS version
3. Download the appropriate patch from the WatchGuard support portal
4. Apply the update through System Manager
5. Reboot the appliance after the update completes

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to management interfaces using firewall rules or network segmentation

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WatchGuard appliances from untrusted networks
  • Monitor for suspicious file deletion attempts in system logs and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check Fireware OS version in WatchGuard System Manager or via SSH: show version

Check Version:

show version

Verify Fix Applied:

Verify that the installed version is 12.7.2_U2, 12.1.3_U8, or 12.5.9_U2 (or later within its release branch), and confirm that unauthenticated file-deletion attempts are rejected
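As an added example (not from this page or from WatchGuard), a small Python helper that parses a Fireware OS version string in the form this page uses (major.minor.patch with an optional _Un update suffix, an assumption; other build-number formats are not handled) and checks it against the three fixed releases listed above, so an inventory of appliance versions can be triaged without comparing strings by hand:

```python
import re
from typing import NamedTuple

# Version form as written on this page, e.g. "12.5.9_U2" (update suffix optional).
# Other vendor formats (build numbers etc.) are assumed out of scope here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_U(\d+))?$")


class FirewareVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int  # 0 when the string has no _Un suffix


def parse_version(text: str) -> FirewareVersion:
    """Parse 'M.m.p' or 'M.m.p_Un' into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return FirewareVersion(int(major), int(minor), int(patch), int(update or 0))


# Fixed releases named in the advisory, one per maintenance branch.
FIX_12_1 = parse_version("12.1.3_U8")  # 12.0.x / 12.1.x branch
FIX_12_5 = parse_version("12.5.9_U2")  # 12.2.x through 12.5.x branch
FIX_12_7 = parse_version("12.7.2_U2")  # 12.6.x / 12.7.x branch


def is_vulnerable(text: str) -> bool:
    """True if the given Fireware OS version falls in an affected range."""
    v = parse_version(text)
    if v.major > 12:
        return False          # newer than any affected release
    if v.major < 12:
        return True           # older than every fixed 12.x release
    if v.minor <= 1:
        return v < FIX_12_1   # "12.x before 12.1.3_U8"
    if 2 <= v.minor <= 5:
        return v < FIX_12_5   # "12.2.x through 12.5.x before 12.5.9_U2"
    return v < FIX_12_7       # everything else "before 12.7.2_U2"


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    for ver in ["12.5.9", "12.5.9_U2", "12.1.3_U7", "12.6.4", "12.7.2_U2", "12.8.0"]:
        print(f"{ver:12} vulnerable={is_vulnerable(ver)}")
```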

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in system logs
  • Failed authentication attempts followed by file operations

Network Indicators:

  • Unusual traffic patterns to management interfaces
  • HTTP requests attempting file deletion operations

SIEM Query:

source="watchguard" AND (event_type="file_delete" OR action="delete") AND src_ip NOT IN [trusted_ips]
