CVE-2025-13936

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in WatchGuard Fireware OS's Tigerpaw Technology Integration module allows attackers to inject malicious scripts into web pages. When users view these compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. This affects Fireware OS versions 12.4 through 12.11.4, 12.5 through 12.5.13, and 2025.1 through 2025.1.2.

💻 Affected Systems

Products:
  • WatchGuard Fireware OS
Versions: 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, 2025.1 up to and including 2025.1.2
Operating Systems: Fireware OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the Tigerpaw Technology Integration module enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, gain full control of the firewall, pivot to internal networks, and deploy ransomware or exfiltrate sensitive data.

🟠 Likely Case

Attackers steal session cookies or credentials from authenticated users, then impersonate them to modify firewall rules or access protected resources.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have access to inject malicious scripts into the vulnerable module, typically through authenticated input fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fireware OS 12.11.5, 12.5.14, 2025.1.3 or later

Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00021

Restart Required: Yes

Instructions:

1. Log into WatchGuard System Manager.
2. Navigate to the device management interface.
3. Check for available updates under the software update section.
4. Download and apply the latest Fireware OS version (12.11.5, 12.5.14, or 2025.1.3+).
5. Reboot the firewall to complete the update.

🔧 Temporary Workarounds

Disable Tigerpaw Technology Integration Module

Applies to: all affected versions

Temporarily disable the vulnerable module if it is not required for operations.

Navigate to Fireware Web UI > System > Modules > Tigerpaw Technology Integration > Disable

Implement Web Application Firewall (WAF) Rules

Applies to: all affected versions

Deploy WAF rules to block XSS payloads targeting the vulnerable endpoints.

Add WAF rule (example for ModSecurity): SecRule ARGS "@rx <script>" "id:1001,phase:2,deny,status:403,msg:'XSS Attempt'"

Note that this rule only matches a literal <script> tag; payloads using other casing, event-handler attributes, or encoding will pass it, so treat it as a stopgap rather than a substitute for patching.

🧯 If You Can't Patch

  • Restrict access to the Fireware management interface to trusted IP addresses only using firewall rules.
  • Implement strong input validation and output encoding in custom integrations to sanitize user inputs.

🔍 How to Verify

Check if Vulnerable:

Check the Fireware OS version via the web interface or CLI. If the version is within the affected ranges and the Tigerpaw module is enabled, the system is vulnerable.

Check Version:

From CLI: show version | grep Fireware

Verify Fix Applied:

After patching, verify the OS version is 12.11.5, 12.5.14, 2025.1.3 or later, and test input fields in the Tigerpaw module for XSS payloads.
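The version check described above, as an added example (not from the advisory or from WatchGuard): it maps a version string onto the affected ranges and fix builds listed on this page. It assumes that 12.5.x is a separately maintained branch, since the page gives it its own fix build (12.5.14) even though it numerically sits inside 12.4 through 12.11.4.

```python
import re

# Affected ranges and fix builds exactly as listed on this page.
# ASSUMPTION: 12.5.x is a separately maintained branch with its own fix
# (12.5.14), even though it numerically falls inside 12.4 .. 12.11.4, so a
# version is matched to its branch before the range check.
BRANCHES = [
    # (branch prefix, first affected, last affected, fixed build)
    ((12, 5),   (12, 5),   (12, 5, 13),  (12, 5, 14)),
    ((12,),     (12, 4),   (12, 11, 4),  (12, 11, 5)),
    ((2025, 1), (2025, 1), (2025, 1, 2), (2025, 1, 3)),
]


def parse_version(text):
    """Extract a dotted version from strings such as 'Fireware OS 12.11.4'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def assess(version_text, tigerpaw_enabled):
    """Classify a Fireware build against CVE-2025-13936.

    Returns (status, fix_build); status is 'vulnerable' (affected build,
    module enabled), 'not-exposed' (affected build, module disabled),
    'fixed' (at or beyond the branch's fix build), 'unaffected' (on a
    listed branch but older than its first affected build) or 'unlisted'
    (not on any branch this page names).
    """
    v = parse_version(version_text)
    for prefix, first, last, fixed in BRANCHES:
        if v[: len(prefix)] != prefix:
            continue
        fix_build = ".".join(map(str, fixed))
        if v < first:
            return "unaffected", fix_build
        if v <= last:
            return ("vulnerable" if tigerpaw_enabled else "not-exposed"), fix_build
        return "fixed", fix_build
    return "unlisted", None


if __name__ == "__main__":
    # Constructed sample input standing in for the CLI version output.
    print(assess("Fireware OS 12.11.4", True))  # ('vulnerable', '12.11.5')
```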

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Tigerpaw module endpoints with script tags or JavaScript payloads.
  • Multiple failed login attempts followed by successful logins from new IPs.

Network Indicators:

  • HTTP requests containing <script>, javascript:, or other XSS vectors to the firewall management interface.

SIEM Query:

source="firewall_logs" AND (url="*tigerpaw*" AND (body="*<script>*" OR body="*javascript:*"))
