CVE-2025-13937
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in WatchGuard Fireware OS allows attackers to inject malicious scripts into web pages generated by the ConnectWise Technology Integration module. When users view affected pages, the scripts execute in their browser context, potentially stealing credentials or performing unauthorized actions. This affects Fireware OS versions 12.4-12.11.4, 12.5-12.5.13, and 2025.1-2025.1.2.
💻 Affected Systems
- WatchGuard Fireware OS
📦 What is this software?
Fireware by Watchguard
Fireware by Watchguard
Fireware by Watchguard
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack sessions, install backdoors, pivot to internal networks, or deploy ransomware through the firewall management interface.
Likely Case
Attackers with access to the management interface inject malicious scripts that steal session cookies or credentials when administrators view affected pages.
If Mitigated
With proper network segmentation and access controls, impact is limited to the management interface with no lateral movement to protected networks.
🎯 Exploit Status
Exploitation requires access to the management interface and ability to inject payloads into vulnerable fields. No authentication bypass required if attacker already has access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 12.11.4, 12.5.13, and 2025.1.2
Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00022
Restart Required: Yes
Instructions:
1. Log into WatchGuard System Manager 2. Check current Fireware OS version 3. Download latest firmware from WatchGuard portal 4. Upload and install update 5. Reboot firewall
🔧 Temporary Workarounds
Restrict Management Interface Access
allLimit access to firewall management interface to trusted IP addresses only
Configure firewall rules to restrict management interface access to specific source IPs
Disable ConnectWise Integration
allTemporarily disable the ConnectWise Technology Integration module if not required
Navigate to System > ConnectWise Integration and disable the feature
🧯 If You Can't Patch
- Implement strict network segmentation to isolate firewall management interface
- Enable multi-factor authentication for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check Fireware OS version in System Manager under System > Status. If version falls within affected ranges and ConnectWise Integration is enabled, system is vulnerable.Check Version:
show version (via CLI) or check System > Status in Web UIVerify Fix Applied:
Verify Fireware OS version is 12.11.5+, 12.5.14+, or 2025.1.3+ after update. Test XSS payloads in ConnectWise integration fields to confirm sanitization.📡 Detection & Monitoring
Log Indicators:
- Unusual input patterns in ConnectWise integration logs
- Multiple failed login attempts followed by successful login
- Administrative sessions from unexpected IP addresses
Network Indicators:
- HTTP requests containing script tags or JavaScript to management interface
- Outbound connections from firewall to unexpected destinations
SIEM Query:
source="firewall_mgmt" AND (http_uri="*<script>*" OR http_uri="*javascript:*" OR http_user_agent="*<script>*")