CVE-2025-13938
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in WatchGuard Fireware OS allows attackers to inject malicious scripts into web pages generated by the Autotask Technology Integration module. When users view these compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Organizations using affected Fireware OS versions with the Autotask module enabled are at risk.
💻 Affected Systems
- WatchGuard Fireware OS
📦 What is this software?
Fireware by Watchguard
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator credentials, hijack administrative sessions, install backdoors, or pivot to internal network resources, potentially leading to full network compromise.
Likely Case
Attackers would steal session cookies or credentials from administrators accessing the management interface, enabling unauthorized access to firewall configuration and network controls.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching user browsers, preventing execution.
🎯 Exploit Status
Exploitation requires access to the management interface and knowledge of the Autotask module's input fields. No public exploits have been reported as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fireware OS 12.11.5, 12.5.14, 2025.1.3
Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00023
Restart Required: Yes
Instructions:
1. Download the appropriate firmware update from WatchGuard Support.
2. Back up the current configuration.
3. Apply the firmware update through the Web UI or CLI.
4. Reboot the firewall to complete installation.
5. Verify the new version is running.
🔧 Temporary Workarounds
Disable Autotask Technology Integration Module
Temporarily disable the vulnerable module until patching can be completed.
Navigate to System > Configuration > Modules in the Web UI and disable Autotask Technology Integration.
Restrict Management Interface Access
Limit access to the firewall management interface to trusted IP addresses only.
Configure firewall rules to restrict Web UI access to specific management networks.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all Autotask module fields
- Deploy a web application firewall (WAF) with XSS protection rules in front of the management interface
🔍 How to Verify
Check if Vulnerable:
Check the Fireware OS version via the Web UI (System > Status) or the CLI (show version). If the version falls within the affected ranges and the Autotask module is enabled, the system is vulnerable.
Check Version:
show version
Verify Fix Applied:
After patching, verify the OS version is 12.11.5, 12.5.14, or 2025.1.3 or later. Test Autotask module functionality to ensure it works with sanitized inputs.
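The version check above is easy to get wrong when done by eye or by string comparison (the string "12.5.14" sorts before "12.5.9"). The following added example, which is not code from the advisory or from WatchGuard, compares a reported version numerically against the fixed release for its branch. It assumes that each fixed version listed in the advisory (12.11.5, 12.5.14, 2025.1.3) applies to the release branch sharing its first two components, and that a `(Build ...)` suffix may follow the version string; both are assumptions, and branches the advisory does not list are reported as unknown rather than guessed.

```python
import re
from typing import Dict, Tuple

# Assumption: fixed versions from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 11): (12, 11, 5),
    (12, 5): (12, 5, 14),
    (2025, 1): (2025, 1, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.5.14' or '12.5.14 (Build 123456)' into a numeric tuple.

    Numeric tuples order correctly; plain string comparison would rank
    '12.5.14' below '12.5.9'.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def fix_status(version_text: str, autotask_enabled: bool) -> str:
    """Classify a host from its reported version and Autotask module state.

    Returns one of:
      'patched'                - at or above the fixed release for its branch
      'vulnerable'             - below the fixed release with the module enabled
      'mitigated-by-workaround'- below the fixed release but the module is disabled
      'unknown-branch'         - branch not covered by the advisory's fixed versions;
                                 check the vendor advisory directly
    """
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"
    if version >= fixed:
        return "patched"
    return "vulnerable" if autotask_enabled else "mitigated-by-workaround"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, reported, enabled in [
        ("fw-hq", "12.11.5 (Build 123456)", True),
        ("fw-branch", "12.5.9", True),
        ("fw-lab", "12.5.9", False),
    ]:
        print(f"{host}: {fix_status(reported, enabled)}")
```

The module-disabled state is reported separately because it only reflects the workaround, not a fix; such hosts still need the firmware update.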
📡 Detection & Monitoring
Log Indicators:
- Unusual input patterns in Autotask module logs
- Multiple failed login attempts followed by successful authentication
- Administrative sessions from unexpected IP addresses
Network Indicators:
- HTTP requests containing script tags or JavaScript payloads to management interface
- Outbound connections from firewall to unexpected external domains
SIEM Query:
source="firewall_logs" AND (http_uri="*autotask*" AND (http_query="*<script>*" OR http_query="*javascript:*"))
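The SIEM query above matches the literal, case-sensitive strings `<script>` and `javascript:`, so it misses URL-encoded (`%3Cscript%3E`) or mixed-case variants in the query string. The following added example, which is not from the advisory or from WatchGuard, applies the same rule over key=value log lines after URL-decoding and lower-casing the query, and it goes beyond the page's query in that respect. The log format and the sample lines are constructed for the example; a real Fireware log will need its own field parser.

```python
from typing import Dict, List
from urllib.parse import unquote

# Markers from the advisory's SIEM query, matched after decoding and lower-casing.
SUSPICIOUS_MARKERS = ("<script", "javascript:")

# Constructed sample log lines (not real traffic); key=value fields, queries URL-encoded.
SAMPLE_LOGS = """\
ts=2025-12-01T10:00:01Z src=10.0.0.5 http_uri=/autotask/settings http_query=name=acme status=200
ts=2025-12-01T10:00:07Z src=203.0.113.9 http_uri=/autotask/settings http_query=name=%3Cscript%3Etest status=200
ts=2025-12-01T10:00:09Z src=203.0.113.9 http_uri=/Autotask/settings http_query=url=JavaScript:void(0) status=200
ts=2025-12-01T10:00:12Z src=10.0.0.5 http_uri=/system/status http_query=q=%3Cscript%3E status=200
"""


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a whitespace-separated key=value line into a dict (first '=' wins)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_suspicious(event: Dict[str, str]) -> bool:
    """Same rule as the SIEM query, but tolerant of encoding and case."""
    uri = event.get("http_uri", "").lower()
    if "autotask" not in uri:
        return False
    # One round of URL decoding; double-encoded payloads would need a second pass.
    query = unquote(event.get("http_query", "")).lower()
    return any(marker in query for marker in SUSPICIOUS_MARKERS)


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed events that hit the rule, in log order."""
    events = (parse_log_line(line) for line in log_text.splitlines() if line.strip())
    return [event for event in events if is_suspicious(event)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['ts']} src={hit['src']} uri={hit['http_uri']} query={hit['http_query']}")
```

The fourth sample line carries a script marker but targets a non-Autotask path, so it is deliberately not matched; widen the URI filter if the management interface exposes the module under other paths.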