Login Sign Up

CVE-2025-13939

6.1 MEDIUM
Cross-Site Scripting

📋 TL;DR

This CVE describes a stored cross-site scripting (XSS) vulnerability in WatchGuard Fireware OS's Gateway Wireless Controller module. Attackers can inject malicious scripts that execute when administrators view affected pages, potentially compromising administrative sessions. Affected versions include Fireware OS 11.7.2 through 11.12.4+541730, 12.0 through 12.11.4, 12.5 through 12.5.13, and 2025.1 through 2025.1.2.

💻 Affected Systems

Products:
  • WatchGuard Fireware OS
Versions: 11.7.2 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, 2025.1 up to and including 2025.1.2
Operating Systems: Fireware OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Gateway Wireless Controller module within Fireware OS.

📦 What is this software?

Fireware by Watchguard

View all CVEs affecting Fireware →

Fireware by Watchguard

View all CVEs affecting Fireware →

Fireware by Watchguard

View all CVEs affecting Fireware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could steal administrator credentials, hijack administrative sessions, install backdoors, or pivot to internal network resources.

🟠

Likely Case

Attackers steal administrator session cookies or credentials, gaining unauthorized access to firewall management interface.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the management interface, typically requiring authentication or network access to the management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific fixed versions

Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00024

Restart Required: Yes

Instructions:

1. Review WatchGuard advisory WGSB-2025-00024. 2. Download appropriate firmware update. 3. Backup configuration. 4. Apply firmware update via management interface. 5. Reboot device.

🔧 Temporary Workarounds

Restrict Management Interface Access

all

Limit access to firewall management interface to trusted IP addresses only

Enable Content Security Policy

all

Implement CSP headers to restrict script execution

🧯 If You Can't Patch

  • Implement network segmentation to isolate management interfaces
  • Enable multi-factor authentication for administrative accounts

🔍 How to Verify

Check if Vulnerable:

Check Fireware OS version via management interface or CLI

Check Version:

show version (CLI) or check System > About in web interface

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable ranges

📡 Detection & Monitoring

Log Indicators:

  • Unusual input patterns in web interface logs
  • Multiple failed login attempts followed by successful login

Network Indicators:

  • Unusual traffic to management interface from unexpected sources

SIEM Query:

source="firewall_mgmt_logs" AND (event="input_validation_failure" OR event="xss_attempt")

📊 Metadata

CVE ID: CVE-2025-13939
CVSS v3 Score: 6.1 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.03% exploit probability (9.1th percentile)
Published: December 4, 2025
Last Updated: December 10, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13939, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)