CVE-2025-13940
📋 TL;DR
This vulnerability in WatchGuard Fireware OS allows attackers to bypass the boot-time system integrity check and prevent the Firebox from shutting down when integrity checks fail. It affects Fireware OS versions 12.8.1 through 12.11.4 and 2025.1 through 2025.1.2. The on-demand integrity check in the Web UI still works correctly.
💻 Affected Systems
- WatchGuard Firebox appliances running Fireware OS
📦 What is this software?
Fireware by Watchguard
Fireware by Watchguard
⚠️ Risk & Real-World Impact
Worst Case
An attacker could maintain persistent access to a compromised Firebox by preventing automatic shutdown after tampering with system files, potentially enabling ongoing network surveillance or lateral movement.
Likely Case
Attackers who have already gained some access could use this to maintain persistence and avoid detection by preventing the system from shutting down when integrity violations are detected.
If Mitigated
With proper monitoring and the working on-demand integrity checks, administrators can still detect compromises through manual verification in the Web UI.
🎯 Exploit Status
Exploitation likely requires some level of initial access to the system to trigger the integrity check bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fireware OS 12.11.5 and 2025.1.3 or later
Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00026
Restart Required: Yes
Instructions:
1. Log into WatchGuard System Manager. 2. Check for available updates. 3. Download and install Fireware OS 12.11.5 or 2025.1.3 or later. 4. Reboot the Firebox appliance.
🔧 Temporary Workarounds
Enable on-demand integrity checks
allRegularly perform manual system integrity checks through the Fireware Web UI to detect potential compromises.
🧯 If You Can't Patch
- Implement strict network segmentation to limit the impact if a Firebox is compromised
- Enable detailed logging and monitoring for unusual Firebox behavior or configuration changes
🔍 How to Verify
Check if Vulnerable:
Check Fireware OS version via Web UI: System > About, or CLI: show versionCheck Version:
show versionVerify Fix Applied:
Verify Fireware OS version is 12.11.5 or later for 12.x branch, or 2025.1.3 or later for 2025.x branch📡 Detection & Monitoring
Log Indicators:
- Failed boot-time integrity checks without corresponding shutdown events
- Unexpected system modifications or configuration changes
Network Indicators:
- Unusual outbound connections from Firebox management interfaces
- Anomalous traffic patterns that might indicate compromised firewall rules
SIEM Query:
source="firebox" AND (event_type="integrity_check" AND result="failed" AND NOT action="shutdown")