CVE-2025-1545
📋 TL;DR
An XPath injection vulnerability in WatchGuard Fireware OS allows a remote, unauthenticated attacker to extract sensitive configuration data from a Firebox. The vulnerable code path is only reachable on Fireboxes that have an authentication hotspot configured. Affected Fireware OS versions run from 11.11 through 2025.1.2.
💻 Affected Systems
- WatchGuard Firebox
📦 What is this software?
Fireware by Watchguard
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of the full Firebox configuration, including stored credentials, network topology, firewall policies and VPN settings, which an attacker can use to pivot into the protected network.
Likely Case
Extraction of sensitive configuration data such as user credentials, network settings, and security policies.
If Mitigated
Limited information disclosure if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Once the injection point in the hotspot authentication handler is known, XPath injection is usually low-complexity to exploit: no credentials are needed and the payload is plain text in a web request to the hotspot login page. This page does not reference a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the vendor advisory for the fixed release that applies to your Fireware branch
Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00025
Restart Required: Yes
Instructions:
1. Download the Fireware OS upgrade for your Firebox model from the WatchGuard Software Downloads site
2. Connect to the affected Firebox with WatchGuard System Manager or the Fireware Web UI
3. Back up the current configuration
4. Apply the Fireware OS upgrade (Upgrade OS in the Web UI or WatchGuard System Manager)
5. Reboot the device and confirm the new version is running
🔧 Temporary Workarounds
Disable Authentication Hotspots
Remove or disable every authentication hotspot on the Firebox; this removes the vulnerable handler entirely, at the cost of captive-portal login for hotspot users until the device is patched.
Restrict Web Interface Access
Limit access to the management interfaces with firewall policies and network segmentation. Note that the hotspot login page must stay reachable by guest clients for the hotspot to work, so this reduces exposure of the management plane but does not remove the hotspot attack surface.
🧯 If You Can't Patch
- Implement strict network segmentation so that only trusted networks can reach the Firebox management interfaces, and keep hotspot guest segments isolated from internal networks
- Deploy a web application firewall (WAF) or inspecting proxy with XPath injection rules only where hotspot traffic can actually be forced through it; clients on the hotspot segment normally reach the Firebox directly, so disabling the hotspot is the reliable stopgap
🔍 How to Verify
Check if Vulnerable:
Compare the running Fireware OS version against the affected range (11.11 through 2025.1.2) and check whether any authentication hotspot is configured; a device in the range with a hotspot enabled is exposed.
Check Version:
show sysinfo (Fireware CLI), or read the version from the Fireware Web UI dashboard or WatchGuard System Manager
Verify Fix Applied:
Confirm the running Fireware OS version matches the fixed release named in the vendor advisory for your branch (not merely a version outside the range on this page), then confirm the hotspot login page still works for legitimate users.
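The version check described above, as an added example (not WatchGuard code). It parses Fireware version strings of the form "12.11.3", "2025.1.2" or "12.5.12 Update 2" (the "Update N" suffix is an assumption about format and is treated as a trailing numeric component), compares them against the affected range this page lists, and lets you pass the fixed builds from the vendor advisory so that a maintenance release in the range is not misreported. The fixed-build logic (same major.minor branch, at or above the fixed build) is an assumption about how the advisory's per-branch fixes apply.

```python
"""Assess a Firebox for CVE-2025-1545 exposure from its Fireware version.

Added example, not WatchGuard code. Affected range taken from this page.
"""
import re

AFFECTED_MIN = "11.11"
AFFECTED_MAX = "2025.1.2"

# Assumed formats: "12.11.3", "2025.1.2", "12.5.12 Update 2"
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s+Update\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, update)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # "11.11" == "11.11.0"
        parts.append(0)
    update = int(m.group(2)) if m.group(2) else 0
    return tuple(parts[:3]) + (update,)


def is_fixed(version, fixed_builds):
    """True if version is on the same major.minor branch as a fixed build
    and at or above it (assumption about how per-branch fixes apply)."""
    v = parse_version(version)
    for f in fixed_builds:
        fv = parse_version(f)
        if v[:2] == fv[:2] and v >= fv:
            return True
    return False


def assess(version, hotspot_configured, fixed_builds=()):
    """Return one of:
    'fixed'                 - at/above a fixed build for its branch
    'not-in-range'          - outside 11.11 .. 2025.1.2
    'vulnerable-exposed'    - in range and a hotspot is configured
    'vulnerable-no-hotspot' - in range but vulnerable handler not reachable
    """
    if is_fixed(version, fixed_builds):
        return "fixed"
    v = parse_version(version)
    if not (parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)):
        return "not-in-range"
    return "vulnerable-exposed" if hotspot_configured else "vulnerable-no-hotspot"


if __name__ == "__main__":
    # Fixed builds here are placeholders; take the real ones from the advisory.
    for ver, hotspot in [("2025.1.2", True), ("12.11.3", False), ("11.10.7", True)]:
        print(ver, hotspot, "->", assess(ver, hotspot))
```

Feed it the output of show sysinfo from each Firebox and the list of fixed builds from the vendor advisory; anything reported as vulnerable-exposed should be patched or have its hotspots disabled first.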
📡 Detection & Monitoring
Log Indicators:
- XPath metacharacters (single or double quotes, `]`, `|`, `//`, `or`/`and` between quoted strings) in the username or password parameters of hotspot login requests
- Bursts of failed hotspot authentication attempts from one source, typical of an attacker probing the injection point
- Configuration data (usernames, policy or VPN details) appearing in hotspot responses or being accessed without a matching administrative login
Network Indicators:
- Unusual HTTP POST requests to the hotspot login page, especially from a single client at a high rate
- Parameter values that are URL-encoded quotes and brackets (`%27`, `%22`, `%5D`, `%7C`) rather than plausible credentials
SIEM Query:
The query below is illustrative pseudo-syntax: the source name and the fields `http_method`, `uri` and `param_values` are placeholders for whatever your log pipeline extracts from Firebox HTTP logs, and the `/auth/` path fragment should be replaced with the hotspot login path seen in your own logs. Match the URL-encoded form of each marker (`%27` for `'`) as well, or normalise parameters before matching, otherwise an encoded payload slips past a plain string match.
source="firebox-logs" AND http_method="POST" AND uri CONTAINS "/auth/" AND (param_values CONTAINS "' OR '" OR param_values CONTAINS "' AND '" OR param_values CONTAINS "']" OR param_values CONTAINS "| //")
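The detection logic above run over sample log lines, as an added example (not WatchGuard code). The log format (one key=value line per HTTP request with `ts`, `src`, `method`, `uri` and a quoted `body`) and the `/auth/` path fragment are assumptions; the sample lines are constructed. Unlike the one-line query, it URL-decodes parameter values (twice, to catch double-encoding) before matching, so `%27+or+%271%27%3D%271` is flagged as well as a literal `' or '1'='1`.

```python
"""Flag hotspot-login requests carrying XPath-injection markers.

Added example, not WatchGuard code. Log format and field names are assumed;
LOG_LINES are constructed samples.
"""
import re
from urllib.parse import parse_qsl, unquote_plus

# Markers that have no place in a hotspot username/password field but are
# typical of XPath predicate injection.
XPATH_MARKERS = [
    re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE),       # ' or '1'='1
    re.compile(r"\"\s*(or|and)\s*\"", re.IGNORECASE),     # " or "1"="1
    re.compile(r"'\s*\]"),                                 # close the predicate: ']
    re.compile(r"\|\s*/+"),                                # union with another path: | //
    re.compile(r"\b(name|count|substring|string-length)\s*\(", re.IGNORECASE),
    re.compile(r"//\*"),                                   # wildcard path
]

# Constructed sample log lines (assumed format).
LOG_LINES = [
    'ts=2025-03-04T10:01:02Z src=10.20.30.41 method=POST uri=/auth/hotspot body="username=alice&password=Wint3r%21"',
    'ts=2025-03-04T10:01:09Z src=198.51.100.7 method=POST uri=/auth/hotspot body="username=%27+or+%271%27%3D%271&password=x"',
    'ts=2025-03-04T10:01:15Z src=198.51.100.7 method=POST uri=/auth/hotspot body="username=a%2527%255D%257C%252F%252F*&password=x"',
    'ts=2025-03-04T10:02:00Z src=10.20.30.42 method=GET uri=/auth/hotspot body=""',
]

_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def suspicious_params(raw_body):
    """Return [(name, decoded_value, pattern)] for each parameter that matches."""
    hits = []
    for name, value in parse_qsl(raw_body, keep_blank_values=True):
        decoded = unquote_plus(value)   # parse_qsl decoded once; this catches double-encoding
        for pat in XPATH_MARKERS:
            if pat.search(decoded):
                hits.append((name, decoded, pat.pattern))
                break
    return hits


def scan(lines, path_fragment="/auth/"):
    """Return one alert per POST to the hotspot path whose body matches a marker."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f.get("method") != "POST" or path_fragment not in f.get("uri", ""):
            continue
        hits = suspicious_params(f.get("body", ""))
        if hits:
            alerts.append({"ts": f.get("ts"), "src": f.get("src"), "hits": hits})
    return alerts


def scan_sample():
    return scan(LOG_LINES)


if __name__ == "__main__":
    for a in scan_sample():
        print(a["ts"], a["src"], a["hits"])
```

Tune the marker list to your own false-positive rate: the quote-plus-operator patterns are the high-confidence ones, while `//*` and function names may need a second signal (such as several hits from one source) before paging anyone.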