CVE-2025-6946
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in WatchGuard Fireware OS allows authenticated administrators to inject malicious scripts via the IPS module. Attackers could execute arbitrary JavaScript in the context of the administrator's browser session. This affects locally managed Firebox devices running Fireware OS versions 12.0 through 12.11.2.
💻 Affected Systems
- WatchGuard Firebox
📦 What is this software?
Fireware by Watchguard
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated administrator access could inject persistent malicious scripts that steal session cookies, perform administrative actions, or pivot to other systems.
Likely Case
Malicious administrator or compromised admin account could inject scripts to maintain persistence, exfiltrate data, or manipulate firewall configurations.
If Mitigated
With proper access controls and monitoring, impact is limited to the specific admin session and can be detected through log analysis.
🎯 Exploit Status
Exploitation requires authenticated administrator access. The vulnerability is in the IPS module web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.11.3 or later
Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00011
Restart Required: Yes
Instructions:
1. Log into the Fireware Web UI as an administrator.
2. Navigate to System > Upgrade.
3. Download and install Fireware OS 12.11.3 or later.
4. Reboot the device after the installation completes.
🔧 Temporary Workarounds
Restrict Administrative Access
Limit administrative access to trusted IP addresses and users only
Monitor Admin Sessions
Implement session monitoring and alerting for unusual administrative activities
🧯 If You Can't Patch
- Implement strict access controls for administrative interfaces
- Enable detailed logging and monitor for suspicious IPS module activities
🔍 How to Verify
Check if Vulnerable:
Check Fireware OS version via Web UI: System > Status > Version. If version is between 12.0 and 12.11.2 inclusive, device is vulnerable.
Check Version:
ssh admin@firebox 'show version' or check via Web UI
Verify Fix Applied:
After patching, verify version is 12.11.3 or later in System > Status > Version.
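The version test above is easy to get wrong when scripted across a fleet, because a plain string comparison sorts "12.9.1" after "12.11.2". The following is an added example, not code from WatchGuard or from this advisory, that parses the version into numeric components and checks it against the affected range stated here (12.0 through 12.11.2 inclusive, fixed in 12.11.3). The sample version strings and the "Build NNNNNN" suffix format are constructed assumptions.

```python
# Added example: numeric version-range check for CVE-2025-6946.
# Affected range and fixed version are taken from the advisory text;
# the sample strings (and their "Build" suffix) are constructed.
import re
from typing import Tuple

AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (12, 11, 2)
FIXED_IN = (12, 11, 3)

# Leading "major.minor[.patch]"; anything after (build tag, whitespace) is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) as integers; a missing patch counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_vulnerable(version_text: str) -> bool:
    """True when the version lies inside the affected range, inclusive.
    Tuple comparison is component-wise, so 12.9.x sorts below 12.11.x."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def assess(version_text: str) -> str:
    """Human-readable verdict for one device's reported version."""
    v = parse_version(version_text)
    if is_vulnerable(version_text):
        return "VULNERABLE: upgrade to %d.%d.%d or later" % FIXED_IN
    if v >= FIXED_IN:
        return "patched"
    return "not in affected range (pre-12.0)"


if __name__ == "__main__":
    # Constructed sample of what an inventory export might contain.
    for s in ["12.11.2 Build 712345", "12.11.3", "12.9.1", "12.0", "11.12.4", "13.0.1"]:
        print(f"{s:22} -> {assess(s)}")
```

The tuple comparison is the point: `"12.9.1" > "12.11.2"` is True in Python string ordering, so a check that compares raw strings would wrongly report a 12.9 device as patched.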
📡 Detection & Monitoring
Log Indicators:
- Unusual IPS module configuration changes
- Multiple failed login attempts followed by successful admin login
- Suspicious JavaScript in IPS configuration fields
Network Indicators:
- Unusual outbound connections from firewall management interface
- Traffic patterns suggesting data exfiltration
SIEM Query:
source="firewall_logs" AND ((event_type="config_change" AND module="ips") OR (event_type="auth" AND user="admin" AND result="success" AND src_ip NOT IN trusted_ips))
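The same detection logic as a filter over key=value log records, added here as an example rather than taken from the advisory or from WatchGuard. Both branches are scoped to source="firewall_logs", which is the intended reading of the query (without outer parentheses, AND binds tighter than OR in most SIEM languages and the admin-login branch would match any source). It also flags script markup in IPS configuration values, matching the "Suspicious JavaScript in IPS configuration fields" indicator. The log lines, field names, and the trusted-network list are constructed assumptions about your SIEM's normalisation, not documented Fireware field names.

```python
# Added example: apply the advisory's SIEM logic to constructed log records.
# Field names (source, event_type, module, user, result, src_ip, value) and the
# trusted networks are assumptions for illustration, not Fireware's own schema.
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]  # constructed

# Markup that has no legitimate place in an IPS rule name or description.
SCRIPT_PATTERN = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

# key="quoted value" or key=bareword
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records; line 4 carries a harmless script tag as a stand-in
# for the kind of payload a stored XSS would leave in a configuration field.
SAMPLE_LOGS = [
    'source="firewall_logs" event_type="auth" user="admin" result="success" src_ip="10.0.5.9"',
    'source="firewall_logs" event_type="auth" user="admin" result="success" src_ip="203.0.113.77"',
    'source="firewall_logs" event_type="config_change" module="ips" field="rule_name" value="Block SMB scan"',
    'source="firewall_logs" event_type="config_change" module="ips" field="description" value="<script>alert(1)</script>"',
    'source="firewall_logs" event_type="config_change" module="proxy" field="rule_name" value="<script>alert(1)</script>"',
    'source="web_logs" event_type="auth" user="admin" result="success" src_ip="203.0.113.77"',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def src_is_trusted(ip_text: str) -> bool:
    """Membership test against TRUSTED_NETS; unparsable input is untrusted."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the alert reasons for one record; an empty list means no alert."""
    reasons: List[str] = []
    if rec.get("source") != "firewall_logs":
        return reasons
    if rec.get("event_type") == "config_change" and rec.get("module") == "ips":
        reasons.append("ips_config_change")
        if SCRIPT_PATTERN.search(rec.get("value", "")):
            reasons.append("script_markup_in_ips_field")
    if (rec.get("event_type") == "auth" and rec.get("user") == "admin"
            and rec.get("result") == "success"
            and not src_is_trusted(rec.get("src_ip", ""))):
        reasons.append("admin_login_from_untrusted_ip")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line number, reasons) for every record that raises at least one reason."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        reasons = classify(parse_kv(line))
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Treating an unparsable src_ip as untrusted is deliberate: a missing or malformed field should raise an alert rather than silently pass the NOT IN test.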