CVE-2022-23176
Published 2022-02-24
CVE-2022-23176: WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via…
Priority: P187 high. CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, due 2022-05-02
ITW: Exploited in the wild
EPSS: 12.25% (95.7th percentile)
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | fireware | — | — |
| watchguard | fireware | — | — |
| watchguard | fireware | — | — |
| watchguard | fireware | >= 12.0.0 < 12.1.3 | 12.1.3 |
| watchguard | fireware | >= 12.2.0 < 12.5.7 | 12.5.7 |
Detection & IOCs (extracted from sources)
- The vulnerability allows a remote attacker with unprivileged credentials to obtain a privileged management session via exposed management access; monitor for unexpected privilege escalation on the management interfaces of WatchGuard Firebox/XTM appliances.
- Restrict or audit exposure of WatchGuard Firebox/XTM management access interfaces to the internet; internet-exposed management access is the attack vector for this privilege escalation.
- Affected versions are Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3; detection and patching scope should be limited to these version ranges.
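CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |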
GHSA
GHSA-8x27-645q-g2rv: WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session
ghsa_unreviewed · 2022-02-25
CVE-2022-23176 [HIGH] CWE-269 GHSA-8x27-645q-g2rv: WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 11.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.
VulnCheck
WatchGuard Firebox and XTM Privilege Escalation Vulnerability
vulncheck · 2022 · CVSS 8.8
CVE-2022-23176 [HIGH] WatchGuard Firebox and XTM Privilege Escalation Vulnerability
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access.
Affected: WatchGuard Firebox and XTM Appliances
Required Action: Apply updates per vendor instructions.
Exploitation References: https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.prio-n.com/a-year-in-review-2022-100-vulnerabilities-you-should-prioritize/; https://hub.dragos.com/hubfs/312-Year-in-Review/2022/Dragos_Year-In-Review-Report-2022.pdf
Remediation Due: 2022-05-02
CISA
WatchGuard Firebox and XTM Privilege Escalation Vulnerability
cisa · 2022-04-11 · CVSS 8.8
CVE-2022-23176 [HIGH] WatchGuard Firebox and XTM Privilege Escalation Vulnerability
Vulnerability: WatchGuard Firebox and XTM Privilege Escalation Vulnerability
Affected: WatchGuard Firebox and XTM
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-23176
Remediation Due Date: 2022-05-02
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Critical RCE flaw impacts over 115,000 WatchGuard firewalls
blogs_bleepingcomputer · 2025-12-22 · CVSS 9.3
CVE-2025-14733 [CRITICAL] Critical RCE flaw impacts over 115,000 WatchGuard firewalls
## Critical RCE flaw impacts over 115,000 WatchGuard firewalls
## Sergiu Gatlan
Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks.
The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction.
As WatchGuard explained in a Thursday advisory, when it released CVE-2025-14733 security updates and tagged it as exploited in the wild, unpatched Fireb
Bleepingcomputer
New critical WatchGuard Firebox firewall flaw exploited in attacks
blogs_bleepingcomputer · 2025-12-19 · CVSS 9.3
CVE-2025-14733 [CRITICAL] New critical WatchGuard Firebox firewall flaw exploited in attacks
## New critical WatchGuard Firebox firewall flaw exploited in attacks
## Sergiu Gatlan
WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls.
Tracked as CVE-2025-14733, this security flaw affects firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely on unpatched devices, following successful exploitation in low-complexity attacks that don't require user interaction.
While unpatched Firebox firewalls are only vulnerable to attacks if configured to use IKEv2 VPN, WatchGuard no
- https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/
- https://securityportal.watchguard.com
- https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_1_3_U7/index.html#Fireware/en-US/resolved_issues.html
- https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7/index.html#Fireware/en-US/resolved_issues.html
- https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7_2/index.html#Fireware/en-US/resolved_issues.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23176
2022-02-24: Published
2022-04-11: Added to CISA KEV
Exploited in the wild