CVE-2022-26318
published 2022-03-04

Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 78.30% (99.5th percentile)
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.

Affected (6 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | fireware | | |
| watchguard | fireware | | |
| watchguard | fireware | | |
| watchguard | fireware | >= 12.0.0 < 12.1.3 | 12.1.3 |
| watchguard | fireware | >= 12.5 < 12.5.9 | 12.5.9 |
| watchguard | fireware | >= 12.7.0 < 12.7.2 | 12.7.2 |

Detection & IOCs (extracted from sources)

  • The exploit targets the administration interface which may run on either port 8080 or 4117 — ensure detection rules cover both ports, not just the default.
  • M3 Snort rule (sid:2035635) was updated as recently as 2024-04-25, indicating ongoing refinement — ensure the latest revision (rev:3) is deployed.
  • M1 and M3 rules include 'deployment SSLDecrypt' metadata, indicating that TLS inspection/SSL decryption must be enabled on the monitoring sensor for these rules to fire on encrypted traffic.

CVSS provenance

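| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |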