CVE-2022-26318
Published 2022-03-04
Priority: P196 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW exploit · Initial access
CISA Known Exploited Vulnerabilities: remediation due 2022-04-15
Exploited in the wild
EPSS: 78.30% (99.5th percentile)
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
Affected
6 ranges in the source; the three that carry version data:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | fireware | >= 12.0.0 < 12.1.3 | 12.1.3 |
| watchguard | fireware | >= 12.5 < 12.5.9 | 12.5.9 |
| watchguard | fireware | >= 12.7.0 < 12.7.2 | 12.7.2 |
The "Fixed in" column drops the update suffix that the description gives (12.1.3_U8, 12.5.9_U2, 12.7.2_U2). Going by the description, a base release such as 12.7.2 without the _U2 update is still inside the vulnerable range, so check the full version string including the _U level, not just the three-part release number.
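An added example, not vendor code and not from this page's sources: a version check that encodes the three fix levels quoted in the description above so an inventory of Fireware versions can be triaged offline. Treating each 12.x line as its own maintenance branch (12.0 and 12.1 fixed at 12.1.3_U8, 12.2 through 12.5 at 12.5.9_U2, 12.6 and later at 12.7.2_U2, anything before 12 simply older than 12.7.2_U2) is this example's reading of that text, and `parse_fireware`, `is_affected` and `triage` are its own names; the inventory strings at the bottom are constructed.

```python
"""Added example (not vendor code): decide whether a Fireware OS version string
falls inside the CVE-2022-26318 ranges given in the NVD description."""
import re

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_U(\d+))?")


def parse_fireware(version: str):
    """'12.7.2_U2' -> (12, 7, 2, 2); a missing patch or _U update level counts as 0."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


# Fix levels quoted from the description.  Assigning each 12.x branch to one
# fixed update release is this example's reading of that text (assumption).
FIXED_12_0_TO_12_1 = parse_fireware("12.1.3_U8")   # "12.x before 12.1.3_U8"
FIXED_12_2_TO_12_5 = parse_fireware("12.5.9_U2")   # "12.2.x through 12.5.x before 12.5.9_U2"
FIXED_12_6_PLUS = parse_fireware("12.7.2_U2")      # "before 12.7.2_U2"


def is_affected(version: str) -> bool:
    """True when the running release is older than the fix for its branch."""
    v = parse_fireware(version)
    major, minor = v[0], v[1]
    if major < 12:
        return True            # every pre-12 build predates 12.7.2_U2
    if minor <= 1:
        fixed = FIXED_12_0_TO_12_1
    elif minor <= 5:
        fixed = FIXED_12_2_TO_12_5
    else:
        fixed = FIXED_12_6_PLUS
    return v < fixed           # tuple order: major, minor, patch, then _U level


def triage(versions):
    """Map each inventory version to 'patch' or 'ok'; unparsable strings get 'review'."""
    result = {}
    for ver in versions:
        try:
            result[ver] = "patch" if is_affected(ver) else "ok"
        except ValueError:
            result[ver] = "review"
    return result


if __name__ == "__main__":
    # Constructed inventory, not real appliances.
    inventory = ["12.7.2", "12.7.2_U2", "12.5.9_U1", "12.1.3_U8", "11.12.4", "12.8", "12.7.2 Build 1"]
    for ver, verdict in triage(inventory).items():
        print(f"{ver:16s} {verdict}")
```

The comparison is a plain tuple comparison, so the _U level only decides ties on the same release; a string the regex does not recognise is reported as "review" rather than silently marked safe.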
Detection & IOCs (extracted from sources)
- The exploit targets the administration interface, which may listen on port 8080 or 4117; make sure detection rules and sensor placement cover both ports, not just the default.
- The M3 ET rule (sid:2035635, listed below as a Suricata rule) was updated as recently as 2024-04-25, which indicates ongoing refinement; deploy the latest revision (rev:3).
- The M1 and M3 rules carry 'deployment SSLDecrypt' metadata: the management interface is served over TLS, so TLS inspection (SSL decryption) must be in place on the monitoring sensor for these rules to fire on encrypted traffic.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-vvw7-v96v-gmxr · ghsa_unreviewed · 2022-03-05 · CVE-2022-26318 [CRITICAL]
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
VulnCheck
WatchGuard Firebox and XTM Appliances Arbitrary Code Execution
vulncheck · 2022 · CVSS 9.8 · CVE-2022-26318 [CRITICAL] · CWE-122 (heap-based buffer overflow)
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code.
Affected: WatchGuard Firebox and XTM Appliances
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
- https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/
Exploit PoC: https://vulncheck.com/xdb/d133
CISA
WatchGuard Firebox and XTM Appliances Arbitrary Code Execution
cisa · 2022-03-25 · CVSS 9.8 · CVE-2022-26318 [CRITICAL] · CWE-122 (heap-based buffer overflow)
Affected: WatchGuard Firebox and XTM Appliances
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-26318
Remediation Due Date: 2022-04-15
Suricata
ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1
suricata · 2022-03-29 · CVSS 9.8 · CVE-2022-26318 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; nocase; http.request_body; content:"|3c|methodName|3e|"; content:"login|3c 2f|methodName|3e|"; within:50; fast_pattern; nocase; content:"|3c|member|3e 3c|value|3e 3c|"; distance:0; nocase; content:!"|3e|"; within:400; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035633; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployme
Suricata
ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2
suricata · 2022-03-29 · CVSS 9.8 · CVE-2022-26318 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.request_body; content:"|3c|methodName|3e|"; nocase; content:"login|3c 2f|methodName|3e|"; within:50; nocase; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035634; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deploy
Suricata
ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3
suricata · 2022-03-29 · CVSS 9.8 · CVE-2022-26318 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.request_header; header_lowercase; content:"content-encoding|3a 20|gzip"; startswith; http.request_body; content:"|1f 8b|"; startswith; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035635; rev:3; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve
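An added example, not part of the ET ruleset or of any source on this page: an offline, approximate re-implementation of the three rule bodies above, run over constructed HTTP requests so the matching logic can be exercised without a sensor. It mirrors the `content` / `within` / `distance` / `byte_test` clauses as this editor reads them (a `within:N` match must end inside N bytes of the previous match, `distance:0` means anywhere after it, a negated `content` with `within:400` fires when the byte is absent from the following 400 bytes); it is not Suricata, ignores flow state, ports and TLS, and the three sample requests, the XML-RPC body layout and the `firebox.example.internal` host are constructed for the demonstration.

```python
"""Added example: approximate re-implementation of the M1/M2/M3 ET rule bodies
for CVE-2022-26318 over constructed HTTP requests.  Not a Suricata engine."""
import gzip
import hashlib

LOGIN_PATH = b"POST /agent/login"
OPEN_TAG = b"<methodname>"          # compared against a lower-cased body (nocase)
CLOSE_TAG = b"login</methodname>"
VALUE_TAG = b"<member><value><"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _content_length(headers) -> int:
    """byte_test on the declared Content-Length; unparsable values count as 0."""
    try:
        return int(headers.get(b"content-length", b"0"))
    except ValueError:
        return 0


def _login_call_end(body: bytes) -> int:
    """M1/M2 shared clause: '<methodName>' followed by 'login</methodName>' ending
    within 50 bytes of it.  Returns the offset just past the closing tag, or -1."""
    low = body.lower()
    start = 0
    while (i := low.find(OPEN_TAG, start)) >= 0:
        anchor = i + len(OPEN_TAG)
        j = low.find(CLOSE_TAG, anchor, anchor + 50)   # within:50 -> whole match inside window
        if j >= 0:
            return j + len(CLOSE_TAG)
        start = i + 1
    return -1


def rule_m1(request_line, headers, body) -> bool:
    """sid:2035633 - login call whose '<member><value><' is not closed for 400 bytes."""
    if not request_line.lower().startswith(LOGIN_PATH.lower()):   # nocase on request line
        return False
    end = _login_call_end(body)
    if end < 0:
        return False
    k = body.lower().find(VALUE_TAG, end)           # distance:0 -> anywhere after the login tag
    if k < 0:
        return False
    opened = k + len(VALUE_TAG)
    return b">" not in body[opened:opened + 400]    # content:!">"; within:400


def rule_m2(request_line, headers, body) -> bool:
    """sid:2035634 - login call with a declared Content-Length over 450 bytes."""
    return (request_line.startswith(LOGIN_PATH)     # M2/M3 have no nocase on the request line
            and _content_length(headers) > 450
            and _login_call_end(body) >= 0)


def rule_m3(request_line, headers, body) -> bool:
    """sid:2035635 - gzip-encoded request over 450 bytes whose body starts with the gzip magic."""
    return (request_line.startswith(LOGIN_PATH)
            and _content_length(headers) > 450
            and headers.get(b"content-encoding", b"").lower().startswith(b"gzip")
            and body.startswith(b"\x1f\x8b"))


def classify(raw: bytes):
    """Names of the rules that would alert on this request."""
    request_line, headers, body = parse_request(raw)
    rules = (("M1", rule_m1), ("M2", rule_m2), ("M3", rule_m3))
    return [name for name, rule in rules if rule(request_line, headers, body)]


def build_request(body: bytes, *extra_headers: bytes) -> bytes:
    """Constructed request to a hypothetical management interface (not captured traffic)."""
    head = (b"POST /agent/login HTTP/1.1\r\n"
            b"Host: firebox.example.internal:8080\r\n"
            b"Content-Type: text/xml\r\n")
    for header in extra_headers:
        head += header + b"\r\n"
    head += b"Content-Length: %d\r\n\r\n" % len(body)
    return head + body


# Constructed sample bodies; the XML-RPC login layout is assumed, not vendor-documented here.
_XML_HEAD = b'<?xml version="1.0"?><methodCall><methodName>login</methodName><params><param><value><struct>'
_XML_TAIL = b"</struct></value></param></params></methodCall>"

BENIGN_LOGIN = build_request(
    _XML_HEAD
    + b"<member><name>user</name><value><string>admin</string></value></member>"
    + b"<member><name>domain</name><value><string>Firebox-DB</string></value></member>"
    + _XML_TAIL)

# Overflow shape: an opening '<' that is never closed, padded well past the 400-byte window.
OVERFLOW_LOGIN = build_request(_XML_HEAD + VALUE_TAG + b"A" * 600 + _XML_TAIL)

# gzip-wrapped login with incompressible filler so the declared length stays above 450.
_FILLER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))
GZIP_LOGIN = build_request(
    gzip.compress(_XML_HEAD + b"<member><name>blob</name><value><base64>" + _FILLER + _XML_TAIL, mtime=0),
    b"Content-Encoding: gzip")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LOGIN), ("overflow", OVERFLOW_LOGIN), ("gzip", GZIP_LOGIN)):
        print(f"{label:9s} -> {classify(sample)}")
```

The oversized plaintext login trips both M1 and M2, the gzip-wrapped one only M3, and the short benign login none, which is the coverage split the three rules are built for: M2 and M3 key on size and encoding, M1 on the unterminated value. Because the sensor only sees these requests after TLS decryption, the rules will stay silent on an intact HTTPS session to the management port.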
GreyNoise
WatchGuard CVE-2022-26318 RCE Detection, IOCs, and Prevention for Defenders
blogs_greynoiseio · CVSS 9.8 · [CRITICAL]
References
- https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7_2/index.html#Fireware/en-US/resolved_issues.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26318
Timeline
2022-03-04 · Published
2022-03-25 · Added to CISA KEV
Exploited in the wild