Attackers can attack WatchGuard Firebox web interface

Under certain conditions, attackers can attack WatchGuard Firebox. This can lead to malware entering systems. WatchGuard Dimension and WebBlockerServer are vulnerable via a Linux kernel vulnerability. Security updates are available for download. So far, there are no reports of attackers exploiting the vulnerabilities.

Malware attacks possible

As stated in a warning message, remote attackers can exploit a vulnerability (CVE-2026-3987 "high") in the Fireware OS Web UI of Firebox firewalls to execute malicious code in the context of a system process with elevated privileges. However, this only works if attackers are already authenticated.

According to the developers, Fireware OS 12.6.1 up to and including 12.11.8 and 2025.1 up to and including 2026.1.2 are affected. WatchGuard lists the specifically affected models in the warning message. Versions 12.12 and 2026.2 provide a remedy.

Root vulnerability

Dimension v2.3 and WebBlockerServer v2.1 run on an Ubuntu version affected by two Linux kernel vulnerabilities (CVE-2026-23268 "high", CVE-2026-23269 "high") in the Linux Mandatory Access Control (MAC) Framework AppArmor. According to the description of the vulnerabilities, an attacker needs access to the local file system. If this is the case, they can escalate to the root user and thus execute a DoS attack, for example. As a rule, attackers also gain full control over successfully attacked systems as root. How such an attack could proceed in detail is currently unclear.

To update the Linux kernel for both WatchGuard products, administrators must follow the instructions in a support article.

(des)