CVE-2022-23176

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 February 2022

Modified: 03 November 2025
KEV Added: 11 April 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1017 (93.3rd percentile)
Risk Priority: 44 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23176 is a high-severity vulnerability, with an unspecified weakness class, in WatchGuard Fireware. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

WatchGuard Firebox and XTM appliances running Fireware OS versions prior to 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3 contain an authorization bypass in the management interface. The flaw permits a remote attacker who already possesses unprivileged credentials to obtain a privileged management session when management access is exposed to the network.

An attacker with low-privileged credentials can exploit the issue over the network without user interaction to achieve full administrative control, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.8 score. This effectively allows escalation from a limited account to complete device compromise.

Vendor release notes direct customers to apply the listed Fireware updates that correct the session-handling weakness. Public reporting indicates the vulnerability was exploited in the wild by Russian threat actors before WatchGuard issued a complete advisory, and the current EPSS score of 0.1017 reflects sustained exploitation interest after disclosure.

Vulnerability details

WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.

CWE(s)
KEV Date Added: 11 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

watchguard
fireware
12.1.3, 12.5.7, 12.7.2 · 12.0.0 — 12.1.3 · 12.2.0 — 12.5.7

Mitigating Controls (NIST 800-53 r5)

prevent

Directly enforces that unprivileged credentials cannot obtain a privileged management session on the exposed interface.

prevent

Limits accounts to the minimum privileges required, reducing the impact of any successful authorization bypass that would otherwise lead to full administrative control.

prevent

Requires prompt application of vendor patches that close the authorization bypass in the cited Fireware releases.