CVE-2022-23176
Published: 24 February 2022
Summary
CVE-2022-23176 is a high-severity vulnerability in WatchGuard Fireware whose weakness type (CWE) is not specified. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
WatchGuard Firebox and XTM appliances running Fireware OS versions prior to 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3 contain an authorization bypass in the management interface. The flaw permits a remote attacker who already possesses unprivileged credentials to obtain a privileged management session when management access is exposed to the network.
An attacker with low-privileged credentials can exploit the issue over the network without user interaction to achieve full administrative control, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.8 score. This effectively allows escalation from a limited account to complete device compromise.
Vendor release notes direct customers to apply the listed Fireware updates that correct the session-handling weakness. Public reporting indicates the vulnerability was exploited in the wild by Russian threat actors before WatchGuard issued a complete advisory, and the current EPSS score of 0.1017 reflects sustained exploitation interest after disclosure.
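As an added example (not code from the advisory or from WatchGuard), the checker below encodes the three affected version ranges quoted above so that an asset inventory can be screened for unpatched Fireware builds. Reading the ranges as three maintained branches, each with its own first fixed build, and treating the `_U` suffix as a numeric update counter that sorts after the bare release, are assumptions made here.

```python
"""Screen WatchGuard Fireware OS version strings against the ranges
listed for CVE-2022-23176 (added example, not vendor code).

Ranges from the advisory text on this page:
  * before 12.7.2_U1
  * 12.x before 12.1.3_U3
  * 12.2.x through 12.5.x before 12.5.7_U3
Assumption: these describe three maintained branches, each with its own
first fixed build; "12.5.7_U3" means release 12.5.7, update 3, and a bare
"12.5.7" sorts before "12.5.7_U1".
"""
from __future__ import annotations

# (lowest branch, highest branch, first fixed build); a branch is the
# leading (major, minor) pair of the version.
FIXED_BUILDS = [
    ((12, 0), (12, 1), "12.1.3_U3"),  # 12.0.x / 12.1.x
    ((12, 2), (12, 5), "12.5.7_U3"),  # 12.2.x through 12.5.x
    ((12, 6), (12, 7), "12.7.2_U1"),  # 12.6.x / 12.7.x ("before 12.7.2_U1")
]


def parse_version(v: str) -> tuple:
    """Turn "12.5.7_U3" into a sortable tuple (12, 5, 7, 3).

    Parts compare numerically, so 12.10.1 > 12.9.1 and 12.5.7 < 12.5.7_U1.
    Raises ValueError on strings that are not of the form a.b[.c][_Un].
    """
    release, _, update = v.strip().partition("_U")
    parts = [int(p) for p in release.split(".")]
    if len(parts) < 2:
        raise ValueError(f"unrecognised Fireware version: {v!r}")
    while len(parts) < 3:  # pad "12.7" to (12, 7, 0)
        parts.append(0)
    return tuple(parts) + (int(update) if update else 0,)


def is_affected(version: str) -> bool:
    """Return True if the build is inside an affected range for CVE-2022-23176."""
    parsed = parse_version(version)
    branch = parsed[:2]
    for low, high, fixed in FIXED_BUILDS:
        if low <= branch <= high:
            return parsed < parse_version(fixed)
    # Outside the listed branches: older than the newest fix (e.g. 11.x) is
    # treated as affected, newer (12.8 and later) as fixed. Assumption: the
    # page gives no separate guidance for those releases.
    return parsed < parse_version("12.7.2_U1")
```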
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28267
Vulnerability details
WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.
- CWE(s): not specified
- KEV Date Added: 11 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces that unprivileged credentials cannot obtain a privileged management session on the exposed interface.
- AC-6 (Least Privilege): limits accounts to the minimum privileges required, reducing the impact of any successful authentication bypass to full administrative control.
- Vendor patching: requires prompt application of the vendor patches that close the authentication bypass in the cited Fireware releases.