Cyber Resilience

CVE-2022-26318

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 04 March 2022

Modified: 13 November 2025
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9255 (99.8th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26318 is a critical-severity vulnerability in WatchGuard Fireware; its weakness type is unspecified. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-26318 is an unauthenticated remote code execution vulnerability affecting WatchGuard Firebox and XTM appliances running Fireware OS versions prior to 12.7.2_U2, 12.1.3_U8, and 12.5.9_U2. The flaw permits an attacker to execute arbitrary code on the device without requiring credentials or user interaction, reflected in its CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can exploit the issue over the network to achieve full compromise of the appliance, including the ability to read, modify, or delete data and to alter device behavior. Because the attack requires no authentication or special preconditions, it can be launched from anywhere with network reachability to the management or exposed interfaces.

WatchGuard’s Fireware 12.7.2 release notes list the issue as resolved under FBX-22786 and direct customers to upgrade to the fixed builds. CISA has added CVE-2022-26318 to its Known Exploited Vulnerabilities catalog, confirming that the flaw has been observed in active exploitation campaigns.

The EPSS score remains consistently high near 0.93, indicating sustained exploitation interest after public disclosure.

Vulnerability details

On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.

CWE(s)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

watchguard
fireware
12.1.3, 12.5.9, 12.7.2 · 12.0.0 — 12.1.3 · 12.5 — 12.5.9 · 12.7.0 — 12.7.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of vendor patches that close the unauthenticated RCE flaw in Fireware OS versions listed in the CVE.

detect

Mandates vulnerability scanning that would identify the exact unpatched Fireware OS releases (prior to 12.7.2_U2, 12.1.3_U8, 12.5.9_U2) known to contain FBX-22786.

prevent · detect

Requires integrity verification of firmware images and running code, which can block or detect unauthorized modifications resulting from successful exploitation of the RCE.
