CVE-2022-26318
Published: 04 March 2022
Summary
CVE-2022-26318 is a critical-severity vulnerability of unspecified weakness type in WatchGuard Fireware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-26318 is an unauthenticated remote code execution vulnerability affecting WatchGuard Firebox and XTM appliances running Fireware OS versions prior to 12.7.2_U2, 12.1.3_U8, and 12.5.9_U2. The flaw permits an attacker to execute arbitrary code on the device without requiring credentials or user interaction, reflected in its CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker can exploit the issue over the network to achieve full compromise of the appliance, including the ability to read, modify, or delete data and to alter device behavior. Because the attack requires no authentication or special preconditions, it can be launched from anywhere with network reachability to the management or exposed interfaces.
WatchGuard’s Fireware 12.7.2 release notes list the issue as resolved under FBX-22786 and direct customers to upgrade to the fixed builds. CISA has added CVE-2022-26318 to its Known Exploited Vulnerabilities catalog, confirming that the flaw has been observed in active exploitation campaigns.
The EPSS score remains consistently high near 0.93, indicating sustained exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30879
Vulnerability details
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
- CWE(s)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Directly requires timely application of vendor patches that close the unauthenticated RCE flaw in the Fireware OS versions listed in the CVE.
RA-5 (Vulnerability Monitoring and Scanning): Mandates vulnerability scanning that would identify the exact unpatched Fireware OS releases (prior to 12.7.2_U2, 12.1.3_U8, 12.5.9_U2) known to contain FBX-22786.
Requires integrity verification of firmware images and running code, which can block or detect unauthorized modifications resulting from successful exploitation of the RCE.
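A version triage for the affected ranges listed under "Vulnerability details", as an added example (not WatchGuard's or this page's own code). It assumes inventory versions are recorded in the `12.5.9_U2` form used on this page; the function names and the shape of the inventory are hypothetical.

```python
import re

# Fixed builds named in the advisory text, as (major, minor, patch, update).
FIX_12_1 = (12, 1, 3, 8)  # 12.1.3_U8
FIX_12_5 = (12, 5, 9, 2)  # 12.5.9_U2
FIX_12_7 = (12, 7, 2, 2)  # 12.7.2_U2

# Assumed version format: MAJOR.MINOR[.PATCH][_U<update>], e.g. "12.5.9_U2".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_U(\d+))?$", re.IGNORECASE)


def parse_fireware(version):
    """Parse a version string into a comparable 4-tuple.

    A missing patch or update level is treated as 0, so a bare "12.5.9"
    sorts below "12.5.9_U2" and is reported as affected (conservative).
    """
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def fixed_build_for(v):
    """Pick the fixed build that applies to this version's branch."""
    branch = v[:2]
    if (12, 2) <= branch <= (12, 5):      # "12.2.x through 12.5.x"
        return FIX_12_5
    if branch in ((12, 0), (12, 1)):      # "12.x before 12.1.3_U8"
        return FIX_12_1
    return FIX_12_7                       # everything else: "before 12.7.2_U2"


def is_affected(version):
    v = parse_fireware(version)
    return v < fixed_build_for(v)


def triage(inventory):
    """Map hostname -> 'affected' | 'fixed' | 'unknown' for a {host: version} dict.

    Unparseable versions are 'unknown' so they get manual review instead of
    silently passing the check.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result
```
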