CVE-2026-3342
Published: 03 March 2026
Summary
CVE-2026-3342 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Watchguard Fireware. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 49.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-3342 is an out-of-bounds write vulnerability (CWE-787) in WatchGuard Fireware OS that enables an authenticated privileged administrator to execute arbitrary code with root permissions through an exposed management interface. The issue affects Fireware OS versions 11.9 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.7, and 2025.1 up to and including 2026.1.1. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Exploitation requires an attacker to possess authenticated privileged administrator credentials and network access to the exposed management interface. Successful exploitation allows arbitrary code execution with root privileges on the affected device, potentially leading to full compromise of the firewall.
For mitigation details, refer to the WatchGuard PSIRT advisory at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00003.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9288
Vulnerability details
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow an authenticated privileged administrator to execute arbitrary code with root permissions via an exposed management interface. This vulnerability affects Fireware OS 11.9 up to and including 11.12.4_Update1, 12.0 up to…
more
and including 12.11.7 and 2025.1 up to and including 2026.1.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in exposed management interface allows authenticated admin to escalate directly to root-level arbitrary code execution on the firewall OS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Restricts network exposure of the Fireware management interface, directly blocking the required attack vector for the out-of-bounds write.
Limits assignment of privileged administrator accounts that are required to trigger arbitrary code execution with root privileges.
Mandates timely installation of WatchGuard patches that remediate the CWE-787 flaw in affected Fireware versions.