CVE-2025-6946: Critical Stored XSS Found in WatchGuard Fireware OS IPS Module

Overview

CVE-2025-6946 is a stored Cross-Site Scripting (XSS) vulnerability in WatchGuard Fireware OS, located in the Intrusion Prevention System (IPS) module. A successful exploit could allow an authenticated administrator to inject malicious scripts that execute within the context of other administrators' sessions. Exploitation requires an authenticated administrator session on a locally managed Firebox.

Technical Details

The vulnerability stems from improper neutralization of input during web page generation within the IPS module’s configuration interface. An attacker with administrator privileges can inject arbitrary JavaScript code into a field that is later displayed to other administrators. This injected script can then execute malicious actions, such as stealing session cookies, modifying configuration settings, or performing other unauthorized actions on behalf of the compromised administrator.

Specifically, the vulnerability exists in Firebox devices running Fireware OS versions 12.0 through 12.11.2.
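
To triage a fleet against that range, the following added example (not WatchGuard's or the original article's code) classifies version strings exported from an inventory. The device names, the sample strings and the assumption that a version begins with a dotted number are constructed for illustration; "outside-range" means only that the version is not in the range stated above, not that it is confirmed fixed.

```python
import re

# Affected range as stated on this page: Fireware OS 12.0 through 12.11.2.
AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (12, 11, 2)

# Assumption: the string starts with major.minor[.patch]; any suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from the leading dotted number, or None."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())


def classify(version_text):
    """Return 'affected', 'outside-range' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: check the device by hand
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"  # suffixes are ignored, so this errs toward flagging
    return "outside-range"


def triage(inventory):
    """Group device names by classification."""
    report = {"affected": [], "outside-range": [], "unknown": []}
    for name, version_text in inventory:
        report[classify(version_text)].append(name)
    return report


# Constructed sample inventory (device names and version strings are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "12.11.2"),
    ("fw-branch-02", "12.0"),
    ("fw-hq-01", "12.5.9 Update 2"),
    ("fw-dc-01", "12.11.3"),
    ("fw-lab-01", "11.12.4"),
    ("fw-lab-02", "12.10.4.B999999"),
    ("fw-dr-01", "unknown"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:14} {', '.join(names) or '-'}")
```

Devices reported as "unknown" should be checked manually rather than assumed safe.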

CVSS Analysis

At the time of publication, a CVSS score is not yet available. However, given that this is a Stored XSS vulnerability requiring administrator access and potentially allowing for privilege escalation and data compromise, the severity is likely to be rated as Medium to High. A full CVSS analysis will be provided once available.

Possible Impact

Exploitation of this vulnerability can lead to the following:

  • Account Takeover: An attacker could steal administrator session cookies, gaining persistent access to the Firebox device.
  • Configuration Modification: The attacker could modify firewall rules, VPN settings, and other critical configurations, potentially compromising network security.
  • Data Exfiltration: Malicious scripts could be used to exfiltrate sensitive data from the Firebox device or connected networks.
  • Denial of Service: The attacker could disrupt normal Firebox operations, leading to a denial of service for network users.

Mitigation or Patch Steps

WatchGuard has released a patch to address this vulnerability. It is strongly recommended that all users running affected versions of Fireware OS upgrade to a patched version as soon as possible.

To mitigate the risk before patching, carefully validate and sanitize any input provided to the IPS module configuration and restrict access to the Firebox management interface to trusted administrators only.

Please consult the official WatchGuard advisory (linked below) for specific upgrade instructions and recommended versions.

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.