CVE-2026-13084

WatchGuard · Fireware OS

A null pointer dereference in WatchGuard Fireware OS allows unauthenticated remote attackers to trigger a denial-of-service via crafted IKEv2 messages.

Executive summary

A critical denial-of-service vulnerability in WatchGuard Fireware OS allows unauthenticated remote attackers to crash network security appliances.

Vulnerability

This vulnerability is a null pointer dereference occurring during the processing of IKEv2 messages. It can be triggered by a remote, unauthenticated attacker who sends specially crafted packets to the appliance, causing the system to crash or become unresponsive.

Business impact

The CVSS score of 8.7 highlights the severe risk to perimeter security. If an attacker successfully forces a crash of the firewall, the organization’s network defenses are neutralized, resulting in a total loss of visibility and protection, together with potential system downtime.

Remediation

Immediate Action: Apply the latest WatchGuard Fireware OS firmware updates to all affected network appliances as soon as possible.

Proactive Monitoring: Monitor firewall health status, CPU load, and system logs for signs of sudden reboots or abnormal IKEv2 processing errors.

Compensating Controls: If immediate patching is not feasible, restrict IKEv2 traffic to known, trusted peer IP addresses at the edge to reduce the attack surface.
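The monitoring and compensating-control items above can be tied together in a small log check. The following is an added example, not code from WatchGuard or from this advisory: it reads syslog-style lines, flags IKEv2 processing errors from peers outside a trusted allowlist (the traffic the edge filter would drop), and flags a reboot preceded by a burst of IKEv2 errors, which is the trace an IKE-daemon crash would leave. The line format, process names, message wording, the allowlist, and the sample log are all constructed for the example and are not the Fireware OS log format.

```python
"""
Added example: detect (1) IKEv2 errors from untrusted peers and (2) reboots
preceded by a burst of IKEv2 errors, over constructed syslog-style lines.
The log format and field names are invented here; they are NOT Fireware's.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed line shape: "<ISO timestamp> <process>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<proc>\w+): (?P<msg>.*)$"
)
IKE_ERR_RE = re.compile(r"ikev2 error peer=(?P<peer>[0-9a-fA-F.:]+)")
REBOOT_RE = re.compile(r"system (boot|reboot)")

# Constructed allowlist of VPN peers (TEST-NET-3 documentation range).
TRUSTED_PEERS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log: one trusted peer error, a burst from an untrusted
# peer, an unexpected boot 40 seconds later, then normal operation.
SAMPLE_LOG = """\
2026-03-01T10:00:01 iked: ikev2 error peer=203.0.113.7 invalid SPI
2026-03-01T10:00:02 iked: ikev2 error peer=198.51.100.9 malformed payload
2026-03-01T10:00:02 iked: ikev2 error peer=198.51.100.9 malformed payload
2026-03-01T10:00:03 iked: ikev2 error peer=198.51.100.9 malformed payload
2026-03-01T10:00:03 iked: ikev2 error peer=198.51.100.9 malformed payload
2026-03-01T10:00:04 iked: ikev2 error peer=198.51.100.9 malformed payload
2026-03-01T10:00:41 kernel: system boot (reason=unexpected)
2026-03-01T10:05:00 iked: ikev2 established peer=203.0.113.7
"""


def parse(log: str):
    """Yield (timestamp, process, message) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["proc"], m["msg"]


def is_trusted(ip: str) -> bool:
    """True if the peer address falls inside the trusted allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PEERS)


def analyze(log: str, window_s: int = 60, burst: int = 3) -> dict:
    """Return untrusted-peer error counts and reboots preceded by error bursts.

    A reboot is a crash suspect when at least `burst` IKEv2 errors occurred in
    the `window_s` seconds before it.
    """
    untrusted = Counter()
    errors = []   # (timestamp, peer) for every IKEv2 error line
    reboots = []  # timestamps of boot/reboot markers
    for ts, _proc, msg in parse(log):
        m = IKE_ERR_RE.search(msg)
        if m:
            errors.append((ts, m["peer"]))
            if not is_trusted(m["peer"]):
                untrusted[m["peer"]] += 1
        elif REBOOT_RE.search(msg):
            reboots.append(ts)

    crash_suspects = []
    for rb in reboots:
        prior = [p for t, p in errors if 0 <= (rb - t).total_seconds() <= window_s]
        if len(prior) >= burst:
            crash_suspects.append({
                "reboot": rb.isoformat(),
                "ike_errors_before": len(prior),
                "peers": sorted(set(prior)),
            })
    return {"untrusted_ike_errors": dict(untrusted), "crash_suspects": crash_suspects}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Peers that show up under `untrusted_ike_errors` are exactly the ones an edge allowlist on UDP/500 and UDP/4500 would have kept away from the appliance; a non-empty `crash_suspects` list is the "sudden reboot after abnormal IKEv2 processing" signal the monitoring item asks for and should be raised as an incident while the firmware update is scheduled.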

Exploitation status

Public Exploit Available: false

Analyst recommendation

The high CVSS score and the nature of this vulnerability as a remote, unauthenticated denial-of-service attack make it a high priority for remediation. Network administrators must treat this as an urgent task to maintain the stability and security of their network perimeter.