CVE-2026-13368
WatchGuard · Fireware OS
A use-after-free race condition in WatchGuard Fireware OS allows unauthenticated remote attackers to execute arbitrary code via the IKEv2 Mobile VPN.
Executive summary
A critical use-after-free vulnerability in the WatchGuard Fireware OS LDAP authentication process allows unauthenticated attackers to achieve remote code execution.
Vulnerability
This is a race condition leading to a use-after-free vulnerability within the LDAP authentication module for IKEv2 VPNs. An unauthenticated remote attacker can trigger this flaw to execute code within the context of the 'iked' service.
Business impact
The CVSS score of 9.2 highlights the critical nature of this vulnerability, as it allows for unauthenticated remote code execution on edge networking hardware. Compromise of a VPN gateway provides an attacker with a foothold into the internal network, potentially leading to widespread lateral movement and full data exfiltration.
Remediation
Immediate Action: Upgrade all affected WatchGuard Fireware OS devices to the latest patched version provided by the vendor as soon as possible.
Proactive Monitoring: Review VPN session logs for unusual connection attempts or crashes of the 'iked' process, which may indicate an exploitation attempt.
Compensating Controls: If patching is not immediately feasible, restrict access to the VPN gateway to known, trusted IP addresses and consider disabling IKEv2 if a viable alternative authentication method exists.
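As an added illustration of the Proactive Monitoring step above (this is example code, not part of the advisory or of any WatchGuard tooling), the following Python script scans VPN logs for iked crash/restart events and for bursts of IKEv2 authentication attempts from a single source, then reports which sources were talking to iked in the minute before a crash. The syslog-like log layout, hostnames, addresses and field names are constructed assumptions, not the real Fireware OS log format; adjust the two regexes to the appliance's actual fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical syslog-like layout (assumption: NOT the
# real Fireware OS format). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z fw1 iked: IKEv2 AUTH src=203.0.113.7 user=alice method=ldap result=ok
2026-03-01T10:05:10Z fw1 iked: IKEv2 AUTH src=192.0.2.55 user=x method=ldap result=fail
2026-03-01T10:05:11Z fw1 iked: IKEv2 AUTH src=192.0.2.55 user=x method=ldap result=fail
2026-03-01T10:05:12Z fw1 iked: IKEv2 AUTH src=192.0.2.55 user=x method=ldap result=fail
2026-03-01T10:05:13Z fw1 iked: IKEv2 AUTH src=192.0.2.55 user=x method=ldap result=fail
2026-03-01T10:05:14Z fw1 kernel: iked[1234] terminated by signal 11 (SIGSEGV)
2026-03-01T10:05:15Z fw1 init: iked restarted pid=1290
2026-03-01T11:00:00Z fw1 iked: IKEv2 AUTH src=203.0.113.7 user=alice method=ldap result=ok
"""

# Hypothetical field layout; replace with the appliance's own log fields.
AUTH_RE = re.compile(r"^(\S+) \S+ iked: IKEv2 AUTH src=(\S+) .*result=(\w+)")
CRASH_RE = re.compile(r"^(\S+) \S+ (?:kernel: iked\[\d+\] terminated|init: iked restarted)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_indicators(log, burst=3, window=timedelta(seconds=60)):
    """Return (crash/restart timestamps, sources with an AUTH burst,
    sources that exchanged IKEv2 AUTH with iked within `window` before a crash)."""
    attempts = defaultdict(list)  # src -> timestamps of IKEv2 AUTH exchanges
    crashes = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            attempts[m.group(2)].append(_ts(m.group(1)))
            continue
        m = CRASH_RE.match(line)
        if m:
            crashes.append(_ts(m.group(1)))
    # A source is "bursty" if any `burst` consecutive attempts fit inside `window`.
    bursty = set()
    for src, times in attempts.items():
        times.sort()
        if any(times[i + burst - 1] - times[i] <= window
               for i in range(len(times) - burst + 1)):
            bursty.add(src)
    # Sources active shortly before a crash/restart are worth a closer look.
    suspects = {src for c in crashes for src, times in attempts.items()
                if any(c - window <= t <= c for t in times)}
    return crashes, bursty, suspects
```

A source that is both bursty and active just before an iked crash (192.0.2.55 in the constructed sample) is the pattern the monitoring guidance above asks administrators to look for; a crash with no such source still warrants a review of the surrounding log lines.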
Exploitation status
Public Exploit Available: N/A
Analyst recommendation
This vulnerability is highly critical due to the potential for remote code execution on a security appliance. It is imperative that administrators prioritize the firmware update to secure the perimeter and prevent unauthorized access to the internal network.