CVE-2026-13383
WatchGuard · Fireware OS
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS ikestubd process allows authenticated privileged users to execute arbitrary code via crafted Management Web UI requests.
Executive summary
An authenticated privileged user can exploit an out-of-bounds write vulnerability in the WatchGuard Fireware OS ikestubd process to execute arbitrary code.
Vulnerability
This vulnerability affects the ikestubd process, which handles IKE/IPsec-related tasks. It is reachable via the Management Web UI and requires the attacker to have authenticated privileged access to the system to trigger the out-of-bounds write.
Business impact
With a CVSS score of 8.6, this vulnerability represents a significant risk to the security of VPN and IPsec tunnels managed by the device. Exploitation could lead to the complete takeover of the appliance, exposing encrypted traffic and internal network segments to unauthorized actors.
Remediation
Immediate Action: Update the Fireware OS to the latest version provided by WatchGuard to mitigate the vulnerability in the ikestubd process.
Proactive Monitoring: Inspect system logs for unusual restarts of the ikestubd process or errors related to memory management.
Compensating Controls: Limit access to the Management Web UI to authenticated administrators from a secure, hardened management network.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this vulnerability necessitates immediate attention. Security teams should prioritize patching affected WatchGuard devices and ensure that administrative access is strictly controlled to mitigate the risk posed by potential privilege escalation or lateral movement within the network.