Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13374

CVE-2026-13374: WatchGuard Fireware Stored XSS Vulnerability

CVE-2026-13374 is a stored cross-site scripting vulnerability in WatchGuard Fireware OS ConnectWise module that enables attackers to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-13374 Overview

CVE-2026-13374 is a stored cross-site scripting (XSS) vulnerability in the ConnectWise Technology Integration module of WatchGuard Fireware OS. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. WatchGuard identifies this issue as an additional unmitigated attack path for CVE-2025-13937, meaning prior remediation efforts did not close every exploitable vector.

An authenticated attacker with high privileges can inject persistent script content that executes in the browser of another administrator who views the affected page. Successful exploitation requires user interaction, but the payload persists on the appliance until removed.

Critical Impact

An authenticated attacker can inject stored JavaScript into the Fireware management interface, enabling session-context actions against other administrators who load the poisoned page.

Affected Products

  • WatchGuard Fireware OS 12.4 through 12.12
  • WatchGuard Fireware OS 12.5 through 12.5.18
  • WatchGuard Fireware OS 2025.1 through 2026.2 (Firebox M-series, T-series, NV5, FireboxV, FireboxCloud)

Discovery Timeline

  • 2026-07-03 - CVE-2026-13374 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-13374

Vulnerability Analysis

The vulnerability resides in the ConnectWise Technology Integration module of Fireware OS. This module handles integration data used to link Firebox appliances with ConnectWise remote monitoring and management (RMM) workflows. The module fails to neutralize special characters in input fields before rendering them in the administrative web interface.

Because the injected content is persisted in appliance configuration or state, the attack is classified as stored (persistent) XSS rather than reflected. Any administrator who navigates to the affected view will execute the attacker-controlled script in the trust context of the Fireware management UI. This can be leveraged to perform actions on behalf of the victim administrator, tamper with rendered configuration data, or pivot into further management-plane abuse.

WatchGuard notes this issue is a residual attack path left open after the fix for CVE-2025-13937. The EPSS score is 0.292% (21.06 percentile) as of the 2026-07-09 assessment.

Root Cause

The root cause is missing or insufficient output encoding of ConnectWise integration parameters when they are inserted into HTML responses rendered by the Fireware management interface. Prior remediation for CVE-2025-13937 addressed one input path, but at least one field or code path in the same module continued to render untrusted input without adequate contextual escaping.

Attack Vector

Exploitation requires network access to the Fireware management interface and authenticated access with high privileges (PR:H). The attacker submits a payload through the ConnectWise Technology Integration module. The payload is stored server-side. When a legitimate administrator later views the affected page, the browser executes the injected script under the origin of the management UI. User interaction is required (UI:P) because a victim administrator must load the poisoned view.

The vulnerability does not directly impact vulnerable-system confidentiality, integrity, or availability, but it does affect subsequent-system confidentiality and integrity within the administrator's browser context.

Detection Methods for CVE-2026-13374

Indicators of Compromise

  • Unexpected <script>, onerror, onload, or JavaScript URI content inside ConnectWise integration configuration fields stored on Firebox appliances.
  • Administrator sessions performing configuration changes that do not correlate with legitimate admin activity or ticketed changes.
  • Browser console errors or Content Security Policy violations logged when loading the ConnectWise integration view in the Fireware UI.

Detection Strategies

  • Audit stored ConnectWise Technology Integration fields for HTML metacharacters (<, >, ", ') and JavaScript keywords such as script, onerror, javascript:.
  • Review Fireware audit logs for write operations to ConnectWise integration settings performed by any high-privilege account, correlating against change management records.
  • Compare running Fireware OS versions against the affected ranges (12.4–12.12, 12.5–12.5.18, 2025.1–2026.2) to identify exposure.

Monitoring Recommendations

  • Restrict and log access to the Fireware management interface, alerting on administrative logins from unexpected source addresses or outside maintenance windows.
  • Forward Firebox audit and authentication events to a central data lake or SIEM to correlate admin activity with configuration changes in the ConnectWise module.
  • Monitor administrator workstations for anomalous browser-originated requests to the Firebox management interface following a session with the ConnectWise integration page.

How to Mitigate CVE-2026-13374

Immediate Actions Required

  • Apply the fixed Fireware OS release referenced in WatchGuard Security Advisory WGSA-2026-00016 as soon as available.
  • Restrict access to the Firebox management interface to a dedicated management network and trusted administrator hosts only.
  • Review and remove any suspicious content stored in ConnectWise Technology Integration configuration fields.
  • Rotate credentials for high-privilege Fireware administrator accounts if abuse of the ConnectWise module is suspected.

Patch Information

Refer to WatchGuard Security Advisory WGSA-2026-00016 for the specific Fireware OS fixed versions and upgrade guidance. This advisory supersedes the mitigation associated with CVE-2025-13937, which did not fully close the affected code path.

Workarounds

  • Disable the ConnectWise Technology Integration module on Firebox appliances that do not require it until a patched Fireware OS release is deployed.
  • Enforce role separation so that only a minimal set of administrators can modify integration module settings, reducing the number of accounts that could inject a stored payload.
  • Require administrators to use isolated, hardened browsers or dedicated management workstations when accessing the Fireware UI to limit the impact of stored script execution.
bash
# Configuration example
# Restrict Fireware management access to a dedicated admin subnet
# (adjust interfaces and subnets to match your environment)
policy management-access
  from 10.10.50.0/24
  to firebox
  service HTTPS
  action allow

policy management-access-default
  from any
  to firebox
  service HTTPS
  action deny

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.