CVE-2026-13377 Overview
CVE-2026-13377 is a stored Cross-Site Scripting (XSS) vulnerability in the SIP Proxy module of WatchGuard Fireware OS [CWE-79]. The flaw stems from improper neutralization of user-controlled input during web page generation. WatchGuard identifies this issue as an additional unmitigated attack path for CVE-2025-6947, meaning the prior fix did not fully address the underlying injection surface.
An authenticated attacker with high privileges can inject persistent script payloads that execute in the browser context of subsequent administrators viewing the affected pages. The vulnerability affects Fireware OS 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2 across the Firebox appliance line and FireboxV/FireboxCloud virtual editions.
Critical Impact
Successful exploitation enables persistent script execution within the Fireware management interface, allowing session abuse and administrative actions against firewall configuration.
Affected Products
- WatchGuard Fireware OS 12.0 through 12.12
- WatchGuard Fireware OS 12.5 through 12.5.18
- WatchGuard Fireware OS 2025.1 through 2026.2 (Firebox M-series, T-series, NV5, FireboxV, FireboxCloud)
Discovery Timeline
- 2026-07-03 - CVE-2026-13377 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-13377
Vulnerability Analysis
The SIP Proxy module in Fireware OS processes and renders SIP-related configuration or traffic metadata within the Firebox management web interface. Data flowing through this module is stored and later rendered without adequate output encoding, permitting stored XSS.
Because this is a stored variant, injected payloads persist in the appliance state and trigger every time an administrator loads the affected view. The advisory explicitly notes that this vulnerability is an additional unmitigated attack path for CVE-2025-6947, indicating that the earlier remediation missed at least one sink or input path in the same module.
Exploitation requires an attacker who already holds high privileges on the Firebox and requires user interaction from a victim administrator loading the affected page. The scope is limited to browser-side effects, but those effects execute inside the Fireware management origin.
Root Cause
The root cause is missing or incomplete contextual output encoding in the SIP Proxy rendering path. Input data that traverses the SIP Proxy is stored in appliance state and later reflected into HTML without sanitization sufficient for the rendering context, violating the CWE-79 control.
Attack Vector
The attack vector is network-based against the Firebox management interface. A privileged attacker plants a payload through the SIP Proxy configuration or associated data path. When another administrator views the impacted management page, the browser parses the stored payload as script and executes it against the Fireware web UI, enabling actions such as configuration tampering or session token abuse in the victim's browser.
No public proof-of-concept, exploit code, or CISA KEV listing is currently associated with CVE-2026-13377.
Detection Methods for CVE-2026-13377
Indicators of Compromise
- Unexpected HTML tags, <script> fragments, or JavaScript event handlers stored in SIP Proxy policy names, aliases, or related SIP configuration fields.
- Administrator browser sessions producing anomalous outbound requests to unknown hosts immediately after loading Firebox management pages.
- Unauthorized configuration changes to firewall policies performed from a legitimate administrator's session shortly after they accessed the SIP Proxy views.
Detection Strategies
- Audit stored Fireware configuration data for HTML metacharacters (<, >, ", ') and JavaScript keywords in fields that should contain only alphanumeric identifiers.
- Inspect browser and web proxy logs for management-console pages sourcing script or fetch requests to external domains.
- Correlate administrator login events with subsequent privileged configuration changes to detect script-driven actions triggered by stored payloads.
Monitoring Recommendations
- Forward Fireware audit logs and management-plane access logs to a centralized SIEM and alert on out-of-band configuration changes.
- Restrict management interface access to a dedicated administrative network and monitor for connections from unexpected sources.
- Track versions in inventory tooling to flag any Firebox running Fireware 12.0–12.12, 12.5–12.5.18, or 2025.1–2026.2.
How to Mitigate CVE-2026-13377
Immediate Actions Required
- Apply the fixed Fireware OS release referenced in the WatchGuard Security Advisory WGSA-2026-00019 as soon as it is available for your platform.
- Restrict access to the Firebox web management interface to trusted administrative subnets only.
- Review SIP Proxy configuration entries and remove any fields containing HTML or script content.
- Rotate administrative credentials and invalidate active management sessions after patching.
Patch Information
WatchGuard has published remediation guidance in WGSA-2026-00019. Administrators should upgrade to the fixed Fireware OS branch identified for their release track (12.x, 12.5.x, or 2025.x/2026.x) as specified in the vendor advisory. Because CVE-2026-13377 addresses an unmitigated path from CVE-2025-6947, appliances patched only for the earlier CVE remain vulnerable.
Workarounds
- Disable the SIP Proxy policy where it is not required for business traffic.
- Enforce the principle of least privilege for Fireware administrator roles to reduce the pool of accounts capable of injecting stored payloads.
- Require administrators to access the Firebox web UI from isolated management browsers that do not share cookies or credentials with other applications.
# Configuration example: restrict Firebox management access to a trusted subnet
# (Apply through Policy Manager or Web UI)
policy: WatchGuard-Web-UI
from: 10.10.0.0/24 # trusted admin subnet only
to: Firebox
action: Allowed
log: enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

