Description
An authenticated administrator can trigger a denial-of-service condition in the Fireware Management Web UI by sending malformed or crafted data to the put_data endpoint, which performs unsafe deserialization of the attacker-supplied input.
Published: 2026-07-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator can trigger a denial-of-service condition in the Fireware Management Web UI by sending malformed data to the put_data endpoint. The vulnerability stems from unsafe deserialization of attacker-supplied input, which lets the application consume corrupted objects and halt processing. The resulting disruption affects the availability of the web UI and any services that rely on it, potentially preventing administrators from performing management tasks.

Affected Systems

The flaw affects WatchGuard Fireware OS on versions 12.0, 12.5, and 2025.1.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium-to-high severity. EPSS is not available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in CISA's KEV catalog. The attack requires an authenticated administrator-level user and is carried out over the web interface, so the attack vector is network-based. An attacker who gains or already possesses administrative credentials can send crafted requests to trigger the denial-of-service condition without needing additional privileges.

Generated by OpenCVE AI on July 3, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Fireware OS update that addresses the unsafe deserialization issue
  • If an update is unavailable, restrict write access to the put_data endpoint to trusted users only or block the endpoint via a firewall rule
  • Monitor HTTP traffic for anomalous POST requests to the put_data endpoint and generate alerts

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 23:30:00 +0000

Type | Values Removed | Values Added
Description | | An authenticated administrator can trigger a denial-of-service condition in the Fireware Management Web UI by sending malformed or crafted data to the put_data endpoint, which performs unsafe deserialization of the attacker-supplied input.
Title | | WatchGuard Firebox Management Web UI Denial of Service via Unsafe Deserialization
First Time appeared | | Watchguard; Watchguard fireware Os
Weaknesses | | CWE-502
CPEs | | cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.0; cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.5; cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1
Vendors & Products | | Watchguard; Watchguard fireware Os
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: WatchGuard

Published:

Updated: 2026-07-02T23:04:42.674Z

Reserved: 2026-06-25T19:43:53.207Z

Link: CVE-2026-13371

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T03:15:03Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data