Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13937.


This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
Published: 2026-07-02
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation in the ConnectWise Technology Integration configuration of WatchGuard Fireware OS. The flaw allows attackers to inject JavaScript that is stored and later rendered in the web interface, enabling stored cross-site scripting. The primary impact is that an attacker can run arbitrary scripts in the browser context of any user who views the affected configuration, potentially leading to credential theft, session hijacking, or defacement of the management console. The weakness is identified as CWE-79.

Affected Systems

The affected product is WatchGuard Fireware OS. Vulnerable releases include versions 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2.

Risk and Exploitability

The CVSS base score is 4.8, indicating Medium severity. EPSS is not available and the vulnerability is not listed in CISA KEV. Because the flaw requires an authenticated user with privileges to modify the ConnectWise Technology Integration settings, the likelihood of exploitation without such credentials is limited. However, if privileged access is gained, stored XSS can be leveraged to execute malicious code in any browser that displays the compromised configuration.

Generated by OpenCVE AI on July 3, 2026 at 03:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest WatchGuard Fireware OS firmware that fixes CVE-2026-13374.
  • Remove or cleanse any stored configuration entries that contain malicious scripts.
  • Restrict privileged access to the ConnectWise Technology Integration module or disable the integration if not required.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 23:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13937. This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2. |
| Title | | WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in ConnectWise Technology Integration Configuration |
| First Time appeared | | Watchguard; Watchguard fireware Os |
| Weaknesses | | CWE-79 |
| CPEs | | `cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.4`; `cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.5`; `cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1` |
| Vendors & Products | | Watchguard; Watchguard fireware Os |
| References | | |
| Metrics | | cvssV4_0: `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: WatchGuard

Published:

Updated: 2026-07-02T23:05:13.056Z

Reserved: 2026-06-25T20:31:06.991Z

Link: CVE-2026-13374

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T03:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')