Impact
This vulnerability, classified as improper neutralization of input during web page generation (CWE-79), is a stored cross-site scripting (XSS) flaw in the spamBlocker module of WatchGuard Fireware OS. An attacker who can inject malicious JavaScript into spamBlocker settings can cause that code to run whenever an affected user views the compromised configuration page, potentially leading to session hijacking, credential theft, or further network compromise. Because the payload is stored in the configuration, it persists and affects anyone who views the affected web UI page; it is also an additional, unmitigated path for CVE-2025-1071.
Affected Systems
Observed affected releases include WatchGuard Fireware OS 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2. Administrators of systems running any of these versions should review the spamBlocker configuration for injected content and apply the vendor fix.
Risk and Exploitability
The CVSS score of 4.8 corresponds to moderate (medium) severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which suggests that no widespread exploitation in the wild is currently known. An attacker would need to supply a crafted configuration through the spamBlocker module, which likely requires privileged administrative access to the Fireware OS web interface; this inference rests on the fact that the vulnerability lies in a web UI configuration module, so the likely attack vector is an authenticated, privileged user who can modify spamBlocker settings. Because the payload is stored, the impact persists until the offending configuration is removed or the system is patched.
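As an added example (not from the advisory or from WatchGuard), the following script shows the two defender-side actions the advisory implies: scanning an exported configuration for markup or script in spamBlocker string values, and HTML-encoding such values before they are rendered in a page. The XML element names and the sample export are constructed for illustration and are not WatchGuard's real schema.

```python
import html
import re
from xml.etree import ElementTree as ET

# Constructed sample export; the element and attribute names are assumptions,
# not the real Fireware configuration schema. The second rule carries inert
# test markers of the kind a stored-XSS audit should flag.
SAMPLE_CONFIG = """<config>
  <spamBlocker>
    <exception name="partner-mail" action="allow">
      <comment>Allowed sender list</comment>
    </exception>
    <exception name="&lt;img src=x onerror=alert(1)&gt;" action="deny">
      <comment>&lt;script&gt;alert(1)&lt;/script&gt;</comment>
    </exception>
  </spamBlocker>
</config>"""

# Indicators of HTML or script in a plain-text setting: a tag opener, an
# inline event handler, a javascript: URL, or an HTML comment. A legitimate
# rule name or comment in a spam filter has no reason to contain any of these.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:|<!--",
                        re.IGNORECASE)


def suspicious_values(xml_text, section="spamBlocker"):
    """Return (location, value) pairs under `section` whose attribute or text
    values look like markup or script, in document order."""
    root = ET.fromstring(xml_text)
    hits = []
    for sect in root.iter(section):
        for elem in sect.iter():
            for attr, val in elem.attrib.items():
                if SUSPICIOUS.search(val):
                    hits.append((f"{elem.tag}@{attr}", val))
            if elem.text and SUSPICIOUS.search(elem.text):
                hits.append((elem.tag, elem.text.strip()))
    return hits


def render_safe(value):
    """The output-encoding step a web UI must apply (CWE-79 mitigation):
    escape <, >, &, and both quote characters before inserting a stored
    setting into element content or a quoted attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for location, value in suspicious_values(SAMPLE_CONFIG):
        print(f"{location}: {value!r} -> rendered as {render_safe(value)!r}")
```

Running the script against a real export only requires replacing the sample string and the element names with the product's own; the encoding step is what the patched UI must perform regardless of what the audit finds.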
OpenCVE Enrichment