Impact
A flaw in WatchGuard Fireware OS lets an attacker bypass the operating system’s filesystem integrity verification and load a malicious firmware update package that gains limited persistence on the device. The weakness is a classic integrity bypass (CWE‑440): it undermines the assurance that firmware has not been altered, potentially allowing the attacker to modify critical system files or install additional malicious code. While the impact does not guarantee full remote code execution, persistence on the system can be leveraged for long‑term reconnaissance or lateral movement within a network.
Affected Systems
The vulnerability affects WatchGuard Fireware OS versions 12.0 through 12.11.7, 12.5.9 through 12.5.16, and 2025.1 through 2026.1.1, which run on a wide range of Firebox hardware models including the M270, M290, M295, M370, M390, M395, M440, M4600, M470, M4800, M495, M5600, M570, M5800, M590, M595, M670, M690, M695, NV5, T115‑W, T125‑W, T125, T145‑W, T145, T15, T185, T20, T25, T35, T40, T45, T55, T70, T80, T85, Firebox Cloud, and FireboxV devices.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% reflects a notably low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the successful delivery and installation of a malicious firmware update, which requires either a compromised update source or an authenticated administrative channel. Once the update is deployed, the attacker can achieve limited persistence and potentially gain a further foothold on the network, making patching a priority.
OpenCVE Enrichment