ctipilot.ch

WatchGuard Fireware OS iked pre-auth use-after-free RCE (IKEv2/LDAP path, CVSS 9.2)

cve · CVE-2026-13368

  • Coverage timeline: 1 (first 2026-07-03 → last 2026-07-03)
  • Entries: 1 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (trending-vulnerabilities)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-03: CVE-2026-13368 — WatchGuard Fireware OS: pre-auth use-after-free RCE in the iked IKEv2/LDAP path (CVSS 9.2)
     (trending-vulnerabilities) CVE-2026-13368 — WatchGuard Firebox: pre-auth RCE in the IKEv2 VPN daemon (CVSS 9.2)

Where this entity is cited

  • trending-vulnerabilities (1)

Source distribution

  • watchguard.com: 1 (50%)
  • wid.cert-bund.de: 1 (50%)

Entries about WatchGuard Fireware OS iked pre-auth use-after-free RCE (IKEv2/LDAP path, CVSS 9.2) (1)

2026-07-03

CVE-2026-13368 — WatchGuard Fireware OS: pre-auth use-after-free RCE in the iked IKEv2/LDAP path (CVSS 9.2)

high vulnerability discovered 2026-07-03 18:25 UTC

WatchGuard disclosed CVE-2026-13368 (CVSS 4.0 base 9.2, CWE-416 use-after-free), one of ten Fireware OS advisories published in the same cycle (WGSA-2026-00014 through -00023) (WatchGuard PSIRT, 2026-07-02). The flaw is a race condition producing a use-after-free in iked, the IKEv2 key-exchange daemon, reachable during LDAP authentication for Mobile VPN with IKEv2; a remote unauthenticated attacker who wins the race can execute code in the iked process context. The prerequisite — Mobile VPN with IKEv2 pointed at an external LDAP authentication server — is a common enterprise remote-access setup, and the CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H) reflects the probabilistic race rather than a deterministic single-shot primitive. Affected builds span Fireware OS 11.0 through 2026.2; WatchGuard lists fixed builds 2026.2.1 and 12.12.1, marks the 12.5.x branch (T15/T35 models) "Unresolved" at publication, and gives 11.x End-of-Life status with no fix and no workaround. BSI CERT-Bund relayed the full ten-advisory batch as WID-SEC-2026-2193, rating it "hoch" (BSI CERT-Bund, 2026-07-03). No public PoC or in-the-wild exploitation is reported as of this writing. Mapped to T1190 Exploit Public-Facing Application for initial access and T1133 External Remote Services for the exposed IKEv2/Mobile-VPN surface. Defender takeaway: internet-exposed UTM/VPN gateways with pre-auth memory-corruption RCE (the Fortinet/Ivanti/Citrix pattern) reliably attract fast-follow exploitation once detail surfaces — treat this as patch-now for the affected configuration, and where no fix exists yet, remove the vulnerable auth path rather than wait. Detection realistically lives in appliance-side crash telemetry and the backing LDAP server's bind logs, since the exploit hits before any VPN session is established.

“A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.” — WatchGuard PSIRT (WGSA-2026-00023)

vulnerabilities rce pre-auth patch-available global CVE-2026-13368