Daily brief 2026-07-03
CVE-2026-13368 — WatchGuard Fireware OS: pre-auth use-after-free RCE in the iked IKEv2/LDAP path (CVSS 9.2)
Part of run 2026-07-03T1809Z-intel (intel · Opus 4.8 (1M context))
WatchGuard disclosed CVE-2026-13368 (CVSS 4.0 base 9.2, CWE-416 use-after-free), one of ten Fireware OS advisories published in the same cycle (WGSA-2026-00014 through -00023) (WatchGuard PSIRT, 2026-07-02). The flaw is a race condition producing a use-after-free in iked, the IKEv2 key-exchange daemon, reachable during LDAP authentication for Mobile VPN with IKEv2; a remote unauthenticated attacker who wins the race can execute code in the iked process context. The prerequisite — Mobile VPN with IKEv2 pointed at an external LDAP authentication server — is a common enterprise remote-access setup, and the CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H) reflects the probabilistic race rather than a deterministic single-shot primitive.

Affected builds span Fireware OS 11.0 through 2026.2; WatchGuard lists fixed builds 2026.2.1 and 12.12.1, marks the 12.5.x branch (T15/T35 models) "Unresolved" at publication, and gives 11.x End-of-Life status with no fix and no workaround. BSI CERT-Bund relayed the full ten-advisory batch as WID-SEC-2026-2193, rating it "hoch" (BSI CERT-Bund, 2026-07-03). No public PoC or in-the-wild exploitation is reported as of this writing.

Mapped to T1190 Exploit Public-Facing Application for initial access and T1133 External Remote Services for the exposed IKEv2/Mobile-VPN surface. Defender takeaway: internet-exposed UTM/VPN gateways with pre-auth memory-corruption RCE (the Fortinet/Ivanti/Citrix pattern) reliably attract fast-follow exploitation once detail surfaces — treat this as patch-now for the affected configuration, and where no fix exists yet, remove the vulnerable auth path rather than wait. Detection realistically lives in appliance-side crash telemetry and the backing LDAP server's bind logs, since the exploit hits before any VPN session is established.
“A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.” — WatchGuard PSIRT (WGSA-2026-00023)
Action items
- Patch internet-facing WatchGuard Fireboxes to Fireware OS 2026.2.1 (2025.1/2026.x) or 12.12.1 (12.x) now if Mobile VPN with IKEv2 uses an external LDAP authentication server.
- For the 12.5.x branch (T15/T35, no fix yet) and End-of-Life 11.x: disable external-LDAP-backed Mobile VPN with IKEv2 or move remote-access auth to a non-LDAP backend (e.g. RADIUS) until a build ships; plan 11.x replacement.
- Hunt Firebox syslog/Traffic Monitor for unexplained iked crashes or restarts correlating with inbound UDP/500 and UDP/4500, and review the LDAP server's bind logs for malformed/high-frequency binds from the Firebox client identity.
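The two hunts in the last action item, written out as a small triage script. This is an added example, not code from the brief, from WatchGuard or from BSI: the Firebox syslog and LDAP bind-log formats it parses are constructed stand-ins (WatchGuard's real Traffic Monitor schema and your LDAP server's log layout will differ, so the regexes are the part to adapt), the IP addresses, service DN and thresholds are constructed, and the correlation logic (an iked crash or restart preceded within a window by inbound UDP/500 or UDP/4500, and a per-minute burst of binds from the Firebox's client identity) is the assumption the brief's detection guidance implies rather than anything the vendor documents.

```python
"""Triage helpers for the CVE-2026-13368 hunt ideas (added example, assumed log formats)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Firebox syslog sample. Format '<ts> <host> <proc>: <msg>' is an
# assumption, not WatchGuard's real schema. Three IKE packets precede an iked
# crash at 10:00:04; a later restart at 11:30 has no IKE traffic before it.
FIREBOX_LOG = """\
2026-07-03T10:00:01 fw1 kernel: inbound udp src=198.51.100.23 dst=203.0.113.5 dport=500
2026-07-03T10:00:02 fw1 kernel: inbound udp src=198.51.100.23 dst=203.0.113.5 dport=4500
2026-07-03T10:00:03 fw1 kernel: inbound udp src=198.51.100.23 dst=203.0.113.5 dport=500
2026-07-03T10:00:04 fw1 iked: process terminated unexpectedly (signal 11)
2026-07-03T10:00:05 fw1 kernel: inbound udp src=192.0.2.77 dst=203.0.113.5 dport=53
2026-07-03T11:30:00 fw1 iked: restarting (configuration reload)
""".splitlines()

# The Firebox as the LDAP server sees it (constructed address).
FIREBOX_LDAP_CLIENT_IP = "203.0.113.5"

# Constructed LDAP bind log: one routine bind at 09:00, then 25 binds in the
# 10:00 minute (five of them failing with result=49), plus an unrelated user.
_BIND = '{ts} ldap1 slapd: bind from={ip} dn="{dn}" result={res}'
_FW_DN = "cn=firebox,ou=svc,dc=example,dc=com"
LDAP_LOG = [_BIND.format(ts="2026-07-03T09:00:00", ip=FIREBOX_LDAP_CLIENT_IP, dn=_FW_DN, res=0)]
LDAP_LOG += [
    _BIND.format(ts=f"2026-07-03T10:00:{2 * i:02d}", ip=FIREBOX_LDAP_CLIENT_IP,
                 dn=_FW_DN, res=49 if i % 5 == 0 else 0)
    for i in range(25)
]
LDAP_LOG += [_BIND.format(ts="2026-07-03T10:00:30", ip="192.0.2.9", dn="cn=alice,dc=example,dc=com", res=0)]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
IKE_RE = re.compile(r"inbound udp src=(\S+) .*dport=(500|4500)\b")
IKED_EVENT_RE = re.compile(r"terminated|crash|restart", re.I)
BIND_RE = re.compile(r"^(\S+) \S+ \S+: bind from=(\S+) .*result=(\d+)")
EPOCH = datetime(1970, 1, 1)


def find_iked_restarts(lines, window=timedelta(seconds=60)):
    """Return iked crash/restart events, each annotated with how many inbound
    IKE (UDP/500, UDP/4500) packets arrived in the preceding window and from where."""
    ike_packets = []  # (timestamp, source ip) of every inbound IKE packet seen so far
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        proc, msg = m.group(3), m.group(4)
        ike = IKE_RE.search(msg)
        if ike:
            ike_packets.append((ts, ike.group(1)))
        elif proc == "iked" and IKED_EVENT_RE.search(msg):
            recent = [src for pts, src in ike_packets if ts - window <= pts <= ts]
            events.append({"ts": ts, "msg": msg,
                           "ike_packets": len(recent), "sources": sorted(set(recent))})
    return events


def ldap_bind_bursts(lines, client_ip, threshold=20, bucket=timedelta(seconds=60)):
    """Bucket binds from client_ip per `bucket` and return every bucket at or above
    `threshold` as (bucket_start, total_binds, failed_binds)."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = BIND_RE.match(line)
        if not m or m.group(2) != client_ip:
            continue
        ts = datetime.fromisoformat(m.group(1))
        secs = (ts - EPOCH).total_seconds()
        start = EPOCH + timedelta(seconds=secs - secs % bucket.total_seconds())
        counts[start][0] += 1
        if m.group(3) != "0":
            counts[start][1] += 1
    return [(start, total, failed) for start, (total, failed) in sorted(counts.items())
            if total >= threshold]


if __name__ == "__main__":
    for ev in find_iked_restarts(FIREBOX_LOG):
        print(f"{ev['ts']} iked event: {ev['msg']!r}; "
              f"{ev['ike_packets']} IKE packets in prior 60s from {ev['sources']}")
    for start, total, failed in ldap_bind_bursts(LDAP_LOG, FIREBOX_LDAP_CLIENT_IP):
        print(f"{start} bind burst from Firebox: {total} binds, {failed} failed")
```

On the constructed sample the first iked event is reported with three IKE packets from one source in the preceding minute, the 11:30 restart with none, and the 10:00 minute on the LDAP side is flagged as a 25-bind burst with 5 failures; the alice binds are ignored because only the Firebox's own client identity is counted. A crash with correlated IKE traffic plus a simultaneous bind burst is the pairing worth escalating; a restart with neither is more likely operational.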