CVE-2022-26318

CRITICAL KEV

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

Title source: metasploit

Exploitation Summary

CVE-2022-26318 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 25, 2022). EIP tracks 5 public exploits: proof-of-concept code from misterxid, h3llk4t3, BabyTeam1024 and egilas, plus the Metasploit module exploits/linux/http/watchguard_firebox_unauth_rce_cve_2022_26318.

AI-analyzed exploit summary: This is a Python-based exploit for CVE-2022-26318, targeting WatchGuard Firebox and XTM appliances running Fireware OS. It leverages a buffer overflow reachable through the pre-authentication agent.login XML-RPC method to achieve remote code execution (RCE) via a reverse shell.

Description

On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
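The three affected ranges above are easy to misread because Fireware versions carry an "_U<n>" update suffix that a plain numeric comparison ignores. The following checker is an added example, not code from WatchGuard or from any of the PoCs listed on this page: it parses the vendor's version format (including the "Update n" spelling used in the Products list below) and classifies a version against the first fixed release of each 12.x branch as stated in the description. The branch boundaries are my reading of that text, and the sample inventory is constructed.

```python
import re
from typing import Dict, Iterable, NamedTuple


class FirewareVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int  # the "_U<n>" / "Update n" suffix; 0 when absent


# Accepts "12.5.9_U1", "12.5.9 u1", "12.7.2 Update 2" and plain "12.1.3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[_ ]?U(?:pdate)?\s*(\d+))?$", re.IGNORECASE)


def parse_fireware_version(text: str) -> FirewareVersion:
    """Parse a Fireware OS version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return FirewareVersion(int(major), int(minor), int(patch), int(update or 0))


# First fixed release per 12.x branch, read from the Description above.
# The branch boundaries are an interpretation (assumption) of "12.x before
# 12.1.3_U8", "12.2.x through 12.5.x before 12.5.9_U2" and "before 12.7.2_U2";
# confirm them against the vendor advisory (FBX-22786) before acting on the output.
_FIXED_BY_BRANCH = (
    # (lowest minor, highest minor, first fixed version)
    (0, 1, FirewareVersion(12, 1, 3, 8)),
    (2, 5, FirewareVersion(12, 5, 9, 2)),
    (6, 7, FirewareVersion(12, 7, 2, 2)),
)


def affected_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_fireware_version(text)
    if v.major != 12:
        return "unlisted"  # only 12.x ranges appear on this page
    for low, high, fixed in _FIXED_BY_BRANCH:
        if low <= v.minor <= high:
            # Tuple comparison orders by major, minor, patch, then update number.
            return "affected" if v < fixed else "fixed"
    return "fixed"  # 12.8 and later are newer than every fixed release listed


def inventory_report(lines: Iterable[str]) -> Dict[str, str]:
    """Classify 'hostname<TAB>version' lines, e.g. from an asset export."""
    report = {}
    for line in lines:
        host, _, version = line.strip().partition("\t")
        try:
            report[host] = affected_status(version)
        except ValueError:
            report[host] = "unparsed"
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    "fw-edge-01\t12.5.9_U1",
    "fw-edge-02\t12.7.2_U2",
    "xtm-branch\t12.1.3 Update 7",
    "fw-lab\t12.8.0",
    "legacy-xtm\t11.12.4",
    "unknown-box\tn/a",
]

if __name__ == "__main__":
    for host, status in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{host:<12} {status}")
```

Anything reported as "unlisted" or "unparsed" needs a manual look rather than being treated as safe; a pre-12 branch is outside the ranges this page states, not confirmed unaffected.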

Exploits (5)

nomisec WORKING POC 10 stars
by misterxid · remote
https://github.com/misterxid/watchguard_cve-2022-26318

This is a Python-based exploit for CVE-2022-26318, targeting WatchGuard Firebox and XTM appliances running Fireware OS. It leverages a buffer overflow reachable through the pre-authentication agent.login XML-RPC method to achieve remote code execution (RCE) via a reverse shell.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WatchGuard XTM appliances / Fireware OS
No auth needed
Prerequisites: Network access to the target device on port 4117 · Python 3 environment
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by h3llk4t3 · remote
https://github.com/h3llk4t3/Watchguard-RCE-POC-CVE-2022-26318

This is a functional exploit for CVE-2022-26318, a buffer overflow vulnerability in WatchGuard XTM appliances running Fireware OS. The PoC sends a maliciously crafted gzip-compressed request body to the management interface to trigger remote code execution via a reverse shell.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WatchGuard XTM appliances / Fireware OS
No auth needed
Prerequisites: Network access to the target's management interface (port 4117) · A listener set up on the attacker's machine
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by BabyTeam1024 · poc
https://github.com/BabyTeam1024/CVE-2022-26318

This exploit targets CVE-2022-26318, a buffer overflow vulnerability in WatchGuard XTM appliances running Fireware OS. It constructs an HTTP POST request with a gzip-compressed malicious payload to achieve remote code execution via a reverse shell.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WatchGuard XTM appliances / Fireware OS
No auth needed
Prerequisites: Network access to the target device on port 4117 · A listener set up on the attacker's machine to receive the reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by egilas · remote
https://github.com/egilas/Watchguard-RCE-POC-CVE-2022-26318

This PoC exploits CVE-2022-26318, a buffer overflow vulnerability in WatchGuard XTM appliances running Fireware OS, to achieve remote code execution via a crafted HTTP POST request with a gzip-compressed payload. The exploit connects a reverse shell back to a specified listener.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WatchGuard XTM appliances / Fireware OS
No auth needed
Prerequisites: Network access to target on port 4117 · Listener set up on attacker-controlled host
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC GOOD
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/watchguard_firebox_unauth_rce_cve_2022_26318.rb

This Metasploit module exploits a buffer overflow in WatchGuard Firebox and XTM appliances via the `/agent/login` endpoint, leading to unauthenticated remote code execution as the `nobody` user. It uses a crafted XML-RPC payload with ROP chains and shellcode to spawn a reverse Python shell.

Classification: Working PoC (100%) · Attack type: RCE · Complexity: Complex · Reliability: Reliable
Target: WatchGuard Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2
No auth needed
Prerequisites: Network access to the administration interface (port 8080 or 4117) · Python installed on the target system
devstral-2 · analyzed Feb 16, 2026
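Every entry above describes the same wire-level pattern: an unauthenticated POST to /agent/login on the administration port whose gzip-compressed XML-RPC body calls agent.login. The inspector below is an added example for the detection side, not code from any of the listed PoCs or from the Metasploit module. It parses a raw HTTP request, inflates a gzip body only up to a fixed cap (so a decompression bomb cannot take the inspector down before it reaches the verdict), and flags pre-auth agent.login calls whose string parameters are oversized or contain non-printable bytes. The size thresholds, the XML-RPC parameter layout in the constructed sample requests and the hostnames are assumptions.

```python
import gzip
import re
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Heuristic thresholds (assumptions, not vendor limits).
MAX_DECOMPRESSED = 256 * 1024   # stop inflating beyond this; defeats gzip bombs
MAX_STRING_LEN = 256            # agent.login strings longer than this are suspect


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), headers, body


def bounded_gunzip(data: bytes, limit: int) -> bytes:
    """Inflate a gzip body but refuse to produce more than `limit` bytes."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = inflater.decompress(data, limit + 1)           # max_length caps the output
    if len(out) > limit or inflater.unconsumed_tail:
        raise ValueError(f"inflated body would exceed {limit} bytes")
    return out


_METHOD_RE = re.compile(rb"<methodName>\s*([^<\s]+)\s*</methodName>")
_STRING_RE = re.compile(rb"<string>([^<]*)</string>")


def inspect_request(raw: bytes) -> Verdict:
    """Flag pre-auth agent.login calls that look like CVE-2022-26318 attempts."""
    method, target, headers, body = parse_http_request(raw)
    path = target.split("?", 1)[0].rstrip("/")
    if method != "POST" or path != "/agent/login":
        return Verdict(False)
    if headers.get("content-encoding", "").lower() == "gzip":
        try:
            body = bounded_gunzip(body, MAX_DECOMPRESSED)
        except (ValueError, zlib.error) as exc:
            return Verdict(True, [f"gzip body rejected: {exc}"])
    call = _METHOD_RE.search(body)
    if not call or call.group(1) != b"agent.login":
        return Verdict(False)
    reasons = []
    for value in _STRING_RE.findall(body):
        if len(value) > MAX_STRING_LEN:
            reasons.append(f"agent.login string parameter of {len(value)} bytes")
        elif any((b < 0x20 and b not in b"\t\r\n") or b > 0x7E for b in value):
            reasons.append("non-printable bytes in agent.login string parameter")
    return Verdict(bool(reasons), reasons)


def build_request(xml: bytes, compress: bool) -> bytes:
    """Assemble a POST to /agent/login; gzip the body when `compress` is set."""
    body = gzip.compress(xml) if compress else xml
    lines = [b"POST /agent/login HTTP/1.1", b"Host: firebox.example:4117",
             b"Content-Type: text/xml", f"Content-Length: {len(body)}".encode()]
    if compress:
        lines.append(b"Content-Encoding: gzip")
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def login_xml(user: bytes, password: bytes) -> bytes:
    """Constructed XML-RPC body; the real agent.login parameter layout may differ."""
    return (b"<?xml version='1.0'?><methodCall><methodName>agent.login</methodName>"
            b"<params><param><value><string>" + user + b"</string></value></param>"
            b"<param><value><string>" + password + b"</string></value></param>"
            b"</params></methodCall>")


# Constructed sample traffic, not captures from a real appliance.
BENIGN = build_request(login_xml(b"admin", b"correct-horse"), compress=True)
OVERSIZED = build_request(login_xml(b"admin", b"A" * 4096), compress=True)
BINARY = build_request(login_xml(b"admin", b"\x90\x90\xcc\x00pad"), compress=False)
BOMB = build_request(b"\0" * (4 * MAX_DECOMPRESSED), compress=True)

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized", OVERSIZED), ("binary", BINARY), ("bomb", BOMB)]:
        print(name, inspect_request(req))
```

Run this at a reverse proxy or IDS in front of the administration port, not on the appliance. Legitimate agent.login calls come from the management tooling, so a pre-auth call that trips either heuristic, or that arrives from a source that should never manage the firewall, is worth alerting on regardless of payload size.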

Scores

CVSS v3.1 9.8 (CRITICAL)
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector NETWORK
EPSS 0.9255 (99.8th percentile)

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2022-03-17
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2022-30879
Status published
Products (4)
watchguard/fireware 12.1.3 (8 CPE variants)
watchguard/fireware 12.5.9 u1
watchguard/fireware 12.7.2 u1
watchguard/fireware 12.0.0 - 12.1.3
Published Mar 04, 2022
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026