WatchGuard disclosed two high-severity vulnerabilities in Fireware OS affecting Firebox appliances, including a path traversal flaw in the Web UI tracked as CVE-2026-3987 and an insecure deserialization issue in the Access Portal tracked as CVE-2026-4266. The Web UI bug can let a privileged, authenticated remote attacker perform an arbitrary file write and potentially execute code in the context of an elevated system process. The Access Portal flaw can lead to arbitrary code execution as the portald user through insecure deserialization.
The issues affect multiple Fireware OS release lines, with CVE-2026-3987 impacting versions 12.6.1 through 12.11.8 and 2025.1 through 2026.1.2, while CVE-2026-4266 affects versions 12.1 through 12.11.8 and 2025.1 through 2026.1.2. WatchGuard said the deserialization bug is not a standalone remote exploit and requires prior write access to the local filesystem, making it more relevant for post-compromise chaining. The vulnerabilities are mapped to CWE-22 and CWE-502, respectively, and WatchGuard published vendor guidance including advisory WGSA-2026-00009; Firebox models without Access Portal support, such as the T-15 and T-35, are not affected by the Access Portal issue.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
WatchGuard published advisory WGSA-2026-00025 for a Firebox Access Portal vulnerability involving a hardcoded fallback encryption key in the resource credential database. This is a separate disclosure from the previously tracked Access Portal insecure deserialization flaw and Fireware Web UI issues.
WatchGuard published advisory WGSA-2026-00028 for a Firebox Management Web UI vulnerability involving arbitrary file write via path traversal. This is a separate disclosure from the previously tracked Access Portal and Web UI flaws.
WatchGuard published advisory WGSA-2026-00009 for CVE-2026-3987, a path traversal vulnerability in the Fireware OS Web UI that may let a privileged authenticated remote attacker achieve arbitrary code execution in an elevated system process. The flaw affects Fireware OS versions 12.6.1 through 12.11.8 and 2025.1 through 2026.1.2.
WatchGuard disclosed CVE-2026-4266, an insecure deserialization flaw in Fireware OS Access Portal that can lead to arbitrary code execution as the portald user. The issue affects Fireware OS versions 12.1 through 12.11.8 and 2025.1 through 2026.1.2, and requires prior local filesystem write access via another vulnerability.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
watchguard.com
Open sourcewatchguard.com
Open sourcecyber.gc.ca
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.