Ongoing RCE Exploitation Targets Over 115,000 WatchGuard Firewalls

Incident Overview

Security researchers have identified active exploitation of critical remote code execution (RCE) vulnerabilities affecting a large population of WatchGuard Firewalls. These vulnerabilities, present in the products’ management interfaces, are being actively leveraged by threat actors to gain unauthorized access, execute arbitrary code, and potentially establish persistent footholds within targeted networks.

Initial telemetry indicates that over 115,000 devices are exposed to attack, with successful compromises observed in both enterprise and managed services environments. The exploitation trend underscores the risks associated with internet-facing network infrastructure that lacks timely patching or effective access controls.

This incident is ongoing, with both detection and mitigation activities in progress across impacted organizations.

Impact Analysis

The exploitation of these RCE vulnerabilities can have wide-ranging operational and security impacts, including:

• Unauthorized administrative access to firewall appliances
• Interruption of network security controls leading to degraded protection
• Deployment of additional malware or backdoors
• Lateral movement into internal network segments
• Disruption of connectivity for business services

Because firewalls represent the foundational perimeter security layer for most enterprises, any compromise directly undermines network trust and increases exposure to downstream threats.

Technical Details

The vulnerabilities exploited involve flaws in the WatchGuard appliance’s web-based management interface and/or underlying services. These weaknesses allow unauthenticated attackers reachable over the internet to:

• Trigger improper input validation
• Bypass authentication checks
• Execute arbitrary code in the context of the system process

Active exploitation has been observed using automated tools scanning for vulnerable hosts and issuing specially crafted requests that trigger unstable states.

Indicators of Compromise (IoCs) include:

• Unexpected processes or services spawned on WatchGuard units
• Anomalous SSH or web management sessions
• Connections initiated from unusual source IPs into internal protected segments
• Firewall rule alterations without administrative authorization

Network defenders are advised to examine relevant logs for these behaviors and escalate remediation where confirmed.

What Users Should Do

Immediate actions for security teams and network operators:

• Identify and enumerate all WatchGuard firewalls within your environment.
• Assess exposure by determining which appliances are internet-reachable.
• Block access to management interfaces from untrusted networks.
• Apply recommended patches or configuration changes from WatchGuard.
• Isolate compromised units and validate integrity before reuse.

Operational recommendations:

• Use network scanners (Nmap, Nessus, etc.) to detect vulnerable builds.
• Restrict management interfaces to internal or VPN-only access.
• Review firewall logs for signs of unauthorized configuration changes.

Vendor Response

WatchGuard has acknowledged the vulnerability and released guidance detailing:

• the affected firmware versions
• mitigations and patches
• configuration safeguards

Administrators are urged to consult the official vendor advisories for exact remediation steps and to subscribe to WatchGuard’s security notifications for updates.

Resolution and Lessons

At the time of writing, mitigation activities are ongoing. Patching and access lock-down remain the primary defenses against exploitation. Organizations that proactively implement recommendations will likely reduce their exposure significantly.

Key lessons include:

• The necessity of defense-in-depth, especially for internet-facing appliances
• The importance of segregating management interfaces from public infrastructure
• The critical need for rapid patch deployment and vulnerability scanning

Organizations should consider implementing automated monitoring of patch availability and exposure scanning as part of routine security hygiene.