Critical IKEv2 RCE Vulnerability in WatchGuard Firebox Devices Exploited


First seen 4 Jul 2026, 16:20 UTC. Sources: Techtimes, www.watchguard.com, cwe.mitre.org, www.securityweek.com

Article Content


WatchGuard Technologies released patches on July 2, 2026, for a critical remote code execution vulnerability (CVE-2026-13368) affecting all supported Firebox firewall models. This flaw, linked to a race condition in the LDAP authentication path of the IKEv2 protocol, allows unauthenticated attackers to execute arbitrary code. It is the third critical vulnerability in the same VPN daemon discovered in ten months, with previous flaws leading to active exploitation. Over 100,000 devices are at risk, particularly those configured to use external LDAP for Mobile User VPN authentication. Patches are available for most models, but legacy T15 and T35 models remain unpatched. Administrators are urged to apply updates immediately due to the high risk of exploitation.

Key Points:
- CVE-2026-13368 allows unauthenticated remote code execution on Firebox devices.
- Over 100,000 devices are exposed, with patches available for most models except legacy ones.
- This is the third critical vulnerability in the same VPN daemon within ten months.

ThreatCluster AI

Timeline

2025-09-17: CVE-2025-9242 published. Vulnerability assigned a CVE identifier and published in the National Vulnerability Database. (Source: MITRE)

2025-12-19: CVE-2025-14733 published. Vulnerability assigned a CVE identifier and published in the National Vulnerability Database. (Source: MITRE)

2026-07-02: Patches released for CVE-2026-13368. WatchGuard issued urgent patches for a critical RCE vulnerability affecting Firebox firewalls. (Source: Techtimes)

2026-07-04: CVE-2026-13368 disclosed. The vulnerability, linked to a race condition in LDAP authentication, poses a significant risk to Firebox devices. (Source: WatchGuard)

Recent: Previous vulnerabilities exploited. Two prior critical vulnerabilities in the same VPN daemon were exploited shortly after disclosure, affecting over 100,000 devices. (Source: Techtimes)
