CVE-2026-13368: WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication
WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server. This vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2.
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: 12.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A race condition leading to a use-after-free vulnerability exists in WatchGuard Fireware OS within the LDAP authentication handler for Mobile VPN with IKEv2. The flaw is reachable over the network by an unauthenticated remote attacker, but exploitation requires winning a race condition and a specific prerequisite configuration (the Firebox must have Mobile VPN with IKEv2 configured to use an external LDAP server). Successful exploitation allows the attacker to execute arbitrary code in the context of the iked process on the targeted Firebox. Patched-image rebuilds at versions 12.0 and 12.5 are available on HarborGuard for environments running affected Fireware OS versions.
HarborGuard Coverage
Detection of CVE-2026-13368 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that package Fireware OS or derivative components. HarborGuard's scanner is capable of identifying affected version ranges (Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2) in any image layer where version metadata is present.
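As an added example (not HarborGuard's or WatchGuard's own code), the following Python check applies the advisory's affected ranges to Fireware OS version strings, accepting the `_UpdateN` and `+build` spellings that appear on this page, and adds a helper reflecting the configuration precondition (Mobile VPN with IKEv2 using an external LDAP server). The function names and the assumption that the `+build` suffix does not change release ordering are mine.

```python
import re
from typing import Tuple

# Affected Fireware OS ranges exactly as the advisory states them (inclusive).
AFFECTED_RANGES = [
    ("11.0", "11.12.4_Update1"),
    ("12.0", "12.12"),
    ("2025.1", "2026.2"),
]

# Accepts the version spellings seen on this page: dotted numbers, an
# optional "_UpdateN" suffix, and an optional "+build" suffix.
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?:_Update(?P<update>\d+))?(?:\+(?P<build>\d+))?$"
)


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn a Fireware version string into a sortable key.

    The key is the dotted numbers padded to four components, plus the Update
    number. The +build suffix is assumed not to change the release, so it is
    parsed but ignored for ordering.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {version!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    if len(nums) > 4:
        raise ValueError(f"too many components in {version!r}")
    nums += (0,) * (4 - len(nums))
    return nums, int(m.group("update") or 0)


def is_affected_version(version: str) -> bool:
    """True if `version` falls inside any affected range (both ends inclusive)."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def is_exposed(version: str, mvpn_ikev2_enabled: bool, external_ldap_auth: bool) -> bool:
    """A vulnerable version alone is not enough: the vulnerable path is only
    reachable when Mobile VPN with IKEv2 is enabled and authenticates against an
    external LDAP server (the AT:P component of the CVSS vector)."""
    return is_affected_version(version) and mvpn_ikev2_enabled and external_ldap_auth
```

A Firebox on an affected version but authenticating IKEv2 users locally or via a non-LDAP server is still worth patching, but `is_exposed` returns False for it.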
Triage is available with a CVSS v4.0 score of 9.2 (CRITICAL), which HarborGuard surfaces alongside per-environment compliance policy weighting so that teams with stricter network-edge policies can escalate priority automatically. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at Fireware OS versions 12.0 and 12.5 becomes available in HarborGuard the moment the upstream fix is confirmed against ingested image manifests. For customers who opt into auto-remediation, HarborGuard is capable of running a rebuild, executing a regression test pass, and opening a pull request against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Firebox IKEv2 VPN endpoint over the network; the vulnerable code path is exposed on any Firebox with Mobile VPN with IKEv2 enabled and reachable from an external network.
- Authentication: Not required
No credentials are needed; the vulnerability is exploitable by a remote unauthenticated attacker prior to any login step.
- Victim interaction: Not required
No action by an administrator or user is required to trigger exploitation; the attacker interacts directly with the iked service.
- Attack complexity: High
Exploitation is rated High complexity (AC:H with AT:P): the attacker must win a race condition, and the target Firebox must be specifically configured to use an external LDAP authentication server for IKEv2. These are meaningful but not insurmountable environmental requirements.
Blast Radius
- A successful attacker achieves arbitrary code execution in the context of the iked process, which handles VPN key exchange and session management on the Firebox.
- The attacker can read sensitive data processed by the iked process, including negotiated session keys, user identity material passed through LDAP, and in-memory authentication state (VC:H).
- The attacker can modify or corrupt iked process state, enabling manipulation of active VPN sessions or injection of attacker-controlled routing or authentication decisions (VI:H).
- The iked process can be crashed or destabilized, disrupting Mobile VPN connectivity for all IKEv2 users on the affected Firebox (VA:H).
How HarborGuard Handles This
Available on HarborGuard: detection is matched against images within minutes of CVE publication, covering any image that includes affected Fireware OS versions in the 11.x, 12.x, or 2025.x/2026.x release lines. Where compliance policy permits auto-remediation, HarborGuard is capable of rebuilding affected images at the fixed versions (12.0 or 12.5), running a regression test suite, and opening a pull request against affected workloads automatically; for environments with auto-remediation enabled, median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes. Because exploitation requires a specific configuration (Mobile VPN with IKEv2 pointed at an external LDAP server), teams that cannot immediately patch should consider network-policy controls that restrict inbound IKEv2 traffic (UDP 500/4500) to known, trusted client IP ranges as a compensating control until the patched image is deployed.
Fix available
- WatchGuard / Fireware OS: ≤ 11.12.4+541730 · ≤ 2026.2; fixed in 12.0, 12.5
CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N