Race Condition Vulnerability in WatchGuard Fireware OS Affecting LDAP Authentication
CVE-2026-13368

9.2 CRITICAL

Key Information:

Vendor: WatchGuard

CVE Published: 2 July 2026

What is CVE-2026-13368?

WatchGuard Fireware OS contains a use-after-free vulnerability caused by a race condition in LDAP authentication for Mobile User VPN with IKEv2. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code in the context of the iked process on affected Fireboxes that are configured to use an external LDAP authentication server for mobile VPN connections.

Affected Version(s)

Fireware OS 11.10.2 <= 11.12.4+541730

Fireware OS 2025.1 <= 2026.2

Fireware OS 12.0

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cody Sixteen