PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13368 WatchGuard CVE debrief

CVE-2026-13368 is a critical use-after-free vulnerability in WatchGuard Fireware OS. The vulnerability is caused by a race condition in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server. This vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12, and 2025.1 up to and including 2026.2.

Vendor
WatchGuard
Product
Fireware OS
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Organizations using WatchGuard Fireware OS with Mobile User VPN and IKEv2 configured to use an external LDAP authentication server should prioritize patching this vulnerability to prevent potential code execution.

Technical summary

The vulnerability is caused by a race condition in LDAP authentication for Mobile User VPN with IKEv2 in WatchGuard Fireware OS. This condition leads to a use-after-free vulnerability that can be exploited by a remote unauthenticated attacker to execute arbitrary code in the context of the iked process. The affected versions of Fireware OS include 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12, and 2025.1 up to and including 2026.2.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor-provided patch to update Fireware OS to a version that is not vulnerable.
  • Verify that Mobile VPN with IKEv2 is not configured to use an external LDAP authentication server.
  • Monitor for suspicious activity related to the iked process.
  • Implement compensating controls, such as restricting access to the affected systems.
  • Conduct regular vulnerability assessments and penetration testing to identify potential weaknesses.

Evidence notes

The CVE record was published on 2026-07-03T00:16:50.890Z and was last modified on 2026-07-07T05:16:48.803Z. The NVD entry is currently Awaiting Analysis. The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T00:16:50.890Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.