CVE-2025-13940
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2025-12-10

Assigner: WatchGuard Technologies, Inc.

Description
An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure. The on-demand system integrity check in the Fireware Web UI will correctly show a failed system integrity check message in the event of a failure.This issue affects Fireware OS: from 12.8.1 through 12.11.4, from 2025.1 through 2025.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13940
Affected Vendors & Products
Showing 33 associated CPEs
Vendor Product Version / Range
watchguard fireware From 2025.1 (inc) to 2025.1.3 (exc)
watchguard firebox_t115-w *
watchguard firebox_t125 *
watchguard firebox_t125-w *
watchguard firebox_t145 *
watchguard firebox_t145-w *
watchguard firebox_t185 *
watchguard fireware From 12.8.1 (inc) to 12.11.5 (exc)
watchguard firebox_m270 *
watchguard firebox_m290 *
watchguard firebox_m370 *
watchguard firebox_m390 *
watchguard firebox_m440 *
watchguard firebox_m4600 *
watchguard firebox_m470 *
watchguard firebox_m4800 *
watchguard firebox_m5600 *
watchguard firebox_m570 *
watchguard firebox_m5800 *
watchguard firebox_m590 *
watchguard firebox_m670 *
watchguard firebox_m690 *
watchguard firebox_nv5 *
watchguard firebox_t20 *
watchguard firebox_t25 *
watchguard firebox_t40 *
watchguard firebox_t45 *
watchguard firebox_t55 *
watchguard firebox_t70 *
watchguard firebox_t80 *
watchguard firebox_t85 *
watchguard fireboxcloud *
watchguard fireboxv *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-440 A feature, API, or function does not perform according to its specification.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Expected Behavior Violation (CWE-440) in WatchGuard Fireware OS that allows an attacker to bypass the boot time system integrity check. This means the attacker can prevent the Firebox device from shutting down even if the system integrity check fails during boot. However, the on-demand system integrity check via the Fireware Web UI will still correctly display a failure message if the integrity check fails.

Impact Analysis

This vulnerability could allow an attacker to keep the Firebox device running despite a failed system integrity check, potentially allowing compromised or altered system states to persist. This could lead to security risks such as unauthorized access or system instability because the device does not shut down as expected when integrity checks fail.

Detection Guidance

This vulnerability can be detected by performing the on-demand system integrity check in the Fireware Web UI, which will correctly show a failed system integrity check message if the system integrity check fails.

Mitigation Strategies

There is no workaround available for this vulnerability. The immediate step to mitigate this vulnerability is to upgrade affected Fireware OS versions to 12.11.5 or 2025.1.3, where the issue has been resolved. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart