CVE-2025-1545 is an XPath Injection vulnerability categorized under CWE-91 that affects WatchGuard Fireware OS versions 11.11 up to 12.5.13 and 2025.1 up to 2025.1.2. The flaw exists in the way the Fireware OS processes XPath queries within its authentication or management web interface, specifically when at least one authentication hotspot is configured. An attacker can craft malicious input to manipulate XPath queries, enabling them to retrieve sensitive information from the Firebox configuration remotely without authentication or user interaction. The vulnerability leverages the lack of proper input validation and sanitization in the XML processing logic, allowing blind XPath injection attacks that disclose confidential configuration data. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H) with no impact on integrity or availability. Although no public exploits have been reported, the vulnerability poses a significant risk due to the sensitive nature of the data exposed and the widespread use of Firebox devices in enterprise environments. The vulnerability affects multiple Fireware OS branches, including legacy and current versions, emphasizing the need for comprehensive patch management. The absence of patch links suggests that fixes may be pending or require coordination with WatchGuard support. The vulnerability's exploitation could lead to unauthorized disclosure of network security configurations, potentially facilitating further attacks or network compromise.

For European organizations, this vulnerability poses a critical risk to the confidentiality of network security configurations managed by WatchGuard Firebox devices. Disclosure of sensitive configuration data could enable attackers to map network defenses, identify security weaknesses, and launch subsequent attacks such as lateral movement, privilege escalation, or data exfiltration. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, face heightened risks of regulatory non-compliance and reputational damage if exploited. The remote, unauthenticated nature of the attack vector increases the threat surface, especially for organizations exposing management interfaces to less secure networks or the internet. Given the widespread deployment of WatchGuard Firebox in European enterprises and government agencies, successful exploitation could disrupt network security postures across multiple sectors. The vulnerability's impact is primarily on confidentiality, but indirect effects on integrity and availability could follow if attackers leverage disclosed information to compromise systems further. The lack of known exploits currently provides a window for proactive mitigation, but the high CVSS score underscores the urgency of addressing this issue.

1. Immediately inventory all Firebox devices to identify affected Fireware OS versions and confirm if authentication hotspots are configured. 2. Coordinate with WatchGuard support to obtain and apply official patches or firmware updates as soon as they become available. 3. Restrict access to Firebox management and authentication web interfaces by implementing network segmentation, VPN access, or IP whitelisting to limit exposure to trusted administrators only. 4. Monitor network traffic and logs for unusual or suspicious requests targeting the management interface that could indicate exploitation attempts. 5. Employ Web Application Firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) with rules tuned to detect XPath injection patterns. 6. Conduct regular security assessments and penetration testing focusing on management interfaces to identify and remediate similar injection flaws. 7. Educate network administrators about the risks of exposing management interfaces and enforce strong authentication and access control policies. 8. Develop incident response plans that include procedures for containment and remediation in case of exploitation. 9. Consider temporary disabling of authentication hotspots if feasible until patches are applied to reduce attack surface. 10. Maintain up-to-date asset and vulnerability management databases to track remediation progress and compliance.