CVE-2025-1545 is an XPath Injection vulnerability classified under CWE-91 affecting WatchGuard Fireware OS versions 11.11 through 2025.1.2. This vulnerability arises from improper sanitization of user-supplied input in the XML-based authentication or management web interface, specifically when authentication hotspots are configured. An attacker can remotely send crafted requests that manipulate XPath queries, enabling them to bypass intended access controls and retrieve sensitive information from the Firebox configuration files. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS 4.0 vector indicates no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability. Although no public exploits have been reported yet, the potential for sensitive data disclosure, such as credentials or network configurations, poses a significant risk. The affected Fireware OS versions span multiple major releases, indicating a long-standing issue. The vulnerability is particularly critical for environments where Firebox devices are exposed to untrusted networks or where authentication hotspots are enabled, as these increase the attack surface. WatchGuard has not yet published patches at the time of this report, so organizations must monitor for updates and apply them promptly once available.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive network configuration data, including authentication credentials and firewall rules, undermining the confidentiality and security posture of critical network infrastructure. Attackers exploiting this flaw could gain insights to facilitate further attacks such as lateral movement, privilege escalation, or persistent access. Sectors such as finance, healthcare, government, and critical infrastructure that rely on WatchGuard Firebox devices for perimeter security are particularly at risk. The exposure of authentication hotspots increases the attack surface, potentially affecting organizations with guest or BYOD networks. The breach of confidentiality could result in regulatory non-compliance under GDPR due to inadequate protection of sensitive data. Additionally, the lack of required authentication and user interaction means attackers can exploit this vulnerability remotely and stealthily, increasing the likelihood of successful attacks. Although no active exploits are known, the high CVSS score and ease of exploitation warrant urgent attention to prevent potential compromise.

Organizations should immediately inventory their WatchGuard Firebox devices to identify affected Fireware OS versions and confirm whether authentication hotspots are configured. Until patches are released, restrict access to the management and authentication web interfaces by implementing strict network segmentation and firewall rules limiting access to trusted administrative networks only. Employ VPN or other secure remote access methods to reduce exposure. Monitor network traffic and logs for unusual or suspicious XPath query patterns or unauthorized access attempts targeting the web interfaces. Once WatchGuard releases patches addressing CVE-2025-1545, apply them promptly following tested change management procedures. Consider disabling authentication hotspots if not essential to reduce attack surface. Additionally, implement multi-factor authentication for administrative access to further mitigate risks. Regularly update and audit device configurations to ensure compliance with security best practices. Engage with WatchGuard support and subscribe to security advisories to stay informed about updates and exploit developments.