CVE-2025-4805: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in WatchGuard Fireware OS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Fireware OS: from 12.0 through 12.11.1.
AI Analysis
Technical Summary
CVE-2025-4805 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting WatchGuard Fireware OS versions from 12.0 through 12.11.1. The vulnerability arises due to improper neutralization of input during web page generation, allowing malicious scripts to be stored and executed within the administrative web interface of the Fireware OS. Exploitation requires an authenticated administrator session on a locally managed Firebox device, meaning an attacker must already have high-level access to the device's management interface. Once exploited, the attacker could inject malicious scripts that execute in the context of the administrator's browser session, potentially leading to session hijacking, credential theft, or unauthorized actions within the management interface. The CVSS v4.0 base score is 4.8 (medium severity), reflecting the requirement for high privileges (authenticated admin), no user interaction beyond the admin using the interface, and limited scope and impact confined to the management interface. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects a critical security product used for network firewall and security management, which makes it a significant concern despite the medium CVSS score.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to network security infrastructure managed via WatchGuard Fireware OS. Successful exploitation could allow an attacker with admin credentials to execute arbitrary scripts in the management interface, potentially compromising firewall configurations, disabling security controls, or exfiltrating sensitive network data. This could lead to broader network compromise, data breaches, or disruption of critical services. Given the reliance on Fireware OS in various sectors including government, finance, and critical infrastructure across Europe, the impact could be substantial if attackers leverage this vulnerability as part of a multi-stage attack. The requirement for authenticated administrator access limits the risk from external attackers but raises concerns about insider threats or credential-compromise scenarios. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks against high-value European organizations.
Mitigation Recommendations
Organizations should immediately audit and restrict administrative access to Fireware OS management interfaces to trusted personnel only, employing strong multi-factor authentication (MFA) to reduce the risk of credential compromise. Network segmentation should be enforced to limit access to the management interface to secure, internal networks only. Administrators should monitor logs for unusual activity indicative of attempted or successful exploitation. Until patches are available, applying strict input validation and sanitization on any custom scripts or configurations interacting with the Fireware OS interface may help reduce risk. Additionally, organizations should prepare to deploy patches promptly once released by WatchGuard. Regular security awareness training for administrators on phishing and credential security is also recommended to prevent initial access by attackers.
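The following is an added illustration, not code from Fireware OS or WatchGuard, of the CWE-79 pattern described in the Technical Summary and the output-encoding and log-monitoring mitigations above: a stored configuration value is rendered into an admin page first without neutralization, then with contextual HTML encoding, and a small check flags generated fragments that still contain executable markup. The field name and the stored sample are constructed for the example.

```python
import html
import re

# Constructed sample: a free-text description an administrator saved through a
# management-interface form (hypothetical field; not a real Fireware setting).
STORED_DESCRIPTION = 'Guest VLAN <script>document.title="injected"</script>'


def render_vulnerable(stored: str) -> str:
    """Page generation without neutralization (the CWE-79 pattern).

    The stored value is concatenated straight into the HTML, so any markup it
    contains becomes part of the page and runs in the administrator's browser
    the next time the page is viewed: a stored XSS."""
    return f'<td class="desc">{stored}</td>'


def render_hardened(stored: str) -> str:
    """Same page generation with contextual output encoding.

    html.escape(quote=True) turns <, >, &, double and single quotes into
    entities, so the browser displays the stored text literally instead of
    parsing it as markup. Encoding at generation time protects every page
    that renders the value, whatever path it was stored through."""
    return f'<td class="desc">{html.escape(stored, quote=True)}</td>'


# Crude signature for executable HTML: script-like tags, inline event
# handlers, or javascript: URLs. Useful as a review or monitoring check over
# generated fragments and stored configuration values, not as a sanitizer.
_ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def contains_active_markup(fragment: str) -> bool:
    """Return True if the fragment still carries markup a browser would execute."""
    return _ACTIVE_MARKUP.search(fragment) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(STORED_DESCRIPTION)
        print(f"{name}: active markup = {contains_active_markup(page)}")
        print("  ", page)
```

Running the block shows the vulnerable rendering still contains a live `<script>` element while the hardened rendering reduces it to inert entity text that the check no longer flags.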
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: WatchGuard
- Date Reserved: 2025-05-16T00:31:33.445Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aeba3c
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 9/21/2025, 12:16:46 AM
Last updated: 9/26/2025, 12:10:46 AM