CVE-2025-6946 is a stored Cross-site Scripting (XSS) vulnerability identified in WatchGuard Fireware OS, affecting versions from 12.0 through 12.11.2. The vulnerability arises due to improper neutralization of input during web page generation within the Intrusion Prevention System (IPS) module's web interface. An authenticated administrator accessing a locally managed Firebox device can be targeted by an attacker who injects malicious scripts that persist in the system. When the administrator views the affected web pages, the malicious script executes in their browser context, potentially allowing session hijacking, credential theft, or unauthorized administrative actions. The vulnerability requires high privileges (authenticated admin) but no user interaction beyond normal admin interface usage. The CVSS 4.8 score reflects medium severity, considering the network attack vector, low complexity, no privileges required beyond admin, and partial scope impact. There are no known exploits in the wild at the time of publication, but the risk remains significant due to the sensitive nature of administrative access. The vulnerability is classified under CWE-79, highlighting improper input sanitization leading to XSS. The lack of available patches at the time of reporting necessitates immediate mitigation efforts by affected organizations.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative sessions on WatchGuard Firebox devices. Successful exploitation could allow attackers to execute arbitrary scripts within the admin interface, potentially leading to session hijacking, unauthorized configuration changes, or further network compromise. Given that Firebox devices often protect critical network perimeters and are used in enterprise and government environments, exploitation could disrupt security monitoring and enforcement. The requirement for authenticated admin access limits the attack surface but does not eliminate risk, especially in environments with weak admin credential management or where insider threats exist. The vulnerability could also facilitate lateral movement within networks if attackers gain admin access. The absence of known exploits reduces immediate risk but does not preclude future attacks. Organizations relying on Firebox for intrusion prevention and firewall capabilities should consider this vulnerability a moderate threat to operational security.

1. Restrict administrative access to Firebox devices to trusted personnel and secure management networks, ideally using network segmentation and VPNs. 2. Enforce strong, unique administrator credentials and implement multi-factor authentication (MFA) where supported to reduce risk of credential compromise. 3. Monitor administrative sessions and logs for unusual activity that could indicate exploitation attempts. 4. Limit the use of local management interfaces; prefer centralized management solutions with enhanced security controls. 5. Apply any available vendor updates or patches as soon as they are released. 6. Conduct regular security assessments and penetration tests focusing on administrative interfaces. 7. Educate administrators about the risks of XSS and safe browsing practices within management consoles. 8. Consider deploying web application firewalls (WAFs) or IPS rules that can detect and block malicious script injections targeting the management interface. 9. If patching is not immediately possible, consider temporarily disabling or restricting the IPS module functionality that triggers the vulnerability, if feasible without impacting critical operations.