Deserialization in WatchGuard Fireware OS
CVE-2026-13371
An authenticated administrator can trigger a denial-of-service condition in the Fireware Management Web UI by sending malformed or crafted data to the put_data endpoint, which performs unsafe deserialization of the attacker-supplied input.
Vulnerability class: Insecure Deserialization
Affected products
- WatchGuard Fireware OS — versions 12.0, 12.5, 2025.1
Weakness classification (CWE)
References
- 5d1c2695-1a31-4499-88ae-e847036fd7e3 (vendor-advisory)