Deserialization in WatchGuard Fireware OS
CVE-2026-4266
An Insecure Deserialization vulnerability in WatchGuard Fireware OS allows an attacker that has obtained write access to the local filesystem through another vulnerability to execute arbitrary code in the context of the portald user. This i…
Vulnerability class: Insecure Deserialization
EPSS: 0.000 (5.6th percentile)
Affected products
- WatchGuard Fireware OS — versions 12.1, 2025.1
Weakness classification (CWE)
References
- www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00007 (vendor-advisory)