WatchGuard Firebox Authentication Vulnerability (CVE-2022-23176)
CVE-2022-23176 is a privilege escalation vulnerability in WatchGuard Firebox and XTM appliances. It could allow a remote, unprivileged threat actor to obtain a privileged management session on the device through exposed management access.
Apparently, the flaw has been used by Sandworm, a Russian state-sponsored hacking collective that is most likely part of the GRU, Russia's military intelligence agency. The CVE-2022-23176 vulnerability has been used to build the Cyclops Blink botnet from compromised WatchGuard Small Office/Home Office (SOHO) network devices.
The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its list of exploited flaws, urging organizations to patch their systems.
WatchGuard is aware of the critical issue and has been working closely with the FBI, CISA, DOJ, and the UK NCSC. As a result of this cooperation, the company developed a remediation for Cyclops Blink, which affected “a limited number of WatchGuard firewall appliances”. If you are affected, refer to the company’s advisory for further technical instructions.