CVE-2022-23176 — WatchGuard Firebox and XTM Privilege Escalation Vulnerability

CVE-2022-23176

WatchGuard Firebox and XTM — Unprivileged Management Session Escalation Exploited by Sandworm for Cyclops Blink Botnet

What are WatchGuard Firebox and XTM Appliances?

WatchGuard Firebox and XTM are enterprise network security appliances — firewalls and UTM (Unified Threat Management) devices deployed by small and medium enterprises, schools, healthcare organizations, and managed service providers. These devices sit at the network perimeter and are internet-facing by design, making them prime targets for nation-state actors seeking persistent network footholds. Compromising a perimeter firewall gives attackers visibility into all network traffic and a staging point for further intrusion.

Overview

CVE-2022-23176 is a privilege escalation vulnerability in WatchGuard Firebox and XTM appliances. A remote attacker holding low-privilege credentials can reach the device's management interface with a fully privileged administrative session. The vulnerability was exploited by Sandworm (GRU Unit 74455), a Russian military intelligence cyber unit, as the delivery mechanism for the Cyclops Blink malware botnet. The FBI, CISA, NSA, and UK NCSC published a joint advisory on Cyclops Blink in February 2022.

Affected Versions

Product                       Vulnerable                  Fixed
WatchGuard Firebox and XTM    Fireware OS ≤ 12.7.2 U1     12.7.2 U2
WatchGuard Firebox and XTM    Fireware OS ≤ 12.5.9 U2     12.5.9 U3
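A fleet check against the table above, written as an added example for this page rather than code from WatchGuard or the advisory. It parses Fireware OS version strings of the form "12.7.2 U1" (the "U" update suffix is significant: 12.7.2 U1 is vulnerable, 12.7.2 U2 is fixed) and compares each device against the fixed build of its release branch. Selecting the branch by the second version component is an assumption made here; branches the table does not list (for example 12.6.x) are reported as "unknown" rather than guessed.

```python
import re
from typing import Dict, Tuple

# Fixed builds per release branch, taken from the advisory's affected-versions
# table. Keyed by (major, minor); branch mapping is this example's assumption.
FIXED: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (12, 7): (12, 7, 2, 2),   # 12.7.2 U2
    (12, 5): (12, 5, 9, 3),   # 12.5.9 U3
}

# major.minor.patch with an optional " U<n>" update suffix
_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*U(\d+))?\s*$", re.IGNORECASE)


def parse_fireware(version: str) -> Tuple[int, int, int, int]:
    """Parse '12.7.2 U1' into (12, 7, 2, 1). A release without a 'U' suffix
    is treated as update 0, so it sorts before its first update."""
    m = _VER_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def cve_2022_23176_status(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one Fireware OS version."""
    v = parse_fireware(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"      # branch not covered by the advisory table
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported Fireware version);
    # not real device data.
    inventory = {
        "fw-hq-01": "12.7.2 U1",
        "fw-branch-02": "12.5.9 U3",
        "fw-lab-03": "12.6.4",
    }
    for host, ver in inventory.items():
        print(f"{host:14} {ver:12} {cve_2022_23176_status(ver)}")
```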

Technical Details

The vulnerability allows a low-privilege authenticated user (e.g., a read-only management account or restricted VPN user) to escalate to a privileged management session on the WatchGuard appliance via improper session privilege handling.

  • Authentication required: Low — a non-administrator WatchGuard account with minimal access
  • Attack complexity: Low — the escalation does not require complex exploitation
  • Impact: Full administrative access to the firewall; ability to modify firewall rules, VPN configurations, and network routing; persistent access to all network traffic passing through the appliance
  • Cyclops Blink: Sandworm exploited this vulnerability to install Cyclops Blink, a modular Linux malware that persists across firmware updates by writing itself into the device's flash storage. Cyclops Blink supports C2 communication over legitimate HTTPS, uploads device information, downloads new modules, and can be tasked for further network intrusion

Discovery

Identified as part of the joint investigation into Cyclops Blink by FBI, CISA, NSA, NCSC, and WatchGuard. WatchGuard and government agencies coordinated disclosure and remediation simultaneously.

Exploitation Context

Sandworm (GRU Unit 74455, also known as Voodoo Bear, Iridium, and BlackEnergy) is one of the most destructive known cyberattack groups, to which the NotPetya and Olympic Destroyer attacks have been attributed. The Cyclops Blink campaign infected tens of thousands of WatchGuard devices globally, building a persistent botnet embedded in enterprise network perimeters. The FBI disrupted the Cyclops Blink botnet in a court-authorized operation in April 2022. That operation targeted the devices serving as the botnet's C2 infrastructure; many other infected devices remained compromised after the FBI action.

Remediation

  1. Upgrade to Fireware OS 12.7.2 U2 or 12.5.9 U3 (or later) — the definitive fix
  2. Use WatchGuard's free Cyclops Blink Detector Tool to check whether your device was infected before patching
  3. If infection is found: factory reset the appliance — patching alone does not remove Cyclops Blink, which persists in flash storage
  4. After factory reset and patching, reconfigure the device from a known-clean baseline (do not restore from a potentially infected backup)
  5. Restrict WatchGuard management interface access to trusted IP addresses only; disable remote management access from the internet
  6. Review firewall rule changes and VPN configurations for unauthorized modifications

Key Details

Property               Value
CVE ID                 CVE-2022-23176
Vendor / Product       WatchGuard — Firebox and XTM
NVD Published          2022-02-24
NVD Last Modified      2025-11-03
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2022-04-11
CISA KEV Deadline      2022-05-02
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-02. Apply updates per vendor instructions.

Timeline

Date         Event
2022-02-23   FBI/CISA/NSA/NCSC publish joint advisory on Cyclops Blink malware and Sandworm exploitation of WatchGuard
2022-02-24   WatchGuard publishes advisory and patches; CVE published
2022-04-11   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-02   CISA BOD 22-01 remediation deadline