WatchGuard VPN Vulnerabilities Advisory | February 2022

Sophisticated malware group is targeting WatchGuard firewall appliances. Here's what you need to know.


Recently, the FBI and the UK National Cyber Security Centre (NCSC) informed network security vendor, WatchGuard, of a sophisticated state-sponsored malware impacting WatchGuard firewall appliances. Only WatchGuard firewall appliances configured to allow unrestricted management access open to the Internet are vulnerable.

If a WatchGuard firewall was infected with the malware, it would allow a threat actor to upload files and download and execute files. While the malware only impacts WatchGuard firewall appliances, the compromise of the firewall could facilitate additional attacks against your organization.

Quick facts: what you need to know now

  • Only 1% of WatchGuard appliances are believed to be vulnerable – WatchGuard firewall appliances with the default access management configurations and other WatchGuard products are not impacted.
  • At this time there is no evidence of data exfiltration from WatchGuard or its customers. 

Next Steps for all WatchGuard Customers:

  1. Follow the WatchGuard 4-Step Cyclops Blink Diagnosis and Remediation Plan. This plan will allow you to determine if your organization’s firewall is vulnerable, and if so, help you remediate.
  2. Ensure all WatchGuard appliances are updated to the latest firmware version that includes additional security mechanisms.
  3. Check this article periodically over the next few weeks as we will keep it updated as more information becomes available.


If you have any questions, please reach out to the Risk + Response Team at!