Firewalls are supposed to be the thing that watches everyone else. CVE-2026-8247 turns that around. A stack memory bug in WatchGuard's Firebox line lets an unauthenticated attacker who sits on the same network run code as root on the firewall itself. No password, no admin session, nobody clicking anything. Whoever reaches the box owns every policy it enforces.
WatchGuard published the fix on July 2. Trend's Zero Day Initiative, which reported the flaw, released its own advisory on July 15. There is no public exploit and no sign of in-the-wild use yet, but a memory-corruption bug in a perimeter device is exactly the kind of thing that gets weaponized quietly.
What actually broke
The flaw lives in admd, the Firebox process that handles authentication. It mishandles login notifications sent by WatchGuard's Single Sign-On, the feature that maps logged-in users to their IP addresses so a firewall rule can follow the person instead of the machine. One piece of that system is the Terminal Services agent, which reports logins from shared Windows hosts.
When admd reads one of those login notifications, it copies attacker-controllable data into a fixed-size buffer on the stack without checking the length first. Overrun the buffer and you can steer execution. ZDI and WatchGuard describe the result the same way: code running with root privileges on the appliance.
"Adjacent" is doing a lot of work in that severity score
WatchGuard scores this 7.7 and ZDI 7.5, both High rather than Critical, and the reason is the attack vector: adjacent network, not the open internet. That makes it tempting to file under "we will get to it." For a firewall, the instinct is wrong.
The Single Sign-On listener is reachable from wherever your SSO agents live, which is inside your trusted zones by design. That includes VPN-connected clients, internal servers, a compromised workstation on the LAN, or a guest segment that was never as isolated as the diagram claimed. Any of those counts as "adjacent." An attacker who already holds one internal host, the normal starting point for a ransomware crew, can pivot straight into root on the device that segments the network. The middling score reflects where the attacker begins, not how bad it is once they arrive.
Am I affected
Almost every supported branch is in scope. On the legacy 11.x line, everything up to and including 11.12.4 Update 1 carries the bug. The 12.0 series is affected all the way to 12.12. The older 12.5 maintenance branch is exposed through build 12.5.18. On the current train, every release from 2025.1 forward to 2026.2 is vulnerable.
Boxes running Single Sign-On with the Terminal Services agent are the clear targets. If SSO is switched off entirely the reachable surface shrinks, but do not read that as a fix.
Patching is not automatic here: check your model and branch first
WatchGuard shipped fixes, but not for every product, so "update to the latest" is not the whole answer. If you run the 12.x line, the patched build is Fireware 12.12.1. On the 2025.1 or 2026 train, move to 2026.2.1. Two groups are left out. The T15 and T35 hardware still sitting on the 12.5.x branch has no fix, marked unresolved by the vendor. The entire 11.x generation has reached end of life, so no patch is coming for it at all.
There is no workaround. If your appliance sits on an unresolved or end-of-life path, patching is not a lever you have, so the only one left is exposure. Restrict which hosts can reach the firewall's SSO agent listener, tighten segmentation so a compromised internal host cannot talk to it, and if you run a T15, T35, or any 11.x box, pull the replacement forward on your roadmap rather than waiting for a fix that, for 11.x, is never coming.
How you would know
Memory-corruption exploits against an appliance are hard to catch on the device itself, because the thing that would alert you is the thing being compromised. Watch the signals around it. Look for unexpected admd crashes or restarts, configuration changes nobody made, new administrative sessions, or outbound connections from the firewall to addresses you do not recognize. Ship appliance logs somewhere off the box so an attacker who lands on it cannot rewrite the evidence. Whether you run that monitoring yourself or through a managed detection service, the firewall's own logs and behavior are the tell, not any scan running on the appliance.
The perimeter is the target now
This is the same story with a different nameplate. SonicWall, Kemp LoadMaster, Citrix NetScaler, Fortinet: the boxes sold to defend the edge keep turning into the softest way through it, and the authentication and agent subsystems are where the memory bugs surface. Treat your firewall like the internet-facing application it is. Patch it on the same clock, watch it as closely, and assume "only reachable from inside" is a temporary condition, not a control.