Unauthenticated RCE in WatchGuard Firebox/XTM wgagent XML-RPC endpoint

This repository contains a Python proof-of-concept exploit (POCwg.py) for CVE-2022-26318, a remote code execution vulnerability affecting WatchGuard XTM and FireWare OS devices. The exploit works by sending a specially crafted, gzipped HTTP POST request to the /agent/login endpoint on the target device (default port 4117, R_HOST). The payload is designed to trigger a buffer overflow and execute a Python-based reverse shell, connecting back to the attacker's machine (L_HOST) on port 8888. The attacker must have a netcat listener running to receive the shell. The repository consists of the exploit script and a brief README. The exploit is operational, providing a working reverse shell if the target is vulnerable and reachable.

This repository contains a single file, README.md, which includes a full Python proof-of-concept exploit for CVE-2022-26318, a remote code execution vulnerability in WatchGuard XTM and FireWare OS devices. The exploit crafts a malicious XML-RPC payload, compresses it with gzip, and sends it over an SSL-wrapped TCP connection to the target device's agent login service on port 4117. If successful, the payload causes the target device to open a reverse shell connection back to the attacker's machine (L_HOST) on port 8888, granting the attacker remote command execution. The exploit is operational, with a hardcoded Python reverse shell payload, and requires the attacker to set up a netcat listener to receive the shell. The code is self-contained and does not rely on any external frameworks. The repository is focused and provides a clear demonstration of the vulnerability's impact.