Cyber Centre Daily Advisory Digest — 2026-04-02 (2 advisories)

Key Takeaways

• Apple released critical updates across its ecosystem (iOS, macOS, watchOS, etc.) to address vulnerabilities, notably expanding iOS 18.7.7 availability to protect against the DarkSword exploit kit.
• WatchGuard released security updates for Fireware OS to patch an Arbitrary File Write via Path Traversal vulnerability in the Fireware Web UI.
• Administrators are urged to apply these updates immediately due to the active threat of web-based exploit kits.

Affected Systems

• Apple iOS versions prior to 18.7.7 and 26.4
• Apple iPadOS versions prior to 18.7.7 and 26.4
• Apple macOS Sequoia versions prior to 15.7.5
• Apple macOS Sonoma versions prior to 14.8.5
• Apple macOS Tahoe versions prior to 26.4
• Apple tvOS versions prior to 26.4
• Apple visionOS versions prior to 26.4
• Apple watchOS versions prior to 26.4
• WatchGuard Fireware OS 2025-1 versions 2025-1 to 2026.1.2
• WatchGuard Fireware OS 12.x versions 12.6.1 to 12.11.8

Vulnerabilities (CVEs)

• Arbitrary File Write via Path Traversal in WatchGuard Fireware Web UI

Attack Chain

Threat actors utilize the DarkSword exploit kit to conduct web-based attacks targeting vulnerable Apple devices, likely achieving client execution upon visiting malicious sites. Separately, attackers can exploit a path traversal vulnerability in the WatchGuard Fireware Web UI to perform arbitrary file writes, potentially leading to appliance compromise and unauthorized access.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: Low — EDR agents are typically not deployable on WatchGuard firewall appliances or standard Apple mobile devices (iOS/iPadOS). Network Visibility: Medium — Network intrusion detection systems may identify path traversal attempts against the WatchGuard Web UI or known exploit kit traffic patterns. Detection Difficulty: Hard — Detecting exploitation on closed-ecosystem mobile devices and proprietary network appliances relies heavily on vendor-provided telemetry and network-level heuristics.

Required Log Sources

• Web Application Firewall (WAF) Logs
• Firewall Traffic Logs
• Mobile Device Management (MDM) Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Threat actors may attempt to exploit the WatchGuard vulnerability by sending HTTP requests containing path traversal sequences (e.g., '../') directed at the Fireware Web UI.	WAF or Web Server Access Logs	Initial Access	Low

Control Gaps

• Lack of endpoint visibility on network appliances
• Limited telemetry from mobile operating systems

Key Behavioral Indicators

• Anomalous file write operations on WatchGuard appliances
• Path traversal strings in HTTP requests to WatchGuard management interfaces

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Apply Apple security updates (including iOS 18.7.7 and 26.4) to all corporate mobile and desktop devices immediately.
• Update WatchGuard Fireware OS to the latest patched versions to remediate the path traversal vulnerability.

Infrastructure Hardening

• Restrict access to the WatchGuard Fireware Web UI, ensuring it is not exposed to the public internet and is only accessible from trusted internal management networks or via VPN.

User Protection

• Ensure all corporate Apple devices are enrolled in a Mobile Device Management (MDM) solution to enforce rapid patch compliance.

Security Awareness

• Educate users on the risks of drive-by downloads and the importance of keeping mobile devices updated.

MITRE ATT&CK Mapping

• T1189 - Drive-by Compromise
• T1203 - Exploitation for Client Execution
• T1190 - Exploit Public-Facing Application