Mobile VPN Client with SSLVPN v 12.11.3 SAML broken following Edge Update on Windows Systems
Yesterday Microsoft released Edge version 139.0.3405.86. After Windows systems update to this version, the SSLVPN client using SAML authentication to Microsoft Entra is failing, locking out remote users. Reportedly downgrading Edge resolves the issue, but with automatic and managed updates, this is a temporary and short-term fix. Uninstalling the client and installing the 12.11.2 client appears to work, but only because we have not yet upgraded the Firebox to 12.11.3 from 12.11.1 Update 1, as we still have nearly 100 systems to update so that we can update the firewall. Reverting to legacy Active Directory authentication is also failing now, leaving client downgrades, a slow and tedious process with remote users, as our only option.
Comments
Hi @Alan_Mercer
Please see the KB here for a workaround:
Mobile VPN with SSL Client v12.11.3 SAML connections fail after WebView2 v139 update
The SSLVPN client just has an update regarding a security vulnerability. You can use the 11.12.3 client on 11.12.2 with no issue if you're looking to upgrade the firewall later.
Enhancements and Resolved Issues in Fireware v12.11.3
This release resolves a local privilege escalation vulnerability in the Mobile VPN with SSL Client (CVE-2025-1910). View the full advisory details on psirt.watchguard.com. [WGSA-2025-00008]
-James Carson
WatchGuard Customer Support
The workaround was working fine until Microsoft decided to remove all WebView versions older than v139. Can you tell when a new Mobile VPN Client version will be released? In our case we just created local users to make SSL VPN work for our staff. Thank you and best regards
Hi @B_Christ
Reverting to local users will bypass the issue with WebView. The KB article has also been updated to include a workaround using LDAPS for Entra users.
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr000000CffJKAS&lang=en_US
If you'd like to be notified when this is resolved, please create a support case and mention FBX-30242. You can be notified via the support case.
-James Carson
WatchGuard Customer Support
If you’re having issues with the WatchGuard SSL VPN client due to WebView2 runtime compatibility with SAML, you can force the client to use a specific WebView2 version. This is useful when downgrading the client or using a local user account is not an option.
Steps:
=> https://developer.microsoft.com/en-us/microsoft-edge/webview2/?form=MA13LH#download
What this does:
Hope this helps someone facing the same issue.
Cheers
We have had this same issue, but we had also updated our Firebox to 12.11.3.
We have rolled back the VPN Client to 12.11.2 and it still connects to the FB OK.
Hopefully a fix from WatchGuard comes soon!
We're faced with the same issue and the temp fix posted by @Maik_G worked perfectly.
WG has a new workaround for this problem:
https://portal.watchguard.com/wgknowledgebase?type=Known Issues&SFDCID=kA1Vr000000CffJKAS&lang=en_US
Is there any news on a more permanent fix or workaround, as this is causing a lot of problems in our network?
@AndyWortley A permanent fix is being worked on. Any new information will be updated via the KB.
-James Carson
WatchGuard Customer Support