Some days ago I analyzed the internals of the Watchguard SSL-VPN system. When you realize it uses OpenVPN you think it's quite secure. Except when you implement it completely wrong and screw it all up.

I finally freed some time today to work out a POC and indeed, my attack works like a charm. It can do even more than I expected :-)

Tomorrow I'll be at a Watchguard Seminar about new features in Fireware v10. I'll probably see my Watchguard contact and discuss this issue with him. He'll probably be able to give me more direct contacts where to send the advisory. Let's hope they will fix this asap as I consider this vulnerability as High Risk.
More info later when they fixed it...