A critical vulnerability in WatchGuard Firebox firewalls could allow attackers to gain full administrative access to the devices using nothing more than the vendor's default credentials.
The flaw, tracked as CVE-2025-59396, stems from an insecure default configuration that exposes an SSH management service on TCP port 4118 protected only by a well-known default password.
According to the advisory, WatchGuard Firebox appliances through September 10, 2025, ship with the default SSH credentials admin:readwrite, and the service listening on port 4118 accepts them until an administrator changes the passphrase.
This means that any attacker with network access to port 4118 on a device whose default passphrase was never changed can log in remotely and obtain full administrative privileges.
No special exploit tooling is required; an ordinary SSH client such as PuTTY or OpenSSH is enough to establish the connection.
According to the advisory published on GitHub, the misconfiguration affects the entire Firebox firewall series.
| Aspect | Details |
| --- | --- |
| CVE ID | CVE-2025-59396 |
| Vendor | WatchGuard |
| Product | Firebox series |
| Affected component | SSH management service (TCP port 4118) |
| Attack vector | Remote; requires only network access to port 4118 and the default credentials |
| Impact | Administrative command execution, privilege escalation, information disclosure |
An unauthenticated remote attacker can retrieve sensitive network information, including ARP tables, network configurations, and user account details. They can also access feature keys and device location data.
More critically, attackers can modify or disable firewall rules and security policies, effectively removing the protections the device is supposed to enforce.
This opens the door to lateral movement throughout the internal network, allowing attackers to spread to other systems and exfiltrate valuable data.
In worst-case scenarios, attackers could completely interrupt network services or shut down critical infrastructure protected by the firewall.
Organizations using WatchGuard Firebox devices should immediately check their configurations and change the default SSH passphrase if it has never been modified.
WatchGuard administrators should also disable SSH access on port 4118 if it is not required, or restrict it to authorized management IP addresses only.
Check WatchGuard's security advisories for firmware updates and follow the vendor's remediation guidance. This vulnerability highlights the persistent risk that default credentials pose in network security appliances.
Firewall devices exist to protect critical network infrastructure; leaving them exposed with default passwords defeats their entire purpose.
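The three checks above (is the passphrase still the default, is port 4118 reachable from networks that should not see it) can be turned into a small audit script. The following is an added example written for this page, not WatchGuard's code or the advisory author's tooling; it uses only the port and credentials the advisory names. The script name in the usage comment, the management-network allow list and the use of the third-party paramiko library for the optional login test are assumptions. The banner check authenticates to nothing and is safe to run from any vantage point; the default-login check is a real authentication attempt and must only be run against devices you are authorized to assess.

```python
"""
Authorized audit helper for the CVE-2025-59396 conditions: is a Firebox's
management SSH service on TCP 4118 reachable from where this scan runs, and
(optionally) does it still accept the documented default credentials?
Added example for this article; not WatchGuard's or the advisory author's code.
"""
import ipaddress
import socket
import sys

MGMT_PORT = 4118                          # port named in the advisory
DEFAULT_CREDS = [("admin", "readwrite")]  # default credentials named in the advisory


def parse_ssh_banner(raw: bytes):
    """Parse an RFC 4253 identification string, e.g. b'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\\r\\n'.

    Returns (protocol_version, software_version) or None if this is not SSH.
    """
    line = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    parts = line.split("-", 2)
    if len(parts) < 3 or parts[0] != "SSH":
        return None
    # softwareversion ends at the first space; anything after it is a comment
    return parts[1], parts[2].split(" ", 1)[0]


def grab_banner(host: str, port: int = MGMT_PORT, timeout: float = 3.0):
    """TCP-connect and read the server's identification string without authenticating.

    Returns the parsed banner, or None if the port is closed, filtered or not SSH.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return parse_ssh_banner(sock.recv(255))
    except OSError:
        return None


def source_is_authorized(src_ip: str, mgmt_networks) -> bool:
    """True if the scanning host sits inside one of the allow-listed management networks (assumed list)."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mgmt_networks)


def default_login_accepted(host: str, port: int = MGMT_PORT, timeout: float = 5.0):
    """Try each documented default credential pair exactly once (authorized use only).

    Returns True if a login succeeds, False if every pair is rejected or the handshake
    fails, and None if paramiko (third-party, assumed installed) is unavailable.
    """
    try:
        import paramiko
    except ImportError:
        return None
    for user, password in DEFAULT_CREDS:
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # audit: host key not yet known
        try:
            client.connect(host, port=port, username=user, password=password,
                           timeout=timeout, allow_agent=False, look_for_keys=False)
            return True
        except paramiko.AuthenticationException:
            continue
        except (paramiko.SSHException, OSError):
            return False
        finally:
            client.close()
    return False


def assess(banner, src_authorized: bool, default_accepted) -> str:
    """Turn the raw observations into a single finding line."""
    if banner is None:
        return "OK: management SSH on 4118 not reachable from this vantage point"
    if default_accepted:
        return "CRITICAL: default credentials accepted on 4118; change the admin passphrase now"
    if not src_authorized:
        return "HIGH: management SSH on 4118 reachable from a non-management network; restrict it"
    return "INFO: management SSH on 4118 reachable from an authorized management network (%s)" % banner[1]


def audit(host, src_ip, mgmt_networks, try_default_login=False):
    """Run the reachability check, then (if requested and reachable) the default-login check."""
    banner = grab_banner(host)
    accepted = default_login_accepted(host) if (banner and try_default_login) else False
    return assess(banner, source_is_authorized(src_ip, mgmt_networks), accepted)


if __name__ == "__main__":
    # usage (script name assumed):
    #   python firebox_4118_audit.py <firebox-ip> <scanner-ip> <mgmt-cidr>[,<mgmt-cidr>...] [--try-login]
    target, me, nets = sys.argv[1], sys.argv[2], sys.argv[3].split(",")
    print(audit(target, me, nets, try_default_login="--try-login" in sys.argv))
```

A "HIGH" result from a vantage point outside the management networks is itself a finding even when the passphrase has been changed, because it shows port 4118 is not restricted to authorized addresses as the mitigation above calls for. The CRITICAL result is only produced when `--try-login` is given, so the script never authenticates unless explicitly asked to.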
