Skip to main content

WatchGuard Fireware OS EUVDEUVD-2026-41458

| CVE-2026-13728 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-07-02 WatchGuard GHSA-jw2p-m8jh-c458
5.9
CVSS 4.0 · Vendor: WatchGuard
Share

Severity by source

Vendor (WatchGuard) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.8 MEDIUM

AC:H reflects the 'exception circumstances' trigger condition plus FireCluster-only deployment requirement; PR:H per CVSS 4.0 vector; S:C because decrypted Access Portal credentials directly impact downstream protected resource systems.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (WatchGuard).

CVSS VectorVendor: WatchGuard

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 23:51 vuln.today

DescriptionCVE.org

In exception circumstances, WatchGuard Fireware OS on a FireCluster may use a hard-coded encryption key to encrypt saved credentials for Access Portal resources.

This vulnerability affects Fireware OS 12.1 up to and including 12.12 and 2025.1 up to and including 2026.2. This vulnerability does not affect devices that do not support the Access Portal feature or standalone Fireboxes not deployed in a FireCluster.

AnalysisAI

WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify FireCluster deployment with Access Portal enabled
Delivery
Acquire high-privilege Firebox management credentials
Exploit
Trigger or await exception circumstance activating hard-coded key
Execution
Extract encrypted Access Portal credential store
Persist
Decrypt offline using hard-coded firmware key
Impact
Authenticate to internal Access Portal resources

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following conditions simultaneously: (1) the target Firebox must be deployed in a FireCluster high-availability configuration - standalone Fireboxes are explicitly not affected; (2) the Access Portal feature must be enabled on the FireCluster with backend resource credentials configured and saved; (3) an 'exception circumstance' must have occurred that caused Fireware OS to invoke the hard-coded fallback encryption key rather than a dynamically generated one - the precise technical definition of these exceptional conditions is not disclosed in the available vendor advisory data, which is a meaningful gap in exploitability assessment; (4) the CVSS PR:H metric confirms the attacker must already possess high-privilege access to the Firebox management plane, file system, or credential storage location. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.9 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N reflects a high-confidentiality-impact vulnerability significantly constrained by deployment prerequisites and privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained high-privilege administrative access to a WatchGuard Firebox in a FireCluster deployment - through credential stuffing, phishing, or a separate management-plane vulnerability - extracts the Access Portal credential store from the file system after an exception circumstance has caused the hard-coded encryption key to be applied. The attacker then decrypts the credential blob entirely offline using the static key recovered from publicly available Fireware OS firmware, recovering plaintext credentials for all Access Portal-protected internal resources without any further interaction with the live device. …
Remediation Apply the vendor-released patch per WatchGuard security advisory WGSA-2026-00025 at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00025; the exact patched Fireware OS version was not included in the available source data and must be confirmed directly from that advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-5453 MEDIUM POC
6.5 Jul 08

Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell

CVE-2015-5452 HIGH POC
7.5 Jul 08

SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitr

CVE-2022-26318 CRITICAL POC
9.8 Mar 04

On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. Rated criti

CVE-2018-10575 CRITICAL POC
9.8 Apr 30

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated critical seve

CVE-2018-10577 HIGH POC
8.8 May 02

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices w

CVE-2016-7089 HIGH POC
7.8 Aug 24

WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifco

CVE-2018-10576 HIGH POC
7.8 Apr 30

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated high severity

CVE-2017-14616 HIGH POC
7.5 Sep 20

An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. Rated high severity (CVSS 7.5), this vulnerability

CVE-2017-8056 MEDIUM POC
5.3 Apr 22

WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC a

CVE-2022-31790 HIGH POC
7.5 Sep 06

WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication serv

CVE-2020-10532 HIGH POC
7.5 Mar 12

The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext password

CVE-2017-14615 MEDIUM POC
6.1 Sep 20

An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. Rated medium severity (CVSS 6.1), this vulnerabilit

Share

EUVD-2026-41458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy