CVE-2025-59396 – WatchGuard Firebox Default Configuration Allows Unauthorized SSH Access via Port 4118
Description
The default configuration of WatchGuard Firebox devices through 2025-09-10 allows administrative access via SSH on port 4118 using the default credentials (admin:readwrite). This configuration exposes the device to remote attackers who can gain full administrative access without prior authentication.
Impact
An unauthenticated attacker can:

Retrieve sensitive information such as ARP tables, network configurations, user accounts, feature keys, and device location data.
Modify or disable firewall rules and security policies.
Perform lateral movement within the internal network.
Exfiltrate data or disrupt services.

This results in a complete compromise of the Firebox appliance and the network it protects.
Vulnerability Type

Misconfiguration / Insecure Defaults
Authentication Bypass via Default Credentials

Attack Vector
Remote access via SSH on port 4118 using:

Username: admin
Password: readwrite

Tools like PuTTY or any SSH client can be used to exploit this vulnerability.
Affected Product

Vendor: WatchGuard
Product: Firebox series (specific models and firmware versions TBD)
Component: SSH Service (Port 4118)
Status: Exposed by default

Discoverers

Chanakya Neelarapu
Mark Gibson

CVE ID

CVE-2025-59396

Impacts

✅ Remote Code Execution
✅ Privilege Escalation
✅ Information Disclosure
✅ Network Exposure and Lateral Movement

Reference

https://www.watchguard.com/wgrd-products/firewalls