Watchguard Firebox: Risk from Default Admin Password

Watchguard equips its Firebox firewalls with default passwords. Attackers can therefore allegedly gain administrative privileges.


In Watchguard's Firebox firewalls, attackers can potentially gain administrative privileges with ease. The vulnerability was initially considered critical; its impact is now disputed.

The vulnerability entry is quite concise: "The default configuration of WatchGuard Firebox devices through 2025-09-10 allows administrative access via SSH on port 4118 with the readwrite password for the admin account." (CVE-2025-59396 / EUVD-2025-38053, CVSS 9.8, risk "critical"). CERT-Bund even assigned the maximum score of CVSS 10 out of 10 for the vulnerability, but has now retracted the entry after being notified by Watchguard. A more detailed description of the flaw indicates that it is not about obtaining a password, but rather that the "admin" account is set to the password "readwrite" by default. Attackers from the network could therefore easily compromise networks protected by a Watchguard Firebox in the default configuration.

Watchguard documents the default settings, so attentive admins should have resolved the problem themselves. According to the documentation, however, the firewalls do not enforce a change of access credentials when the setup wizards are run, but they do at least make one possible. Watchguard now says: "A scenario where an administrator is instructed to change the default administrative credentials during the initial setup and they choose to re-use the default credentials does not constitute a vulnerability." As the CNA responsible for the affected scope, Watchguard has submitted a dispute for CVE-2025-59396 with the evidence provided.

This evokes memories of the cheapest Chinese home routers with the username-password combination "admin:admin". These are often documented as well, but users tend not to change them. In the case of some widely used photovoltaic inverters, the problem is even more far-reaching – the default passwords cannot be changed at all for some of them.


Anyone operating Watchguard firewalls should check their access credentials and change them promptly if necessary. The documentation that describes the default passwords does not refer to specific models, so all of the company's models appear to be affected. The vulnerability entry leaves open whether only devices up to September 10, 2025, were checked, or whether newer firmware versions have brought changes since then. The changelogs for recent firmware from 09/17/2025, for example, only mention a fix for another, older security vulnerability.
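The CVE entry ties the default credentials to the SSH management listener on port 4118. As an added example (not code from Watchguard or from the original article), the following Python script checks which devices in your own inventory answer with an SSH banner on that port from the network segment where it is run, without attempting any login. The inventory addresses are constructed placeholders and the function names are hypothetical.

```python
import socket

MGMT_SSH_PORT = 4118  # management SSH port named in the CVE entry


def probe_mgmt_ssh(host, port=MGMT_SSH_PORT, timeout=3.0):
    """Classify one device as 'unreachable', 'open-ssh' or 'open-other'.

    Only connects and reads the server's identification line;
    no authentication is attempted.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256)
            except OSError:  # includes read timeouts
                banner = b""
    except OSError:  # refused, filtered, no route, timeout
        return "unreachable"
    # SSH servers send an identification string starting with "SSH-".
    return "open-ssh" if banner.startswith(b"SSH-") else "open-other"


def audit(inventory, port=MGMT_SSH_PORT, timeout=3.0):
    """Return {host: status} for every device in the inventory."""
    return {host: probe_mgmt_ssh(host, port, timeout) for host in inventory}


def exposed(results):
    """Hosts whose management SSH answered from this vantage point."""
    return sorted(h for h, status in results.items() if status == "open-ssh")


if __name__ == "__main__":
    # Constructed inventory (documentation-range addresses); use your own.
    inventory = ["192.0.2.10", "192.0.2.11"]
    results = audit(inventory, timeout=1.0)
    for host, status in results.items():
        print(f"{host}:{MGMT_SSH_PORT} {status}")
    print("management SSH reachable from here:", exposed(results))
```

Run it once from a management network and once from a segment that should have no management access; any host listed in the second run is a device whose credentials and access policy deserve attention first.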

Watchguard firewalls have recently been in the spotlight due to serious security vulnerabilities. In mid-September, for example, the manufacturer already warned of a critical vulnerability affecting devices with the VPN function enabled. About a month later, around the end of November, 70,000 Watchguard firewalls worldwide were still accessible from the internet and vulnerable to it; in Germany alone, more than 7000 of them were affected.

Update

Watchguard has now commented on the vulnerability. The impact is disputed, as admins are asked to change the passwords during initial setup and have to actively decide to reuse the documented standard password. The article reflects that now.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.