A critical configuration flaw (CVE-2025-59396) has been discovered in WatchGuard Firebox devices, allowing remote attackers to gain unauthorized administrative access via SSH using default credentials. The vulnerability, rated CVSS 9.8, affects Firebox appliances with default settings that expose port 4118 for administrative access.
Security researchers Chanakya Neelarapu and Mark Gibson, who discovered the flaw, classified it as a “Misconfiguration / Insecure Defaults” vulnerability.
“The default configuration of WatchGuard Firebox devices through 2025-09-10 allows administrative access via SSH on port 4118 using the default credentials (admin:readwrite),” the researchers explain. “This configuration exposes the device to remote attackers who can gain full administrative access without prior authentication.”
The vulnerability stems from an insecure default configuration in the Firebox SSH service. When the device is first deployed, SSH access via port 4118 remains enabled with the built-in credentials admin:readwrite, providing full administrative privileges.
Attackers with network access to the device can connect using standard SSH tools such as PuTTY, OpenSSH, or MobaXterm, and instantly gain root-level access to the firewall and its management interface.
“An unauthenticated attacker can retrieve sensitive information such as ARP tables, network configurations, user accounts, feature keys, and device location data,” researchers wrote. “They can also modify or disable firewall rules and security policies, perform lateral movement within the internal network, and exfiltrate data or disrupt services.”
Once access is gained, the attacker effectively owns the firewall — the central security gateway for many enterprise and SMB networks. Exploiting this misconfiguration can lead to a complete compromise of the network it protects.
The researchers warn that attackers can not only disable protections but also pivot into the internal environment to execute further attacks.
Given the predictable port (4118) and publicly documented defaults, the vulnerability is likely to be exploited in mass scanning campaigns targeting unpatched or misconfigured Firebox devices exposed to the Internet.
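The practical question for an administrator is which of their own Firebox devices still answer on TCP/4118 from a vantage point that should not reach them. The script below is an example added to this article, not WatchGuard's or the researchers' code: it connects to port 4118 on each address you list, captures the SSH identification string a server sends first (RFC 4253, section 4.2), and produces a remediation list. It never authenticates and never uses the default credentials; the point is inventory, not login. The vantage point, the `192.0.2.x` sample addresses, the verdict labels and the `read_banner`/`classify`/`audit` helper names are all assumptions made for the example.

```python
"""Exposure audit for the Firebox SSH management listener on TCP/4118.

Added example for this article, not WatchGuard's or the researchers' code.
Run it from the vantage point you care about (for instance from outside the
perimeter to confirm the port is not Internet-reachable, or from the
management VLAN to confirm it is reachable only there).  The script only
connects and reads the server greeting; it never attempts authentication.
"""
import socket
from dataclasses import dataclass
from typing import Iterable

ADMIN_SSH_PORT = 4118  # port named in the advisory


@dataclass
class PortCheck:
    host: str
    port: int
    reachable: bool
    banner: str  # first line the service sent; empty if it sent nothing


def read_banner(host: str, port: int = ADMIN_SSH_PORT, timeout: float = 3.0) -> PortCheck:
    """TCP-connect to host:port and capture the server's greeting.

    A refused, filtered or unreachable connection yields reachable=False.
    An open port that sends nothing within `timeout` yields reachable=True
    with an empty banner (some non-SSH services wait for the client first).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except OSError:  # recv timed out or the peer reset after accept
                data = b""
    except OSError:  # refused, timed out, no route, or sockets not permitted
        return PortCheck(host, port, False, "")
    first_line = data.split(b"\n", 1)[0].decode("ascii", errors="replace").strip()
    return PortCheck(host, port, True, first_line)


def classify(check: PortCheck) -> str:
    """Map a PortCheck to a verdict for the remediation list (labels are ours)."""
    if not check.reachable:
        return "closed"
    if check.banner.startswith("SSH-"):
        return "ssh-exposed"   # management SSH answers from this vantage point
    return "open-non-ssh"      # something else listens on 4118; verify what it is


def audit(hosts: Iterable[str], port: int = ADMIN_SSH_PORT) -> dict:
    """Return {host: verdict} for every address in the inventory."""
    return {host: classify(read_banner(host, port)) for host in hosts}


if __name__ == "__main__":
    # Constructed sample inventory (RFC 5737 documentation range);
    # replace with the management addresses of your own devices.
    inventory = ["192.0.2.10", "192.0.2.11"]
    for host, verdict in audit(inventory).items():
        print(f"{host}:{ADMIN_SSH_PORT} -> {verdict}")
```

Any host reported as `ssh-exposed` from an untrusted vantage point belongs at the top of the remediation queue; an `open-non-ssh` result means something other than the expected service answered and should be investigated rather than ignored. Running the audit on a schedule and diffing the output catches a device that is re-deployed with factory defaults after a replacement or reset.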