CVE-2026-13728 PUBLISHED

WatchGuard Firebox Hardcoded Fallback Encryption Key in Access Portal Resource Credential Database

Assigner: WatchGuard
Reserved: 29.06.2026 Published: 02.07.2026 Updated: 02.07.2026

In exceptional circumstances, WatchGuard Fireware OS on a FireCluster may use a hard-coded encryption key to encrypt saved credentials for Access Portal resources.

This vulnerability affects Fireware OS 12.1 up to and including 12.12 and 2025.1 up to and including 2026.2. This vulnerability does not affect devices that do not support the Access Portal feature or standalone Fireboxes not deployed in a FireCluster.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
CVSS Score: 5.9

Product Status

Vendor: WatchGuard
Product: Fireware OS
Versions: Default: unaffected
  • affected from 12.1 to 12.12 (incl.)
  • affected from 2025.1 to 2026.2 (incl.)

Credits

  • Cody Sixteen (finder)

Problem Types

  • CWE-798 Use of Hard-coded Credentials

Impacts

  • CAPEC-37 Retrieve Embedded Sensitive Data