WatchGuard Firebox appliances, widely used to protect small- to medium-sized business networks, ship with a critical flaw in their default configuration, affecting versions available as of September 10, 2025.
Specifically, the SSH service on port 4118 remains enabled and accessible remotely, accepting the factory credentials of username “admin” and password “readwrite.”
This initial setup often remains unchanged in production environments, leaving devices wide open to exploitation.
Discovered by security researchers Chanakya Neelarapu and Mark Gibson, the issue is classed as a misconfiguration and insecure default: because the credentials are the documented factory values, authentication is effectively bypassed rather than broken.
An attacker needs only a standard SSH client, such as PuTTY, to connect from anywhere on the internet, assuming the port is reachable from outside, which is common in many firewall deployments.
Once in, the intruder gains full administrative privileges, turning the Firebox into a gateway for deeper network compromise.
The impacts are severe and multifaceted. Attackers can extract sensitive data, including ARP tables, network configurations, user accounts, feature keys, and even physical device locations.
They might then tamper with firewall rules, turn off security policies, or escalate privileges to execute remote code.
This paves the way for lateral movement across the internal network, data exfiltration, or service disruptions. In essence, a single overlooked default can unravel an entire organization’s defenses, exposing it to ransomware, espionage, or worse.
The flaw affects various models across WatchGuard’s Firebox series, with the SSH service on port 4118 as the vulnerable component.
While exact firmware versions remain under investigation, the default exposure applies broadly.
The associated CVE entry lists high-severity consequences: remote code execution, privilege escalation, information disclosure, and network exposure.
To mitigate, WatchGuard urges immediate credential changes and SSH disablement where unnecessary.
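A practical way to find affected appliances in your own estate, and to confirm after remediation that the credential change and SSH lockdown took effect, is to probe each management address for TCP/4118 and then attempt exactly one login with the factory credentials named above. The script below is an added example written for this page; it is not WatchGuard’s code or tooling. It assumes the defaults the article describes (port 4118, user “admin”, password “readwrite”), uses the third-party paramiko library for the live SSH attempt, and takes a list of hosts on the command line. Both network steps are injectable so the classification logic can be exercised offline; the sample hosts in the test are constructed, not real appliances. Run it only against devices you are authorized to test, and expect the successful login to appear in the appliance audit log.

```python
"""Audit WatchGuard Firebox management SSH (TCP/4118) for the factory credential.

Added example, not WatchGuard's code. Assumes the defaults the article names
(port 4118, admin/readwrite) and paramiko for the live SSH probe.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Iterable

MGMT_PORT = 4118          # Firebox SSH management port named in the article
DEFAULT_USER = "admin"    # factory username named in the article
DEFAULT_PASSWORD = "readwrite"  # factory password named in the article


@dataclass
class Finding:
    host: str
    reachable: bool                 # TCP/4118 accepted a connection
    default_creds_accepted: bool    # admin/readwrite authenticated

    @property
    def severity(self) -> str:
        # Factory credential still works: full admin on the perimeter device.
        if self.default_creds_accepted:
            return "CRITICAL"
        # Credentials changed but management SSH is still reachable from here:
        # the article's guidance is to disable SSH where it is not needed.
        if self.reachable:
            return "MEDIUM"
        return "INFO"


def tcp_open(host: str, port: int = MGMT_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ssh_password_accepted(host: str, port: int, user: str, password: str,
                          timeout: float = 5.0) -> bool:
    """Make one SSH password-auth attempt; True only if the server accepts it."""
    import paramiko  # lazy import: the rest of the module works without it

    client = paramiko.SSHClient()
    # Host keys are not being verified here; this is an inventory probe, not a
    # session you will type secrets into. Record the key if you need to pin it.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=user, password=password,
                       timeout=timeout, banner_timeout=timeout,
                       auth_timeout=timeout, allow_agent=False,
                       look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False            # credential has been changed: good
    except (paramiko.SSHException, OSError):
        return False            # banner/transport failure: treat as not accepted
    finally:
        client.close()


def audit(hosts: Iterable[str], port: int = MGMT_PORT,
          probe_port: Callable[[str, int], bool] = tcp_open,
          try_login: Callable[[str, int, str, str], bool] = ssh_password_accepted,
          ) -> list[Finding]:
    """Classify each host; only attempt the login when the port is open."""
    findings: list[Finding] = []
    for host in hosts:
        reachable = probe_port(host, port)
        accepted = reachable and try_login(host, port, DEFAULT_USER, DEFAULT_PASSWORD)
        findings.append(Finding(host=host, reachable=reachable,
                                default_creds_accepted=bool(accepted)))
    return findings


def hosts_by_severity(findings: Iterable[Finding]) -> dict[str, list[str]]:
    """Group host addresses under their severity label for reporting."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.severity, []).append(f.host)
    return grouped


if __name__ == "__main__":
    import sys
    for f in audit(sys.argv[1:]):
        print(f"{f.severity:8} {f.host}  port_open={f.reachable} "
              f"default_creds={f.default_creds_accepted}")
```

Because `audit` only attempts the login when the port answers, it makes at most one authentication attempt per host, so it will not trip lockout thresholds. A MEDIUM result after you have rotated the password is the signal to restrict or disable management SSH on the external interface as the advisory recommends; the probe should then report INFO from the internet side.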
This incident underscores a timeless lesson: defaults are for demos, not defense.
Regular configuration reviews and adherence to least-privilege principles remain essential for fortifying defenses against such low-hanging threats.