WatchGuard Firebox reported having well-known default credentials, vendor says by design
Take action: WatchGuard says this isn't a vulnerability but unchanged default passwords will still get you hacked. If you have WatchGuard Firebox firewalls, immediately verify that you've changed the default "admin/readwrite" and "status/readonly" SSH credentials on port 4118. These are well-known defaults that attackers can easily exploit. Make sure to restrict SSH access to standard port and to 4118 to trusted management networks only.
Learn More
A security concern affecting WatchGuard Firebox firewall devices has been reported about a default credential flaw in all devices.
The original flaw was tracked as CVE-2025-59396 (CVSS score 9.8), a default configuration of WatchGuard Firebox devices allowed administrative access via SSH on port 4118 with the "readwrite" password for the "admin" account. This configuration would theoretically expose devices to remote attackers who could gain full administrative access.
WatchGuard rejected the vulnerability just four days later on November 10, 2025, with the explicit designation "Not a security vulnerability". WatchGuard's rejection clarifies that the reported issue represents documented default configuration settings that administrators are expected to change during the device setup process, rather than a genuine security flaw requiring patching.
The factory-default credentials documented by WatchGuard include two built-in accounts: the "status" account (read-only) with the default password "readonly," and the "admin" account (read/write) with the default password "readwrite." WatchGuard's official documentation explicitly describes the default credentials and provides clear warnings that administrators must change them during initial setup.
The CVE entry was modified by WatchGuard Technologies on November 10, 2025, changing its status from an active vulnerability to rejected, with the official reason listed as "Not a security vulnerability."
Despite the official rejection of CVE-2025-59396 as a security vulnerability, it's still a security consideration. Administrators bear responsibility for properly securing devices during initial configuration, including changing all default credentials before deployment into production environments.
Organizations operating WatchGuard Firebox firewalls should immediately verify that all devices have had their default credentials changed. Network access control policies should restrict SSH access on port 4118 to authorized management networks only.
