Use of Hard-coded Cryptographic Key in Fireware OS - CVE-2026-13728
Published: July 3, 2026
Fireware OS
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to the use of a hard-coded encryption key in the Access Portal resource credential database when encrypting saved credentials for Access Portal resources. A remote privileged user can access credentials encrypted with the fallback key and thereby disclose sensitive information.
Only FireCluster deployments are affected. Devices that do not support the Access Portal feature, and standalone Fireboxes not deployed in a FireCluster, are not vulnerable.
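
The weakness class described above (a credential store that falls back to a key shared by every unit), shown beside a fail-closed alternative. This is an added illustration, not Fireware code: every name, the constant, and the sample credential are constructed, and the HMAC-based keystream only stands in for a vetted AEAD.

```python
import hashlib, hmac, os

# Constructed constant standing in for a key compiled into every firmware image.
FALLBACK_KEY = hashlib.sha256(b"constructed-demo-fallback").digest()

class KeyUnavailable(Exception):
    """Raised when no per-deployment key has been provisioned."""

def _keystream(key, nonce, n):
    # Illustrative HMAC-SHA256 counter keystream; use a vetted AEAD in real code.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def select_key_weak(provisioned):
    # Anti-pattern: silently substitute the shared constant when no key is provisioned.
    return provisioned if provisioned else FALLBACK_KEY

def select_key_strict(provisioned):
    # Hardened: fail closed so nothing is ever stored under a key every unit shares.
    if not provisioned or len(provisioned) != 32:
        raise KeyUnavailable("no per-deployment key; refusing to store credential")
    return provisioned

def demo():
    secret = b"svc-account:constructed-password"
    # A unit without a provisioned key saves a credential through the weak selector.
    blob = seal(select_key_weak(None), secret)
    # The firmware constant alone is enough to read it back.
    recovered = unseal(FALLBACK_KEY, blob)
    # Under a unique per-deployment key the constant yields only garbage.
    blob2 = seal(select_key_strict(os.urandom(32)), secret)
    return recovered, unseal(FALLBACK_KEY, blob2)
```

The defensive point is the difference between the two selectors: a store that raises when its key is missing surfaces the provisioning failure instead of quietly protecting credentials with a value that is identical on every device.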