Use of Hard-coded Cryptographic Key in Fireware OS - CVE-2026-13728

 


Published: July 3, 2026


Vulnerability identifier: #VU136894
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-13728
CWE-ID: CWE-321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WatchGuard
Affected software: Fireware OS

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to use of a hard-coded encryption key in the Access Portal resource credential database when encrypting saved credentials for Access Portal resources. A remote privileged user can access credentials encrypted with the fallback key to disclose sensitive information.

Only FireCluster deployments are affected. Devices that do not support the Access Portal feature and standalone Fireboxes not deployed in a FireCluster are not vulnerable.


How to mitigate CVE-2026-13728

Install the security update from the vendor's website.
