PatchSiren cyber security CVE debrief
CVE-2026-13728 WatchGuard CVE debrief
WatchGuard Fireware OS is vulnerable to using a hard-coded encryption key in exception circumstances on FireClusters, affecting Access Portal resource credentials. This issue impacts Fireware OS versions 12.1 through 12.12 and 2025.1 through 2026.2. Devices without Access Portal support or standalone Fireboxes not in a FireCluster are not affected. The vulnerability exists when running on FireClusters with the Access Portal feature enabled, and in exception circumstances, the OS may utilize a hard-coded encryption key for encrypting saved credentials of Access Portal resources.
- Vendor
- WatchGuard
- Product
- Fireware OS
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-09
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-09
Who should care
Organizations using WatchGuard Fireware OS on FireClusters with Access Portal feature enabled should verify their configurations and upgrade to a patched version if necessary. This includes reviewing FireCluster configurations to ensure secure credential storage and monitoring for suspicious activity.
Technical summary
The vulnerability exists in WatchGuard Fireware OS when running on FireClusters with the Access Portal feature enabled. Specifically, in exception circumstances, the OS may utilize a hard-coded encryption key for encrypting saved credentials of Access Portal resources. The affected versions are Fireware OS 12.1 up to and including 12.12, and 2025.1 up to and including 2026.2. It is noted that devices not supporting Access Portal or standalone Fireboxes not deployed in a FireCluster are not impacted by this vulnerability. This vulnerability has a CVSS score of 5.9 and a severity of MEDIUM.
Defensive priority
Medium priority due to the specific conditions required for exploitation and the potential impact on credential security.
Recommended defensive actions
- Verify Fireware OS version and check if the device is a FireCluster with Access Portal enabled
- Consult vendor advisory for specific patching instructions
- Implement compensating controls such as monitoring for suspicious activity
- Review and update FireCluster configurations to ensure secure credential storage
- Track exceptions and retest remediated assets
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD details provide information on the vulnerability's scope and affected versions. Vendor advisory is available for mitigation steps. This vulnerability affects Fireware OS 12.1 up to and including 12.12 and 2025.1 up to and including 2026.2. Devices that do not support the Access Portal feature or standalone Fireboxes not deployed in a FireCluster are not affected. Evidence is limited, and defenders should verify their configurations and upgrade to a patched version if necessary.
Official resources
-
CVE-2026-13728 CVE record
CVE.org
-
CVE-2026-13728 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
5d1c2695-1a31-4499-88ae-e847036fd7e3 - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T00:16:52.147Z and has not been modified since then.