Thursday, 11 June 2026

Hardcoded Encryption Key Exposes Clientless VPN User Credentials

The portald daemon (WatchGuard Authentication Portal) contains a hardcoded Fernet symmetric encryption key embedded directly in compiled Python bytecode. This key is used to encrypt Clientless VPN user credentials (usernames and passwords) stored on disk. Because the key is static and identical across all Firebox deployments, any attacker who obtains the credentials file can trivially decrypt its contents — without knowing any device-specific secret. Below you'll find the details...

Logic Error in FCGEd25519.verify_key_pair() Causes Persistent Session Re-Authentication (DoS) - WatchGuard 12.12

A logic error in the FCGEd25519.verify_key_pair() method within the newly introduced fcgatewayd daemon (Firebox 12.12) causes the function to incorrectly return False when both an Ed25519 private key and public key are present and valid. Below you'll find all the details. Here we go...

WatchGuard - Race Condition and Use After Free in IKE protocol

Due to the lack of response and the breaking of all the rules of responsible disclosure by WatchGuard and HackerOne, below you'll find full disclosure for one of the bugs I found a few weeks ago in the WatchGuard appliance (12.11 and 12.12). Here we go...

SLA Breach by Vendor and Lack of Mediation Response - WatchGuard feat HackerOne

From January 2026 to April 2026, I reported security vulnerabilities through the vendor's HackerOne program in accordance with the responsible disclosure process.

Wednesday, 10 June 2026

Ghidra Sink Finder – Automated Tracking of User-Controlled Data to Security-Relevant Functions

When performing Reverse Engineering or binary analysis, one of the most common questions is: "Can user-controlled data reach a potentially dangerous function?" Let's try...

Tuesday, 9 June 2026

WatchGuard BruteForce

Some time ago I wrote a post and a small script to run a brute force attack against FortiGate appliances. (The link to that post you can find here.) This time I decided to check if a similar bug is present in the latest WatchGuard appliance (FireboxV, version 12.12). Below you'll find the details and PoC code to test it in your own LAB. Here we go...

Saturday, 6 June 2026

Building BHADGUI: Automating BloodHound Data Collection for AD Attack Paths

When you're doing Active Directory pentesting on a tight schedule, running SharpHound manually and then clicking through BloodHound's UI gets old fast. BHADGUI started as a simple wrapper and evolved into something more useful.

Hack The Box - Reactor

Reactor is an 'easy' Linux CTF machine from Season 11 on the Hack The Box platform. A few days ago I decided to check it. Below you'll find more details about it. Here we go...

Tuesday, 24 June 2025

Living Long Doing Pentests

Some time ago, I was searching online for information about vulnerabilities in popular networking devices. One of the links I came across concerned the CVE-2025-0116 vulnerability related to the handling of the LLDP (Link Layer Discovery Protocol) by Palo Alto devices. Intrigued by the description, I decided to check how it looks on my own device in a home lab environment. Below you'll find some details about it. Here we go...

Saturday, 14 June 2025

Palo Alto PostAuth CLI memory corruption bug - Metasploit module

A few days ago I posted some notes about the bug found in January in the Palo Alto VM. Today you'll find some details about a working PoC for Metasploit created for this bug. Here we go...