WatchGuard Agent for Windows Flaws Enable Privilege Escalation and Discovery Service DoS
WatchGuard disclosed multiple vulnerabilities in WatchGuard Agent on Windows affecting version 1.25.02.0000 and earlier, including local privilege escalation flaws and stack-based buffer overflows in the Agent Discovery Service. The issues are tracked as CVE-2026-6787, CVE-2026-6788, CVE-2026-41288, CVE-2026-41286, and CVE-2026-41287, with one advisory describing a chained set of agent service weaknesses that can allow escalation to SYSTEM privileges.
Separate advisories also detail two buffer overflow variants in the Windows Agent Discovery Service that can trigger denial of service, expanding the impact beyond privilege abuse to service disruption. The Canadian Centre for Cyber Security echoed the vendor notice and urged organizations using affected WatchGuard Agent deployments to review the advisories and apply the vendor’s updates and mitigations.
How this story unfolded
2 events from the earliest known activity through the most recent confirmed update.
WatchGuard publishes advisories for multiple Windows Agent vulnerabilities
On 2026-05-06, WatchGuard disclosed multiple vulnerabilities affecting WatchGuard Agent on Windows 1.25.02.0000 and earlier. The advisories covered local privilege escalation flaws, including a chained service issue that could lead to SYSTEM privileges, and two stack-based buffer overflow denial-of-service variants in the Agent Discovery Service.
Canadian Centre for Cyber Security issues alert on WatchGuard advisories
On 2026-05-06, the Canadian Centre for Cyber Security published alert AV26-428 summarizing WatchGuard's disclosures. The notice urged users and administrators to review the vendor advisories and apply the necessary updates for CVE-2026-6787, CVE-2026-6788, CVE-2026-41288, CVE-2026-41286, and CVE-2026-41287.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
WatchGuard Agent Vulnerabilities Let Attackers Grant Full SYSTEM Privileges on Windows
cybersecuritynews.com
Open sourceWatchGuard security advisory (AV26-428) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceWatchGuard Agent on Windows Local Privilege Escalation to SYSTEM via Chained Agent Service Vulnerabilities | WatchGuard Technologies
watchguard.com
Open sourceWatchGuard Agent on Windows Privilege Escalation Vulnerability | WatchGuard Technologies
watchguard.com
Open sourceStack-based Buffer Overflow in WatchGuard Agent Discovery Service on Windows Causes Denial of Service - Variant B | WatchGuard Technologies
watchguard.com
Open sourceStack-based Buffer Overflow in WatchGuard Agent Discovery Service on Windows Causes Denial of Service - Variant A | WatchGuard Technologies
watchguard.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WatchGuard Patches Mobile VPN with IPSec Windows Privilege Escalation and Fireware OS LDAP Injection
WatchGuard issued advisories for a **local privilege-escalation** flaw in *Mobile VPN with IPSec* for Windows (third-party NCP-based client), tracked as **WGSA-2026-00002 / NCPVE-2025-0626**. During installation, update, or uninstallation, the MSI process can spawn `cmd.exe` windows running as **SYSTEM**; on some/older Windows configurations these prompts may be interactive, enabling a local user to hijack the process and execute arbitrary commands with **SYSTEM-level** privileges. The issue is scored **CVSS 6.3 (Medium)** but can result in full host compromise; guidance indicates affected users should update the client (reported as vulnerable up to **v15.19**) to a fixed release (reported as **v15.33**). In a separate WatchGuard advisory, the company also addressed an **LDAP injection** vulnerability in **Fireware OS** on *Firebox* appliances, tracked as **CVE-2026-1498** with a reported **CVSS 7.0**. The flaw is described as residing in the authentication interface and could allow a remote, unauthenticated attacker to manipulate LDAP queries, potentially exposing or extracting sensitive data from authentication backends; organizations running Firebox devices were advised to apply the relevant Fireware OS updates to mitigate the risk.
Mar 21, 2026
WatchGuard Firebox flaws enable file write and code execution in Fireware OS
WatchGuard disclosed two high-severity vulnerabilities in **Fireware OS** affecting Firebox appliances, including a path traversal flaw in the **Web UI** tracked as `CVE-2026-3987` and an insecure deserialization issue in the **Access Portal** tracked as `CVE-2026-4266`. The Web UI bug can let a privileged, authenticated remote attacker perform an arbitrary file write and potentially execute code in the context of an elevated system process. The Access Portal flaw can lead to arbitrary code execution as the `portald` user through insecure deserialization. The issues affect multiple Fireware OS release lines, with `CVE-2026-3987` impacting versions `12.6.1` through `12.11.8` and `2025.1` through `2026.1.2`, while `CVE-2026-4266` affects versions `12.1` through `12.11.8` and `2025.1` through `2026.1.2`. WatchGuard said the deserialization bug is not a standalone remote exploit and requires prior write access to the local filesystem, making it more relevant for post-compromise chaining. The vulnerabilities are mapped to `CWE-22` and `CWE-502`, respectively, and WatchGuard published vendor guidance including advisory `WGSA-2026-00009`; Firebox models without Access Portal support, such as the **T-15** and **T-35**, are not affected by the Access Portal issue.
Apr 2, 2026
WatchGuard Fireware OS Vulnerabilities in Firebox Appliances
WatchGuard published security advisories for multiple **Fireware OS** vulnerabilities affecting **Firebox** appliances and related deployments, and the Canadian Centre for Cyber Security urged organizations to apply updates. The issues include an **out-of-bounds write** that could allow a privileged, authenticated administrator to achieve **root-level arbitrary code execution** via an exposed management interface (**CVE-2026-3342**), and a **filesystem integrity check bypass** that could allow an attacker to maintain **limited persistence** by using a maliciously crafted firmware update package (**CVE-2026-3344**). A separate advisory also notes a **reflected XSS** issue in the Fireware Web UI (**CVE-2026-3343**). Affected versions span multiple Fireware OS branches, including **12.0–12.11.7**, **12.5.9–12.5.16** (T15/T35 models), and **2025.1–2026.1.1**, with additional impact noted for **11.x** in the out-of-bounds write advisory (11.x is end-of-life). WatchGuard’s fixes are available in **12.11.8**, **12.5.17**, and **2026.1.2** (depending on branch/model), and no workaround was listed for the integrity-check bypass or out-of-bounds write issues; organizations should prioritize patching and ensure management interfaces are not unnecessarily exposed.
Apr 1, 2026