Two separate local privilege-escalation issues were disclosed in widely deployed Windows remote-access clients. WatchGuard published an advisory for NCP IPSec VPN Client as shipped with WatchGuard Mobile VPN with IPSec for Windows, where installation/update/uninstall actions can briefly open interactive cmd.exe windows running as SYSTEM; on older Windows versions, an attacker with local access can execute commands in that prompt to gain SYSTEM privileges and bypass administrative protections. WatchGuard states the issue affects versions up to 15.19 and is fixed in 15.33 (advisory WGSA-2026-00002, tracked as NCPVE-2025-0626).
Separately, reporting described a privilege-escalation weakness in Check Point Harmony SASE (Perimeter81) Windows client tracked as CVE-2025-9142, affecting versions below 12.2. The issue is attributed to insufficient validation of JWT values passed via a URI handler (perimeter81://) to a SYSTEM-privileged service component (Perimeter81.Service.exe), enabling directory traversal (e.g., ../../../) and file write/delete outside the intended certificate working directory; the described attack chain includes crafting a malicious URL, abusing a whitelisted auth domain, and using symlink/object-manager tricks to redirect certificate writes performed with SYSTEM privileges, potentially leading to full local compromise.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
WatchGuard published advisory WGSA-2026-00002 covering a privilege-escalation vulnerability in the NCP IPSec VPN Client MSI Installer, identified as NCPVE-2025-0626. No additional technical details were provided in the reference content.
In January 2026, details of the Check Point Harmony SASE Windows client privilege-escalation issue were publicly disclosed. Organizations were advised to upgrade to version 12.2 or later and apply hardening measures to reduce DLL injection and local abuse risk.
In November 2025, Check Point released Harmony SASE agent version 12.2 to fix CVE-2025-9142, which affected versions prior to 12.2. The update addressed a chain that could enable directory traversal, arbitrary file writes, and eventual SYSTEM-level code execution.
Check Point was notified in March 2025 about a local privilege-escalation vulnerability in the Harmony SASE Windows client (Perimeter81), later tracked as CVE-2025-9142. The flaw involved abuse of an unverified JWT in a URI handler/IPC path to influence SYSTEM-level certificate file writes.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
watchguard.com
Open sourcecybersecuritynews.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.