Local Privilege Escalation Flaws in Enterprise VPN/SASE Windows Clients

Tags: privilege escalation, vpn, windows client, local access, ipsec, certificate store, sase, windows, cmd.exe, jwt, system, harmony sase, patch

Updated January 30, 2026 at 04:03 AM · 2 sources

Two separate local privilege-escalation issues were disclosed in widely deployed Windows remote-access clients. WatchGuard published an advisory for NCP IPSec VPN Client as shipped with WatchGuard Mobile VPN with IPSec for Windows, where installation/update/uninstall actions can briefly open interactive cmd.exe windows running as SYSTEM; on older Windows versions, an attacker with local access can execute commands in that prompt to gain SYSTEM privileges and bypass administrative protections. WatchGuard states the issue affects versions up to 15.19 and is fixed in 15.33 (advisory WGSA-2026-00002, tracked as NCPVE-2025-0626).

Separately, reporting described a privilege-escalation weakness in the Check Point Harmony SASE (Perimeter81) Windows client, tracked as CVE-2025-9142 and affecting versions below 12.2. The issue is attributed to insufficient validation of JWT values passed via a URI handler (perimeter81://) to a SYSTEM-privileged service component (Perimeter81.Service.exe), enabling directory traversal (e.g., ../../../) and file write/delete outside the intended certificate working directory. The described attack chain includes crafting a malicious URL, abusing a whitelisted auth domain, and using symlink/object-manager tricks to redirect certificate writes performed with SYSTEM privileges, potentially leading to full local compromise.
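The root cause described above is a privileged service joining an attacker-influenced value from a JWT onto its certificate working directory without checking the result stays inside that directory. The following is an added illustration, not Check Point's code: it shows the unsafe join pattern next to a hardened version that verifies the token's signature before reading any claim, restricts the certificate name to a single plain file name, and then checks the canonicalized path is still contained in the working directory. The `cert_name` claim, the HS256 shared key, and the directory path are constructed assumptions for the example; the real client's claim names and token algorithm are not stated on the page.

```python
import base64
import hashlib
import hmac
import json
import os
import re

# Constructed values for this example (not the real client's configuration):
# a SYSTEM-owned certificate working directory and the IdP's signing key.
CERT_DIR = "/var/lib/example-vpn/certs"
HMAC_KEY = b"example-shared-secret-not-for-production"

# A certificate file name must be a single path component with a known
# extension: no separators, no drive letters, no traversal sequences.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(crt|pem|cer)$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Constructed HS256 token builder standing in for the identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = HMAC_KEY) -> dict:
    """Validate the signature first; claims from an unverified token are untrusted."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def unsafe_cert_path(name: str, base_dir: str = CERT_DIR) -> str:
    """The pattern the advisory describes: untrusted input joined onto the
    working directory with no containment check, so '../../../x' escapes it."""
    return os.path.normpath(os.path.join(base_dir, name))


def safe_cert_path(name: str, base_dir: str = CERT_DIR) -> str:
    """Hardened form: allow-list the name, then confirm the canonical path
    is still under the canonical base directory."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected certificate name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Defense in depth: holds even if the allow-list is loosened later.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes certificate directory: {candidate!r}")
    return candidate


def evaluate(token: str, key: bytes = HMAC_KEY, base_dir: str = CERT_DIR):
    """Full check a URI handler should perform before any privileged file
    operation. Returns ("allowed", path) or ("rejected", reason)."""
    try:
        claims = verify_token(token, key)
        return "allowed", safe_cert_path(str(claims.get("cert_name", "")), base_dir)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed inputs: a legitimate name, a traversal attempt, a forged token.
    for tok in (
        make_token({"cert_name": "client.crt"}),
        make_token({"cert_name": "../../../etc/evil.dll"}),
        make_token({"cert_name": "client.crt"}, key=b"wrong-key"),
    ):
        print(evaluate(tok))
    print("unsafe join:", unsafe_cert_path("../../../etc/evil.dll"))
```

The two checks are deliberately independent: the allow-list rejects anything that is not a plain file name, and the `commonpath` test catches escapes that a future relaxation of the allow-list might permit. Note that neither check addresses the symlink/object-manager redirection the report also mentions; that part of the chain is mitigated by keeping the working directory writable only by the privileged service, not by path validation.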

Related Stories

WatchGuard Patches Mobile VPN with IPSec Windows Privilege Escalation and Fireware OS LDAP Injection

WatchGuard issued advisories for a **local privilege-escalation** flaw in *Mobile VPN with IPSec* for Windows (third-party NCP-based client), tracked as **WGSA-2026-00002 / NCPVE-2025-0626**. During installation, update, or uninstallation, the MSI process can spawn `cmd.exe` windows running as **SYSTEM**; on some/older Windows configurations these prompts may be interactive, enabling a local user to hijack the process and execute arbitrary commands with **SYSTEM-level** privileges. The issue is scored **CVSS 6.3 (Medium)** but can result in full host compromise; guidance indicates affected users should update the client (reported as vulnerable up to **v15.19**) to a fixed release (reported as **v15.33**). In a separate WatchGuard advisory, the company also addressed an **LDAP injection** vulnerability in **Fireware OS** on *Firebox* appliances, tracked as **CVE-2026-1498** with a reported **CVSS 7.0**. The flaw is described as residing in the authentication interface and could allow a remote, unauthenticated attacker to manipulate LDAP queries, potentially exposing or extracting sensitive data from authentication backends; organizations running Firebox devices were advised to apply the relevant Fireware OS updates to mitigate the risk.

1 month ago

Local Privilege Escalation Vulnerabilities in Windows Management Tools

A critical vulnerability in the JumpCloud Remote Assist for Windows agent (CVE-2025-34352) allows a standard user on a company-managed device to gain full, persistent SYSTEM-level control. The flaw, discovered by XM Cyber, arises from the agent's uninstallation process, which performs privileged file operations in a user-controlled temporary folder. This enables local users to exploit the uninstall routine to overwrite or delete sensitive system files, resulting in either local privilege escalation or denial of service. Over 180,000 organizations using JumpCloud are potentially at risk until the issue is remediated. Separately, Microsoft’s Windows Admin Center (WAC) is affected by a local privilege escalation vulnerability (CVE-2025-64669) due to insecure directory permissions on `C:\ProgramData\WindowsAdminCenter`. Standard users can write to this directory, which is also accessed by services running with elevated privileges, allowing attackers to exploit extension uninstall mechanisms or DLL hijacking to obtain SYSTEM-level access. Both vulnerabilities highlight the risks posed by improper privilege separation and insecure file system permissions in widely deployed Windows management tools.

3 months ago
Microsoft Patches Windows RasMan DoS and Windows Error Reporting Privilege Escalation

Microsoft released fixes for multiple Windows local vulnerabilities affecting core services used in enterprise environments. One issue in the **Remote Access Connection Manager (RasMan)** service was exploited to trigger a local **denial-of-service (DoS)** by crashing the remote access service, which can disrupt **VPN connectivity** and interrupt remote access workflows on unpatched systems; Microsoft described the condition as allowing an “unauthorized attacker to deny service locally.” Separately, Microsoft patched **CVE-2026-20817**, a **Windows Error Reporting Service** (*wersvc.dll*) local privilege escalation that can allow a standard user to obtain **SYSTEM-level** execution via ALPC messaging and insufficient authorization checks in request handling (notably around `CWerService::SvcElevatedLaunch`). Reporting indicates the service could be coerced into creating a new token derived from the WER service’s SYSTEM token (with `SeTcbPrivilege` removed but other powerful rights retained), enabling high-impact post-exploitation actions such as credential theft and full host takeover; a **proof-of-concept (PoC)** was also reported as available.

1 month ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.