Mallory

WatchGuard Patches Mobile VPN with IPSec Windows Privilege Escalation and Fireware OS LDAP Injection

Tags: watchguard, privilege escalation, mobile vpn, ipsec, fireware os, vpn client, ldap injection, remote attacker, unauthenticated, patch, sensitive data exposure, ldap queries, vulnerability, cvss, msi installer
Updated February 5, 2026 at 05:04 PM · 2 sources


WatchGuard issued advisories for a local privilege-escalation flaw in Mobile VPN with IPSec for Windows (a third-party, NCP-based client), tracked as WGSA-2026-00002 / NCPVE-2025-0626. During installation, update, or uninstallation, the MSI process can spawn cmd.exe windows running as SYSTEM; on some older Windows configurations these prompts may be interactive, enabling a local user to hijack the process and execute arbitrary commands with SYSTEM-level privileges. The issue is scored CVSS 6.3 (Medium) but can result in full host compromise; guidance indicates affected users should update the client (reported as vulnerable up to v15.19) to a fixed release (reported as v15.33).

In a separate WatchGuard advisory, the company also addressed an LDAP injection vulnerability in Fireware OS on Firebox appliances, tracked as CVE-2026-1498 with a reported CVSS 7.0. The flaw is described as residing in the authentication interface and could allow a remote, unauthenticated attacker to manipulate LDAP queries, potentially exposing or extracting sensitive data from authentication backends; organizations running Firebox devices were advised to apply the relevant Fireware OS updates to mitigate the risk.
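The defect class behind the Fireware OS finding is the same one seen in any application that splices untrusted input into an LDAP search filter. The following is an added example, not WatchGuard or Fireware code and not based on the advisory's internals: a hypothetical login lookup built the injectable way and the escaped way, with the escaping rules taken from RFC 4515. The attribute names, the filter shape and the sample username are constructed for illustration.

```python
# Added example (not WatchGuard/Fireware code): building an LDAP search filter
# from untrusted input. The unsafe builder concatenates the value verbatim; the
# safe builder escapes the filter metacharacters defined in RFC 4515 section 3.

# Metacharacters that change filter structure; each is replaced by "\" + two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the username is spliced into the filter unchanged,
    so characters such as ')' and '(' can close the intended assertion and
    open new ones."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: the username can only ever be one literal assertion value."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def assertion_count(ldap_filter: str) -> int:
    """Count filter elements by counting unescaped '(' characters. The intended
    login filter has exactly three: the '&' wrapper and two assertions."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample inputs: a normal username and one carrying filter metacharacters.
    for name in ("alice", "*)(uid=*"):
        print("unsafe:", build_login_filter_unsafe(name), assertion_count(build_login_filter_unsafe(name)))
        print("safe:  ", build_login_filter_safe(name), assertion_count(build_login_filter_safe(name)))
```

The structural check is the point: with escaping, every input produces a filter with the same three elements, so the directory server evaluates the query the application intended rather than one shaped by the request. Most LDAP client libraries ship an equivalent escaping helper; the hand-written version here just makes the rule visible.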


Related Stories

Local Privilege Escalation Flaws in Enterprise VPN/SASE Windows Clients


Two separate local privilege-escalation issues were disclosed in widely deployed Windows remote-access clients. WatchGuard published an advisory for **NCP IPSec VPN Client** as shipped with *WatchGuard Mobile VPN with IPSec* for Windows, where installation/update/uninstall actions can briefly open interactive `cmd.exe` windows running as **SYSTEM**; on older Windows versions, an attacker with local access can execute commands in that prompt to gain **SYSTEM** privileges and bypass administrative protections. WatchGuard states the issue affects versions up to **15.19** and is fixed in **15.33** (advisory **WGSA-2026-00002**, tracked as **NCPVE-2025-0626**). Separately, reporting described a privilege-escalation weakness in **Check Point Harmony SASE (Perimeter81) Windows client** tracked as **CVE-2025-9142**, affecting versions **below 12.2**. The issue is attributed to insufficient validation of **JWT** values passed via a URI handler (`perimeter81://`) to a SYSTEM-privileged service component (`Perimeter81.Service.exe`), enabling directory traversal (e.g., `../../../`) and file write/delete outside the intended certificate working directory; the described attack chain includes crafting a malicious URL, abusing a whitelisted auth domain, and using symlink/object-manager tricks to redirect certificate writes performed with SYSTEM privileges, potentially leading to full local compromise.

1 month ago
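The Harmony SASE issue described above combines two failures that a privileged file-writing service must guard against: a caller-supplied name containing `../` segments, and a path component that is a symlink pointing outside the working directory. The block below is an added example, not Check Point or WatchGuard code: a hypothetical `resolve_inside` helper that resolves the candidate path fully (symlinks and `..` included) and then confirms it still lies under the certificate directory, exercised against constructed inputs in a temporary directory.

```python
# Added example (not vendor code): confining a caller-supplied file name to a
# fixed working directory before a privileged component writes or deletes it.
import os
import tempfile


def resolve_inside(base_dir: str, untrusted_name: str) -> str:
    """Return the real absolute path of untrusted_name under base_dir.

    Raises ValueError if the resolved path is not strictly inside base_dir.
    Resolution happens *before* the check, so both '..' segments and symlinked
    components that point elsewhere are caught.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside {base!r}: {untrusted_name!r}")
    return candidate


def run_checks() -> dict:
    """Exercise resolve_inside against constructed names; True means accepted."""
    results = {}
    outside = tempfile.mkdtemp()                      # a directory outside the work dir
    with tempfile.TemporaryDirectory() as base:
        # Hypothetical symlink an unprivileged user planted inside the work dir.
        os.symlink(outside, os.path.join(base, "link"))
        names = [
            "client.crt",               # plain file name: accepted
            "sub/../client.crt",        # '..' that stays inside: accepted
            "../../../etc/passwd",      # escapes upward: rejected
            "link/client.crt",          # passes through a symlink to elsewhere: rejected
            "",                         # the directory itself, not a file in it: rejected
        ]
        for name in names:
            try:
                resolve_inside(base, name)
                results[name] = True
            except ValueError:
                results[name] = False
    os.rmdir(outside)
    return results


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name!r:>24} -> {'accepted' if accepted else 'rejected'}")
```

Checking the string lexically (for example, rejecting any name containing `..`) is not enough, because a symlink turns an innocent-looking relative name into an absolute path elsewhere; resolving first and comparing the result is what closes both variants. In a real service the check also has to happen under the same privileges and at the same moment as the write to avoid a swap between check and use.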
WatchGuard Fireware OS Vulnerabilities in Firebox Appliances


WatchGuard published security advisories for multiple **Fireware OS** vulnerabilities affecting **Firebox** appliances and related deployments, and the Canadian Centre for Cyber Security urged organizations to apply updates. The issues include an **out-of-bounds write** that could allow a privileged, authenticated administrator to achieve **root-level arbitrary code execution** via an exposed management interface (**CVE-2026-3342**), and a **filesystem integrity check bypass** that could allow an attacker to maintain **limited persistence** by using a maliciously crafted firmware update package (**CVE-2026-3344**). A separate advisory also notes a **reflected XSS** issue in the Fireware Web UI (**CVE-2026-3343**). Affected versions span multiple Fireware OS branches, including **12.0–12.11.7**, **12.5.9–12.5.16** (T15/T35 models), and **2025.1–2026.1.1**, with additional impact noted for **11.x** in the out-of-bounds write advisory (11.x is end-of-life). WatchGuard’s fixes are available in **12.11.8**, **12.5.17**, and **2026.1.2** (depending on branch/model), and no workaround was listed for the integrity-check bypass or out-of-bounds write issues; organizations should prioritize patching and ensure management interfaces are not unnecessarily exposed.

2 weeks ago

Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN (CVE-2025-9242)

A critical security vulnerability, tracked as CVE-2025-9242, was discovered in WatchGuard Fireware OS, which powers WatchGuard's Firebox network security appliances. This flaw is an out-of-bounds write vulnerability in the iked process, specifically within the function 'ike2_ProcessPayload_CERT' in the file 'src/ike/iked/v2/ike2_payload_cert.c'. The vulnerability arises due to a missing length check on the identification buffer, allowing a remote, unauthenticated attacker to trigger a stack-based buffer overflow. Exploitation of this flaw enables arbitrary code execution during the IKE_SA_AUTH phase of the IKEv2 handshake, which is used to establish VPN tunnels. The vulnerability affects both mobile user VPNs and branch office VPNs configured with dynamic gateway peers, making it a significant risk for organizations relying on these features.

Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1 are impacted, with fixes released in 2025.1.1, 12.11.4, 12.3.1_Update3 (FIPS-certified), and 12.5.13 for specific models. The 11.x branch has reached end-of-life and is no longer supported.

Security researchers, including McCaulay Hudson of watchTowr Labs, highlighted that the vulnerability is particularly attractive to ransomware groups due to its remote, unauthenticated nature and the fact that it targets internet-exposed perimeter appliances. WatchGuard's Fireware OS is widely deployed, protecting over 250,000 small and midsize enterprises and more than 10 million endpoints globally, amplifying the potential impact of this vulnerability. The flaw was disclosed and patched following responsible disclosure, with WatchGuard issuing an advisory and urging customers to update affected devices immediately. The vulnerability underscores the ongoing risk posed by classic buffer overflow issues, even in modern enterprise-grade security appliances.

Researchers were able to reproduce the exploit, demonstrating the ease with which attackers could compromise vulnerable systems. The lack of mainstream exploit mitigations in the affected code path further increases the risk of successful exploitation. Organizations using WatchGuard Fireware OS are advised to review their VPN configurations, apply the latest patches, and consider additional monitoring for signs of exploitation. The incident highlights the importance of timely patch management and the persistent threat posed by memory safety vulnerabilities in critical infrastructure.

5 months ago
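The root cause summarized above, a length taken from the wire and used to fill a fixed-size buffer without checking it, is worth seeing as code. The following is an added example and is not Fireware, iked or watchTowr code; it does not reproduce the real payload layout. It parses a hypothetical payload with a four-byte header (type, reserved, 16-bit length) and shows the two checks a parser must make before copying the body into a fixed-capacity identification buffer: the declared length must fit within the bytes actually received, and it must fit within the destination's capacity. `ID_MAX` and the payload type value are constructed.

```python
# Added example (not Fireware/iked code): bounded parsing of a length-prefixed
# payload into a fixed-capacity buffer. In C the missing capacity check is what
# turns an oversized declared length into a stack buffer overflow; here the
# fixed buffer is simulated with a preallocated bytearray.
import struct

HEADER_FMT = ">BBH"              # payload type, reserved, total length incl. header
HEADER_LEN = struct.calcsize(HEADER_FMT)
ID_MAX = 64                      # constructed capacity of the fixed identification buffer
PAYLOAD_TYPE_CERT = 37           # constructed type value for this example


def copy_into_fixed_buffer(body: bytes, capacity: int = ID_MAX) -> bytearray:
    """Simulate copying into a fixed-size C buffer: refuse anything that does not fit."""
    if len(body) > capacity:
        raise ValueError(f"body of {len(body)} bytes exceeds buffer capacity {capacity}")
    buf = bytearray(capacity)
    buf[: len(body)] = body
    return buf


def parse_payload(data: bytes) -> tuple:
    """Return (payload_type, identification_bytes) or raise ValueError.

    Check 1: the header itself must be present.
    Check 2: the declared length must cover the header and not exceed the data received.
    Check 3: the body must fit the fixed identification buffer (the check whose
             absence is the bug class described in the advisory summary).
    """
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    ptype, _reserved, declared = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if declared < HEADER_LEN or declared > len(data):
        raise ValueError(f"declared length {declared} inconsistent with {len(data)} bytes received")
    body = data[HEADER_LEN:declared]
    copy_into_fixed_buffer(body)          # raises if body > ID_MAX
    return ptype, body


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper for tests and log triage: True if parse_payload accepts data."""
    try:
        parse_payload(data)
        return True
    except ValueError:
        return False


def make_payload(body: bytes, declared: int = None) -> bytes:
    """Build a constructed payload; 'declared' lets a test lie about the length."""
    if declared is None:
        declared = HEADER_LEN + len(body)
    return struct.pack(HEADER_FMT, PAYLOAD_TYPE_CERT, 0, declared) + body


if __name__ == "__main__":
    samples = {
        "well formed":           make_payload(b"hello"),
        "length beyond data":    make_payload(b"hello", declared=200),
        "body exceeds capacity": make_payload(b"A" * (ID_MAX + 1)),
        "length below header":   make_payload(b"hello", declared=2),
    }
    for label, sample in samples.items():
        print(f"{label:>22}: {'accepted' if is_well_formed(sample) else 'rejected'}")
```

The third sample is the instructive one: the declared length is honest and every byte it promises is present, so a parser that only validates the length against the received data accepts it, and the copy into the fixed buffer is where a C implementation would write past the end. Both bounds have to be checked, and the capacity check belongs next to the copy.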

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.