WatchGuard issued advisories for a local privilege-escalation flaw in Mobile VPN with IPSec for Windows (third-party NCP-based client), tracked as WGSA-2026-00002 / NCPVE-2025-0626. During installation, update, or uninstallation, the MSI process can spawn cmd.exe windows running as SYSTEM; on some/older Windows configurations these prompts may be interactive, enabling a local user to hijack the process and execute arbitrary commands with SYSTEM-level privileges. The issue is scored CVSS 6.3 (Medium) but can result in full host compromise; guidance indicates affected users should update the client (reported as vulnerable up to v15.19) to a fixed release (reported as v15.33).
In a separate WatchGuard advisory, the company also addressed an LDAP injection vulnerability in Fireware OS on Firebox appliances, tracked as CVE-2026-1498 with a reported CVSS 7.0. The flaw is described as residing in the authentication interface and could allow a remote, unauthenticated attacker to manipulate LDAP queries, potentially exposing or extracting sensitive data from authentication backends; organizations running Firebox devices were advised to apply the relevant Fireware OS updates to mitigate the risk.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
To remediate CVE-2026-1498, WatchGuard recommended upgrading Firebox appliances to fixed Fireware OS releases including 2026.1, 12.11.7, and 12.5.13 for applicable models. These updates address the LDAP injection exposure in the web authentication interface.
WatchGuard also published details of CVE-2026-1498, an LDAP injection flaw in the Fireware OS authentication interface that could let a remote unauthenticated attacker retrieve sensitive information from a connected LDAP server and potentially authenticate as an LDAP user with a partial identifier if the passphrase is known. Affected versions include Fireware OS 12.0 through 12.11.6 and 2025.1 through 2025.1.4.
WatchGuard said the Windows VPN client privilege-escalation issue was fixed and advised customers to upgrade to Mobile VPN with IPSec client version 15.33 or later, with no workaround other than updating. The fix addresses the installer-related command execution risk on affected Windows systems.
WatchGuard issued advisory WGSA-2026-00002 for a local privilege-escalation vulnerability in the Mobile VPN with IPSec client for Windows, traced to NCP-provided MSI installer behavior that can expose interactive cmd.exe windows with SYSTEM privileges during install, update, or uninstall. The flaw affects client versions up to and including 15.19.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.