WatchGuard Agent flaws let attackers gain SYSTEM privileges on Windows endpoints
WatchGuard has fixed several high-severity vulnerabilities in WatchGuard Agent for Windows that could let attackers gain SYSTEM privileges or crash the agent service. The flaws affect WatchGuard Agent on Windows versions up to and including 1.25.02.0000.
The most serious issue involves two chained local privilege escalation vulnerabilities, tracked as CVE-2026-6787 and CVE-2026-6788. If an attacker already has low-privileged local access to a Windows machine, they could abuse the chain to run code with NT AUTHORITY\SYSTEM privileges.
WatchGuard also fixed a separate privilege escalation bug in the patch management component and two stack-based buffer overflow flaws in the agent discovery service. All listed issues are resolved in WatchGuard Agent on Windows version 1.25.03.0000.
What WatchGuard fixed
WatchGuard published four advisories on May 6, 2026, covering five CVEs in its Windows agent. The issues affect endpoint environments where the WatchGuard Agent runs on Windows systems.
The privilege escalation bugs require local access. That means an attacker would first need a foothold on the machine, such as a compromised user account or malware running under limited privileges.
The denial-of-service flaws have a different attack path. WatchGuard says an unauthenticated attacker on the same local network could exploit the discovery service bugs to crash the agent service.
At a glance
| Item | Details |
|---|---|
| Affected product | WatchGuard Agent on Windows |
| Affected versions | 1.25.02.0000 and earlier |
| Fixed version | 1.25.03.0000 |
| Main impact | Local privilege escalation to SYSTEM and denial of service |
| Highest CVSS score | 8.5 |
| Workarounds | No workarounds listed by WatchGuard |
| Disclosure date | May 6, 2026 |
The SYSTEM privilege escalation chain is the biggest risk
CVE-2026-6787 and CVE-2026-6788 form the most important chain in this update. WatchGuard describes the issue as local privilege escalation to SYSTEM through chained agent service vulnerabilities.
NVD describes CVE-2026-6787 as a hard-coded cryptographic key issue that can allow code inclusion in an existing process. CVE-2026-6788 is an uncontrolled search path element issue that can allow the use of malicious files.
Together, these flaws matter because SYSTEM is the highest local privilege level on Windows. An attacker who reaches that level can disable protections, tamper with files, create persistence, and move from a limited compromise to full endpoint control.
Vulnerability details
| CVE | CVSS | Issue type | Potential impact |
|---|---|---|---|
| CVE-2026-6787 | 8.5 | Hard-coded cryptographic key | Can help enable code inclusion in an existing process as part of the privilege escalation chain. |
| CVE-2026-6788 | 8.5 | Uncontrolled search path element | Can allow malicious files to be used as part of the privilege escalation chain. |
| CVE-2026-41288 | 7.3 | Incorrect permission assignment | Can let an authenticated local user elevate privileges to NT AUTHORITY\SYSTEM. |
| CVE-2026-41286 | 7.1 | Stack-based buffer overflow | An unauthenticated attacker on the same local network can crash the agent service. |
| CVE-2026-41287 | 7.1 | Stack-based buffer overflow | An unauthenticated attacker on the same local network can crash the agent service. |
A separate patch management flaw also leads to SYSTEM
WatchGuard also fixed CVE-2026-41288, a privilege escalation vulnerability in the patch management component of the Windows agent.
The flaw comes from incorrect permission assignment for a resource. WatchGuard says an authenticated local user could exploit it to elevate privileges to NT AUTHORITY\SYSTEM.
This creates risk in any environment where a low-privileged account becomes compromised. The attacker may not need administrator rights at the start if the vulnerable agent remains installed.
Discovery service flaws can crash the agent
CVE-2026-41286 and CVE-2026-41287 affect the WatchGuard Agent discovery service on Windows. Both are stack-based buffer overflow vulnerabilities with a CVSS score of 7.1.
Unlike the local privilege escalation issues, these denial-of-service bugs can be triggered by an unauthenticated attacker on the same local network. WatchGuard says exploitation can crash the agent service.
A crashed security agent may reduce endpoint visibility and interrupt management functions. That makes the flaws relevant even though they do not provide SYSTEM access by themselves.
Why this matters for endpoint security
Endpoint security agents run with high privileges because they need to inspect processes, monitor activity, apply policy, and manage local protection features. That also makes them valuable targets when attackers already have a foothold.
If attackers can turn a trusted security agent into a privilege escalation path, they can use the tool’s own privileged position against the endpoint.
This is why agent updates should move quickly across managed Windows fleets. Delayed patching leaves a predictable local escalation path available to malware, insider threats, or attackers using stolen user accounts.
What administrators should do now
- Identify all Windows systems running WatchGuard Agent.
- Check whether any endpoints run version 1.25.02.0000 or earlier.
- Update affected systems to WatchGuard Agent on Windows version 1.25.03.0000.
- Prioritize shared workstations, servers, and high-value admin endpoints.
- Review local user accounts and remove unnecessary privileges.
- Monitor for unexpected agent crashes or repeated discovery service failures.
- Investigate suspicious child processes, service changes, and new scheduled tasks on affected hosts.
- Confirm update deployment through endpoint management reporting, not only through policy assignment.
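One way to carry out the first three steps across a fleet, as an added example that is not WatchGuard's own tooling: a PowerShell inventory check that reads each host's Uninstall registry entries and compares the installed agent version against 1.25.03.0000. The DisplayName match string and the registry locations are assumptions to confirm on one known host before relying on the output.

```powershell
# Added example (not WatchGuard's own tooling): report WatchGuard Agent
# installs on a Windows host and flag versions below the fixed release.
# Assumptions: the agent registers under the standard Uninstall registry
# keys with a DisplayName containing "WatchGuard Agent" (placeholder string;
# confirm it on one host).
function Get-WatchGuardAgentStatus {
    $fixedVersion = [version]'1.25.03.0000'   # fixed release from the advisories
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $entries = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WatchGuard Agent*' }   # assumed name

    if (-not $entries) {
        # No install found: still emit a row so absent hosts are visible in reports.
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Product = $null
                           Version = $null; Status = 'NotInstalled' }
        return
    }

    foreach ($e in $entries) {
        $installed = $null
        if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
            # Unparseable version string: report it instead of silently skipping it.
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Product = $e.DisplayName
                               Version = $e.DisplayVersion; Status = 'UnknownVersion' }
            continue
        }
        # [version] compares field by field, so 1.25.02.0000 sorts below 1.25.03.0000.
        $status = if ($installed -lt $fixedVersion) { 'Vulnerable' } else { 'Patched' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Product = $e.DisplayName
                           Version = $installed.ToString(); Status = $status }
    }
}

# Run locally, or fan out over the fleet (hosts.txt is an assumed inventory file):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-WatchGuardAgentStatus} | Export-Csv agent-status.csv
Get-WatchGuardAgentStatus | Format-Table -AutoSize
```

Treat this as a confirmation of the installed binary version, alongside the management console's own deployment reporting, rather than as a replacement for it.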
No workaround means patching is the main fix
WatchGuard lists no workaround for the four advisories. That leaves the fixed Windows agent release as the main remediation path for affected organizations.
Network segmentation can still reduce exposure to the discovery service denial-of-service bugs. It cannot fully address the local privilege escalation issues once an attacker already has access to the endpoint.
Security teams should also review endpoint detection rules for local privilege escalation behavior. The update fixes the product flaw, but monitoring helps detect attempts that may have occurred before patching.
FAQ
- Which versions are affected? The vulnerabilities affect WatchGuard Agent on Windows versions up to and including 1.25.02.0000.
- Which version fixes the flaws? WatchGuard Agent on Windows version 1.25.03.0000 fixes the listed vulnerabilities.
- Can any of the flaws be exploited without local access? WatchGuard says an unauthenticated attacker on the same local network could exploit CVE-2026-41286 or CVE-2026-41287 to crash the agent service.
- Can the flaws lead to SYSTEM privileges? Yes. CVE-2026-6787 and CVE-2026-6788 can be chained for local privilege escalation to SYSTEM. CVE-2026-41288 can also allow an authenticated local user to elevate privileges to NT AUTHORITY\SYSTEM.