Critical Security Update for WatchGuard Agent Windows Software

EXECUTIVE SUMMARY:

Critical vulnerabilities identified in the Windows-based agent software allow local attackers to achieve total system takeover by escalating privileges to the highest level. These flaws, which impact the core component responsible for endpoint management, necessitate immediate attention due to their potential for unauthorized control. Chained vulnerabilities allow standard users to bypass security boundaries, while additional flaws in patch management and discovery services pose further risks, with CVSS scores reaching up to 8.5. Users should prioritize updating to the latest software version, as these high-severity threats significantly compromise endpoint security and integrity.[emaillocker id="1283"]

• CVE-2026-6787: This vulnerability, assigned a high-severity CVSS 4.0 score of 8.5, represents a critical component of a chained attack vector that facilitates unauthorized privilege escalation. When exploited in conjunction with associated service flaws, it allows a standard local user to bypass security boundaries. The impact is severe, enabling a complete takeover of the local system with NT AUTHORITY\SYSTEM privileges. This risk is compounded by the core nature of the affected endpoint management agent.
• CVE-2026-6788: Functioning as a companion flaw to the previously noted vulnerability with a combined CVSS 4.0 score of 8.5, this issue is instrumental in the chain required for full system compromise. It enables the transition of unauthorized access from a standard user context to full system control. The exploitation risk is high for environments relying on this agent for security orchestration. Successfully leveraging this flaw results in persistent, elevated control over the local Windows environment.
• CVE-2026-41288: This vulnerability carries a CVSS score of 7.3 and affects the patch management component of the agent due to incorrect permission assignments for a resource. An authenticated local user can manipulate the service to elevate their privileges to SYSTEM. This is particularly concerning as it weaponizes a security-focused tool into an instrument for compromise. The risk involves the subversion of update mechanisms to gain unrestricted administrative access.
• CVE-2026-41286 and CVE-2026-41287: These vulnerabilities, assigned CVSS scores of 7.1, are located within the agent discovery service and represent stack-based buffer overflows that can be triggered by an unauthenticated attacker on a local network. By sending malicious buffers, an actor can cause the service to crash, resulting in a denial of service. This blinds the security agent, disables endpoint protection, and creates a window of opportunity for additional malicious activities. The exploitation risk remains high for organizations relying on the constant availability of the agent, as disabling the security agent through this method facilitates unmonitored lateral movement or further exploitation.

The complexity of these vulnerabilities, specifically the potential for full system takeover, presents a significant risk to endpoint security. Immediate deployment of the provided vendor patch is essential to restore the integrity of the management environment.

RECOMMENDATION:

• We recommend you to update WatchGuard Agent to version 1.25.03.0000.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/watchguard-agent-windows-privilege-escalation-cve-2026-6787-system-takeover/