Network security vendor WatchGuard has published advisories for two unrelated vulnerabilities: a local privilege escalation in the Windows Mobile VPN with IPSec client, and an LDAP injection in Fireware OS that can expose data held on a connected LDAP authentication server. The first lets a standard user reach SYSTEM on a Windows endpoint; the second lets an unauthenticated remote attacker pull information out of the directory the Firebox authenticates against.
The first issue affects the WatchGuard Mobile VPN with IPSec client for Windows, specifically the MSI installer supplied by third-party vendor NCP. Tracked under NCP's own identifier NCPVE-2025-0626, the vulnerability allows a local, low-privileged user to obtain SYSTEM privileges while the installer is running.
The exposure is a short window during installation, update or removal. According to the advisory, “During certain actions such as installation, update, or uninstallation, command line windows (cmd.exe) are temporarily opened with the rights of the SYSTEM account”.
In older versions of Windows, an interactive user could potentially hijack these windows. “It is possible to execute any commands or programs with SYSTEM privileges in these interactive command prompts,” the report explains. This effectively breaks the security model of the OS, allowing a standard user to “bypass administrative protection mechanisms and gain unrestricted access to the system”.
Users running the client up to version 15.19 are vulnerable and should update to version 15.33 immediately.
The second, and potentially more far-reaching, vulnerability affects the Firebox itself. Tracked as CVE-2026-1498, it is an LDAP injection in Fireware OS with a CVSS score of 7.0, and it sits in the path the firewall uses to verify user identities against an external directory.
The vulnerability resides in the Fireware OS’s authentication interface. The advisory warns that “An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server”.
Because input supplied to the authentication interface is incorporated into the LDAP query the Firebox sends to the directory, an attacker can craft that input to change what the query matches and read back information they were never authorised to see. The second consequence is weaker than a full authentication bypass but still significant: the attacker does not need to know the exact account name. The report notes that “This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user’s valid passphrase”.
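The two outcomes the advisory describes, enumeration of directory entries and authentication with a partial identifier, are what you get whenever untrusted input is spliced into an LDAP search filter unescaped, because `*` is a wildcard in LDAP filter syntax. The following is an added illustration of that general mechanism, not WatchGuard's code and not a reproduction of the Fireware defect (the advisory does not disclose the exact injection point). The directory, account names and passphrases are constructed for the demo, and `search()` is a toy resolver that understands only `(uid=...)` filters with `*` wildcards and RFC 4515 `\xx` escapes.

```python
import re
from typing import Optional

# Constructed sample directory for the demo: uid -> (DN, passphrase). Not real data.
DIRECTORY = {
    "jsmith": ("uid=jsmith,ou=people,dc=example,dc=com", "Winter2025!"),
    "jdoe":   ("uid=jdoe,ou=people,dc=example,dc=com", "correct horse"),
    "admin":  ("uid=admin,ou=people,dc=example,dc=com", "hunter2"),
}


def escape_filter(value: str) -> str:
    """RFC 4515 escaping for an assertion value: NUL, '(', ')', '*' and '\\'
    become backslash-hex so the directory treats them as literal characters."""
    return "".join("\\%02x" % ord(c) if c in "\x00()*\\" else c for c in value)


def build_filter_vulnerable(username: str) -> str:
    """Splices the caller-controlled username straight into the filter (the bug)."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Same filter with the value escaped; '*' can no longer act as a wildcard."""
    return f"(uid={escape_filter(username)})"


def _value_to_regex(value: str) -> str:
    """Translate an LDAP assertion value into a regex the way a server interprets it:
    '*' is a wildcard, '\\xx' is an escaped literal byte, everything else is literal."""
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)


def search(ldap_filter: str) -> list:
    """Toy directory search: returns the uids matching a '(uid=<value>)' filter."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if not m:
        return []
    pattern = re.compile(_value_to_regex(m.group(1)))
    return [uid for uid in DIRECTORY if pattern.fullmatch(uid)]


def authenticate(username: str, passphrase: str, build_filter) -> Optional[str]:
    """Search-then-bind, the usual pattern: resolve the supplied name to exactly one
    entry, then verify the passphrase against that entry. Returns the DN on success."""
    matches = search(build_filter(username))
    if len(matches) != 1:
        return None
    dn, real_passphrase = DIRECTORY[matches[0]]
    return dn if passphrase == real_passphrase else None


if __name__ == "__main__":
    # Disclosure: an injected wildcard turns the filter into (uid=*) and lists every account.
    print(search(build_filter_vulnerable("*")))   # ['jsmith', 'jdoe', 'admin']
    print(search(build_filter_safe("*")))         # []
    # Partial identifier: 'jd*' resolves to jdoe, so jdoe's passphrase logs the attacker in
    # even though the attacker never supplied the full account name.
    print(authenticate("jd*", "correct horse", build_filter_vulnerable))  # uid=jdoe,ou=people,dc=example,dc=com
    print(authenticate("jd*", "correct horse", build_filter_safe))        # None
    print(authenticate("jdoe", "correct horse", build_filter_safe))       # uid=jdoe,ou=people,dc=example,dc=com
```

The escaping is the fix; the `len(matches) != 1` check is the reason a bare `*` does not also log the attacker in (it matches three accounts), and why a prefix such as `jd*` does. A production client should additionally reject identifiers that fail a strict allow-list (letters, digits, `.`, `_`, `-`) before building any filter, and bind to the resolved DN rather than comparing a stored passphrase as this toy does.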
This LDAP flaw affects a broad range of Fireware OS versions, specifically 12.0 through 12.11.6 and 2025.1 through 2025.1.4.
WatchGuard has released fixed versions for each affected branch. Administrators should upgrade to:
- Fireware OS 2026.1
- Fireware OS 12.11.7
- Fireware OS 12.5.13 (for T10/T15/T30/T50/M200/M300 models)
With one flaw opening the door to local system takeover and the other exposing directory secrets, this is a double-header update that security teams cannot afford to skip.