Critical Flaw in WatchGuard VPN Client for Windows Allows SYSTEM-Level Access; Update Urgently Recommended

Critical Vulnerability in WatchGuard VPN Client for Windows Grants SYSTEM-Level Access

A significant security flaw has been identified in WatchGuard’s Mobile VPN with IPSec client for Windows, potentially allowing local attackers to execute commands with SYSTEM-level privileges. This vulnerability, designated as WGSA-2026-00002, stems from the underlying software provided by NCP Engineering, which WatchGuard utilizes for its IPSec client.

Technical Details and Exploitation

The vulnerability arises during the software’s maintenance processes, including installation, updates, or uninstallation. During these operations, the MSI installer initiates command-line interfaces (cmd.exe) to perform background tasks. Notably, these command prompts operate with SYSTEM account rights—the highest privilege level on Windows systems.

On older Windows versions, these command windows are interactive rather than concealed. This interactivity creates an opportunity for local attackers or malicious insiders to intervene, interact with the open command prompt, and execute arbitrary commands. Because the command prompt itself runs with SYSTEM rights, any command an attacker launches from it inherits these elevated privileges, potentially leading to full system compromise.
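For defenders, the behavior described above leaves a recognizable process lineage: msiexec.exe starting cmd.exe as SYSTEM, followed by anything launched from that shell. The sketch below is an added example, not code from WatchGuard, NCP or the original article. It assumes process-creation telemetry with Sysmon Event ID 1 field names, treats a non-zero session ID as a sign the shell ran in a user session, and uses constructed sample events.

```python
import ntpath

SYSTEM = "NT AUTHORITY\\SYSTEM"

def ev(pid, ppid, image, user, session):
    """Build one event using Sysmon Event ID 1 field names."""
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "User": user, "TerminalSessionId": session}

# Constructed sample events (not taken from a real host or from the advisory).
EVENTS = [
    ev(4120, 812, r"C:\Windows\System32\msiexec.exe", SYSTEM, 1),
    ev(5300, 4120, r"C:\Windows\System32\cmd.exe", SYSTEM, 1),
    ev(5312, 5300, r"C:\Windows\System32\conhost.exe", SYSTEM, 1),
    ev(5344, 5300, r"C:\Windows\System32\whoami.exe", SYSTEM, 1),
    ev(6100, 3004, r"C:\Windows\System32\cmd.exe", r"CORP\alice", 1),
    ev(3004, 2990, r"C:\Windows\explorer.exe", r"CORP\alice", 1),
]

def base(path):
    return ntpath.basename(path).lower()

def find_installer_shells(events):
    """Return SYSTEM cmd.exe processes started by msiexec.exe, with descendants."""
    by_pid = {e["ProcessId"]: e for e in events}  # assumes no PID reuse in the window
    kids = {}
    for e in events:
        kids.setdefault(e["ParentProcessId"], []).append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e["ParentProcessId"])
        if not (base(e["Image"]) == "cmd.exe" and e["User"].upper() == SYSTEM
                and parent and base(parent["Image"]) == "msiexec.exe"):
            continue
        stack, seen, spawned = [e["ProcessId"]], set(), []
        while stack:  # walk everything launched from the shell
            pid = stack.pop()
            if pid in seen:
                continue
            seen.add(pid)
            for child in kids.get(pid, []):
                stack.append(child["ProcessId"])
                if base(child["Image"]) != "conhost.exe":  # console host is expected
                    spawned.append(base(child["Image"]))
        # Assumption: a non-zero session ID means the shell ran in a user session.
        findings.append({"shell_pid": e["ProcessId"],
                         "user_session": e["TerminalSessionId"] != 0,
                         "spawned": spawned})
    return findings
```

Installers legitimately run their own child processes from such shells, so each finding is a lead for review against the maintenance window, not a verdict.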

The Common Vulnerability Scoring System (CVSS) assigns this flaw a base score of 6.3, categorizing it as Medium severity. However, the high impact ratings on Confidentiality, Integrity, and Availability indicate that successful exploitation could result in complete control over the affected system.

Affected Versions and Remediation

This vulnerability affects the WatchGuard Mobile VPN with IPSec client for Windows up to and including version 15.19. Security teams managing endpoints with this software should prioritize remediation, especially on legacy Windows systems where the interactive command prompt behavior is more prevalent.

Currently, no workarounds are available to mitigate this flaw without updating the software. WatchGuard and NCP have released a fix in the latest version. Administrators are advised to immediately upgrade all affected endpoints to WatchGuard Mobile VPN with IPSec client version 15.33 or higher. This update modifies the installer behavior to prevent the exposure of interactive command windows with elevated privileges.