Severity: high

WatchGuard Agent on Windows Multiple Vulnerabilities

WatchGuard Agent on Windows (version 1.25.02.0000 and prior) is vulnerable to multiple privilege escalation and denial-of-service vulnerabilities, potentially allowing local attackers to execute arbitrary code with SYSTEM privileges or cause a denial of service.

On May 6, 2026, WatchGuard released security advisories addressing multiple vulnerabilities affecting the WatchGuard Agent on Windows, specifically versions 1.25.02.0000 and prior. These vulnerabilities include several privilege escalation flaws (CVE-2026-6787, CVE-2026-6788, CVE-2026-41288) that could allow a local attacker to gain SYSTEM privileges. Additionally, stack-based buffer overflow vulnerabilities (CVE-2026-41286, CVE-2026-41287) in the WatchGuard Agent Discovery Service could lead to a denial-of-service condition. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with elevated privileges or disrupt the normal operation of systems running the affected WatchGuard Agent.

Attack Chain

  1. Attacker gains initial access to the target Windows system as a low-privileged user through existing credentials, phishing, or other means.
  2. Attacker exploits CVE-2026-6787 or CVE-2026-6788, flaws in the agent service that can be chained, to escalate from the foothold account to SYSTEM.
  3. Alternatively, attacker exploits CVE-2026-41288, a separate privilege escalation flaw in the agent, to reach SYSTEM.
  4. For denial of service, attacker instead sends a specially crafted network request to the WatchGuard Agent Discovery Service.
  5. The malformed request triggers a stack-based buffer overflow (CVE-2026-41286 or CVE-2026-41287) within the Discovery Service.
  6. The overflow crashes the Discovery Service, producing a denial-of-service condition.
  7. With SYSTEM privileges, the attacker installs malicious software, modifies system configurations, or steals sensitive data.
  8. If denial of service is achieved, the Discovery Service on the targeted system becomes unavailable, disrupting business operations.

Impact

Successful exploitation of these vulnerabilities could have significant consequences. Privilege escalation could allow attackers to gain complete control over affected systems, leading to data breaches, malware infections, and system compromise. The denial-of-service vulnerabilities could disrupt business operations and negatively impact productivity. These vulnerabilities affect any system running WatchGuard Agent on Windows version 1.25.02.0000 and prior.

Recommendation

  • Apply the updates provided by WatchGuard that patch CVE-2026-6787, CVE-2026-6788, CVE-2026-41288, CVE-2026-41286, and CVE-2026-41287 on every system running the WatchGuard Agent on Windows, and confirm the installed version is newer than 1.25.02.0000.
  • Enable Sysmon process-creation logging (Event ID 1) and alert on processes spawned by the WatchGuard Agent service, particularly shells or living-off-the-land binaries running as SYSTEM, since these may indicate exploitation of the privilege escalation vulnerabilities.
  • Deploy the Sigma rule “Detect WatchGuard Agent Discovery Service Crash” to identify crashes of the Discovery Service that may indicate denial-of-service attempts against the WatchGuard Agent.
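The triage and detection logic behind the three recommendations above, as an added example that is not WatchGuard's or this feed's own code: a version check against the affected range, the Sysmon process-creation rule, and the Discovery Service crash rule, each run over a few constructed event records. The advisory names neither the agent's executables nor its Windows service name, so `AGENT_IMAGE`, `DISCOVERY_IMAGE` and `DISCOVERY_SERVICE` are placeholders to be replaced with the paths and names observed in your environment.

```python
"""Triage helpers for the WatchGuard Agent advisory (added example, not vendor code)."""

# Upper bound of the affected range stated in the advisory: 1.25.02.0000 and prior.
AFFECTED_MAX = (1, 25, 2, 0)

# Placeholders: the advisory does not name the binaries or the service. Assumed values.
AGENT_IMAGE = r"C:\Program Files\WatchGuard\Agent\WatchGuardAgent.exe"   # hypothetical
DISCOVERY_IMAGE = "WatchGuardDiscovery.exe"                              # hypothetical
DISCOVERY_SERVICE = "WatchGuard Agent Discovery Service"                # name used in the advisory

# Children a SYSTEM-level agent service has no business spawning.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}


def parse_version(text):
    """'1.25.02.0000' -> (1, 25, 2, 0); shorter strings are zero-padded to four fields."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True when the installed agent version falls inside the advisory's affected range."""
    return parse_version(version) <= AFFECTED_MAX


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_agent_spawn(events):
    """Sysmon Event ID 1 records where the agent service spawned a suspicious child.

    Mirrors the 'Detect Suspicious Processes Spawned by WatchGuard Agent' rule:
    parent image is the agent binary and the child is a shell or LOLBin. A
    SYSTEM user on such a record is the sign that privilege escalation succeeded.
    """
    hits = []
    for e in events:
        if e.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or e.get("EventID") != 1:
            continue
        if e.get("ParentImage", "").lower() != AGENT_IMAGE.lower():
            continue
        if _basename(e.get("Image", "")) in SUSPICIOUS_CHILDREN:
            hits.append(e)
    return hits


def detect_discovery_crash(events):
    """Crash evidence for the Discovery Service from the Application and System logs.

    Mirrors the 'Detect WatchGuard Agent Discovery Service Crash' rule using two
    standard Windows records: Application Error (Event ID 1000) naming the
    faulting image, and Service Control Manager 7034 ('service terminated
    unexpectedly') naming the service.
    """
    hits = []
    for e in events:
        msg = e.get("Message", "").lower()
        if (e.get("Channel") == "Application" and e.get("Provider") == "Application Error"
                and e.get("EventID") == 1000 and DISCOVERY_IMAGE.lower() in msg):
            hits.append(e)
        elif (e.get("Channel") == "System" and e.get("Provider") == "Service Control Manager"
                and e.get("EventID") == 7034 and DISCOVERY_SERVICE.lower() in msg):
            hits.append(e)
    return hits


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # Benign: svchost spawning a shell is out of scope for this rule.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Benign: agent spawning a non-suspicious helper.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": AGENT_IMAGE, "Image": r"C:\Windows\System32\conhost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # Suspicious: agent service spawning cmd.exe as SYSTEM.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": AGENT_IMAGE, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"NT AUTHORITY\SYSTEM"},
    # Benign crash of an unrelated application.
    {"Channel": "Application", "Provider": "Application Error", "EventID": 1000,
     "Message": "Faulting application name: notepad.exe, version: 10.0.19041.1"},
    # Discovery Service crash, application error record.
    {"Channel": "Application", "Provider": "Application Error", "EventID": 1000,
     "Message": f"Faulting application name: {DISCOVERY_IMAGE}, exception code: 0xc0000409"},
    # Discovery Service crash, service control manager record.
    {"Channel": "System", "Provider": "Service Control Manager", "EventID": 7034,
     "Message": f"The {DISCOVERY_SERVICE} service terminated unexpectedly."},
]

if __name__ == "__main__":
    for v in ("1.25.02.0000", "1.24.0", "1.25.03.0000"):
        print(v, "affected" if is_affected(v) else "patched")
    print("agent spawn hits:", [h["Image"] for h in detect_agent_spawn(SAMPLE_EVENTS)])
    print("discovery crash hits:", [h["EventID"] for h in detect_discovery_crash(SAMPLE_EVENTS)])
```

Exception code 0xc0000409 in the constructed crash record is STATUS_STACK_BUFFER_OVERRUN, the code Windows reports when a /GS stack cookie check fails, which is what a stack-based overflow that merely crashes the service would typically leave behind; a hardened rule can key on that code in addition to the image name.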

Detection coverage (2 rules)

Detect WatchGuard Agent Discovery Service Crash

high

Detects potential denial-of-service attacks against the WatchGuard Agent Discovery Service by monitoring for crashes related to buffer overflows.

Type: sigma. Tactics: impact. Techniques: T1499.004. Sources: application, windows.

Detect Suspicious Processes Spawned by WatchGuard Agent

medium

Detects suspicious processes spawned by the WatchGuard Agent, which may indicate exploitation of privilege escalation vulnerabilities.

Type: sigma. Tactics: defense_evasion, privilege_escalation. Techniques: T1068. Sources: process_creation, windows.
