Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Uncontrolled Search Path Element vulnerability in WatchGuard Agent on Windows allows Using Malicious Files.This issue affects WatchGuard Agent before 1.25.03.0000.
AnalysisAI
Local privilege escalation in WatchGuard Agent for Windows allows authenticated users to execute arbitrary code with elevated system privileges through DLL hijacking. The agent searches for dependencies in user-controllable directories, enabling attackers with standard user credentials to plant malicious DLLs that load when the service starts. WatchGuard has released version 1.25.03.0000 to address this uncontrolled search path vulnerability (CWE-427).
Technical ContextAI
This vulnerability exploits CWE-427 (Uncontrolled Search Path Element), commonly manifested as DLL hijacking or binary planting on Windows systems. The WatchGuard Agent service searches for required libraries in directories that low-privilege users can write to, such as the current working directory or user-writable PATH locations. When the service loads, it executes code from these attacker-controlled libraries with SYSTEM privileges. This attack class relies on Windows' default DLL search order, which checks user-accessible locations before secure system directories. The CVSS 4.0 vector confirms local attack vector (AV:L), low complexity (AC:L), and requires only low privileges (PR:L) with no user interaction (UI:N), making it straightforward for local attackers to exploit once they have initial access to the system.
RemediationAI
Upgrade WatchGuard Agent to version 1.25.03.0000 or later as documented in WatchGuard security advisory WGSA-2026-00013 (https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00013). Until patching is complete, implement the following compensating controls: restrict write permissions on all directories in the system PATH environment variable to administrators only, preventing standard users from placing malicious DLLs; enable Windows Attack Surface Reduction rules specifically blocking untrusted executable content from loading; configure WatchGuard Agent service to use a restricted working directory with administrator-only write access; monitor file creation events in common DLL search paths (current directory, Windows system directories) for unexpected library files. Note that disabling the agent itself eliminates the vulnerability but removes endpoint security protections, creating a different risk exposure that must be weighed against the exploitation likelihood in your environment.
More in Watchguard
View allWatchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell
SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitr
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. Rated criti
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated critical seve
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices w
WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifco
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated high severity
An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. Rated high severity (CVSS 7.5), this vulnerability
WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC a
WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication serv
The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext password
An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. Rated medium severity (CVSS 6.1), this vulnerabilit
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27842
GHSA-j336-jmmp-f6w9