Skip to main content

WatchGuard Agent EUVDEUVD-2026-27842

| CVE-2026-6788 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-05-06 5d1c2695-1a31-4499-88ae-e847036fd7e3 GHSA-j336-jmmp-f6w9
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 06, 2026 - 17:02 EUVD
Analysis Generated
May 06, 2026 - 16:32 vuln.today

DescriptionCVE.org

Uncontrolled Search Path Element vulnerability in WatchGuard Agent on Windows allows Using Malicious Files.This issue affects WatchGuard Agent before 1.25.03.0000.

AnalysisAI

Local privilege escalation in WatchGuard Agent for Windows allows authenticated users to execute arbitrary code with elevated system privileges through DLL hijacking. The agent searches for dependencies in user-controllable directories, enabling attackers with standard user credentials to plant malicious DLLs that load when the service starts. WatchGuard has released version 1.25.03.0000 to address this uncontrolled search path vulnerability (CWE-427).

Technical ContextAI

This vulnerability exploits CWE-427 (Uncontrolled Search Path Element), commonly manifested as DLL hijacking or binary planting on Windows systems. The WatchGuard Agent service searches for required libraries in directories that low-privilege users can write to, such as the current working directory or user-writable PATH locations. When the service loads, it executes code from these attacker-controlled libraries with SYSTEM privileges. This attack class relies on Windows' default DLL search order, which checks user-accessible locations before secure system directories. The CVSS 4.0 vector confirms local attack vector (AV:L), low complexity (AC:L), and requires only low privileges (PR:L) with no user interaction (UI:N), making it straightforward for local attackers to exploit once they have initial access to the system.

RemediationAI

Upgrade WatchGuard Agent to version 1.25.03.0000 or later as documented in WatchGuard security advisory WGSA-2026-00013 (https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00013). Until patching is complete, implement the following compensating controls: restrict write permissions on all directories in the system PATH environment variable to administrators only, preventing standard users from placing malicious DLLs; enable Windows Attack Surface Reduction rules specifically blocking untrusted executable content from loading; configure WatchGuard Agent service to use a restricted working directory with administrator-only write access; monitor file creation events in common DLL search paths (current directory, Windows system directories) for unexpected library files. Note that disabling the agent itself eliminates the vulnerability but removes endpoint security protections, creating a different risk exposure that must be weighed against the exploitation likelihood in your environment.

CVE-2015-5453 MEDIUM POC
6.5 Jul 08

Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell

CVE-2015-5452 HIGH POC
7.5 Jul 08

SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitr

CVE-2022-26318 CRITICAL POC
9.8 Mar 04

On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. Rated criti

CVE-2018-10575 CRITICAL POC
9.8 Apr 30

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated critical seve

CVE-2018-10577 HIGH POC
8.8 May 02

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15, and AP300 devices w

CVE-2016-7089 HIGH POC
7.8 Aug 24

WatchGuard RapidStream appliances allow local users to gain privileges and execute arbitrary commands via a crafted ifco

CVE-2018-10576 HIGH POC
7.8 Apr 30

An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Rated high severity

CVE-2017-14616 HIGH POC
7.5 Sep 20

An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. Rated high severity (CVSS 7.5), this vulnerability

CVE-2017-8056 MEDIUM POC
5.3 Apr 22

WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC a

CVE-2022-31790 HIGH POC
7.5 Sep 06

WatchGuard Firebox and XTM appliances allow an unauthenticated remote attacker to retrieve sensitive authentication serv

CVE-2020-10532 HIGH POC
7.5 Mar 12

The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext password

CVE-2017-14615 MEDIUM POC
6.1 Sep 20

An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. Rated medium severity (CVSS 6.1), this vulnerabilit

Share

EUVD-2026-27842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy