securityonline.info 2/5/2026, 1:55:30 AM · via preferred

WatchGuard Patches VPN PrivEsc & Firebox LDAP Injection


WatchGuard has issued a dual advisory addressing two separate flaws that could enable privilege escalation on Windows endpoints or data exposure from an LDAP authentication server. The flaws affect the Mobile VPN with IPSec client and Fireware OS.

The first issue concerns the Windows MSI installer supplied by the third party NCP, tracked as NCPVE-2025-0626. A local attacker could gain full system rights by exploiting a momentary gap during installation or update, when cmd.exe windows are temporarily opened with SYSTEM privileges.

The second flaw, tracked as CVE-2026-1498, is an LDAP injection vulnerability in Fireware OS’s authentication interface. It could allow a remote unauthenticated attacker to retrieve sensitive information and potentially authenticate as an LDAP user with a partial identifier if they have that user’s passphrase. It affects Fireware OS versions 12.0–12.11.6 and 2025.1–2025.1.4.
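The following is an added illustration, not WatchGuard code and not taken from the advisory: it shows why an authentication lookup must escape user input before placing it in an LDAP search filter (RFC 4515). It assumes the "partial identifier" behaviour comes from an unescaped wildcard, which the article does not spell out; the `uid` attribute, the directory entries and all function names are constructed for the example.

```python
import re

# RFC 4515 characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory (assumption, not from the advisory).
DIRECTORY = ["jsmith", "jdoe", "admin"]


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    # Weak form: user input is concatenated into the filter unchanged.
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    # Hardened form: metacharacters are encoded as \XX hex pairs first.
    return f"(uid={escape_filter_value(username)})"


def _unescape(part: str) -> str:
    # Decode \XX hex pairs back to the literal character they stand for.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def match_uid(ldap_filter: str, directory=DIRECTORY) -> list:
    """Minimal evaluator for one (uid=...) filter: a raw '*' is a wildcard."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter, re.S)
    if not m or any(c in m.group(1) for c in "()"):
        raise ValueError("malformed or unsupported filter")
    # Raw '*' splits the value into substrings; escaped '\2a' stays literal.
    parts = [_unescape(p) for p in m.group(1).split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    return [uid for uid in directory if re.fullmatch(pattern, uid, re.I)]


if __name__ == "__main__":
    partial = "jsm*"  # constructed input: partial identifier plus wildcard
    print("unsafe:", build_filter_unsafe(partial), match_uid(build_filter_unsafe(partial)))
    print("safe:  ", build_filter_safe(partial), match_uid(build_filter_safe(partial)))
```

With the weak builder the partial identifier resolves to a real account; with escaping it matches nothing, and an exact identifier still resolves normally.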

WatchGuard has released fixed versions, with guidance to upgrade to Fireware OS 2026.1, Fireware OS 12.11.7, or Fireware OS 12.5.13 for specific models; administrators are urged to apply these updates promptly. According to the WatchGuard advisory, “During certain actions such as installation, update, or uninstallation, command line windows (cmd.exe) are temporarily opened with the rights of the SYSTEM account,” underscoring the potential impact of the PrivEsc flaw.


Article by CyberSIXT