WatchGuard VPN Client Flaw on Windows Enables SYSTEM‑Level Command Execution


WatchGuard has released a critical security update for its Mobile VPN with IPSec client for Windows to address a privilege escalation vulnerability.

The flaw, originating in the underlying software provided by NCP engineering, allows local attackers to execute arbitrary commands with the highest available privileges on a compromised machine.

The vulnerability is tracked as NCPVE-2025-0626 (WatchGuard Advisory WGSA-2026-00002).

It affects the WatchGuard Mobile VPN with IPSec client for Windows, specifically versions 15.19 and older.

The issue resides within the MSI installer process used during the software’s lifecycle management.

Technical Analysis

The security defect manifests during specific administrative actions, including the installation, update, or uninstallation of the VPN client.

During these processes, the application temporarily spawns command-line windows (cmd.exe) running under the SYSTEM account.

On older versions of Windows, these command prompts are interactive. This creates a race-condition window in which a local attacker with only low privileges can interact with the open command prompt.

By doing so, they can execute arbitrary programs or commands that inherit SYSTEM rights.

This successfully bypasses administrative protection mechanisms, granting the attacker unrestricted control over the endpoint.
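The pattern described above (an interactive cmd.exe started as SYSTEM by the MSI installer engine during install, update or uninstall) is something a SOC can look for in endpoint telemetry. The following PowerShell is an added example written for this article, not code from WatchGuard or NCP. It assumes process-creation records with Sysmon Event ID 1 field names (Image, ParentImage, User, TerminalSessionId); the sample records are constructed, and the classification function is the part you would wire into your own log pipeline.

```powershell
# Added example (not from the WatchGuard/NCP advisory): flag process-creation
# records matching the advisory's description: cmd.exe launched as SYSTEM by
# msiexec.exe in an interactive desktop session.
# Assumption: records use Sysmon Event ID 1 (ProcessCreate) field names.

function Test-InstallerSystemShell {
    param(
        [Parameter(Mandatory)][hashtable]$Event
    )
    $isCmd       = ($Event.Image -match '\\cmd\.exe$')
    $fromMsi     = ($Event.ParentImage -match '\\msiexec\.exe$')
    $isSystem    = ($Event.User -eq 'NT AUTHORITY\SYSTEM')
    # Session 0 is the non-interactive services session; any other session
    # means the window can appear on a logged-on user's desktop.
    $interactive = ([int]$Event.TerminalSessionId -ne 0)
    return ($isCmd -and $fromMsi -and $isSystem -and $interactive)
}

# Constructed sample records for demonstration only.
$samples = @(
    @{ Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\System32\msiexec.exe'; User='NT AUTHORITY\SYSTEM'; TerminalSessionId=1 },
    @{ Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\System32\msiexec.exe'; User='NT AUTHORITY\SYSTEM'; TerminalSessionId=0 },
    @{ Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\explorer.exe';         User='CORP\alice';          TerminalSessionId=1 }
)

foreach ($e in $samples) {
    $flag = Test-InstallerSystemShell -Event $e
    '{0,-5} {1} <- {2} ({3}, session {4})' -f $flag, $e.Image, $e.ParentImage, $e.User, $e.TerminalSessionId
}
```

Only the first sample is flagged: the second runs in session 0 where no desktop is exposed, and the third is an ordinary user shell. When feeding real Sysmon events, extract the named fields from the event XML before calling the function; a hit during a scheduled client rollout on an endpoint where a user is logged on is the condition this advisory warns about and is worth correlating with the installed client version.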

The vulnerability carries a CVSS v4.0 score of 6.3 (Medium). While the attack requires local access, user interaction and only low privileges, the impact of a successful exploit is high for System Confidentiality, Integrity, and Availability.

WatchGuard and NCP have released a patch to close this security gap. The vulnerability is resolved in the WatchGuard Mobile VPN with IPSec client for Windows version 15.33.

Security administrators and SOC teams are advised to identify endpoints running vulnerable versions of the IPSec client and deploy the version 15.33 update immediately.
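To identify affected endpoints, the installed client version can be read from the Windows Uninstall registry keys and compared against the versions named in the advisory (15.19 and older affected, fixed in 15.33). The script below is an added example, not WatchGuard tooling. It assumes the client registers under the standard Uninstall keys with a DisplayName containing "Mobile VPN with IPSec"; adjust the pattern if your software inventory shows a different name.

```powershell
# Added example (not WatchGuard's own tooling): report whether the locally
# installed WatchGuard Mobile VPN with IPSec client is affected by
# NCPVE-2025-0626 / WGSA-2026-00002.
# Assumption: the client appears under the standard Uninstall registry keys
# with a DisplayName matching the pattern below.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$LastAffected = [version]'15.19'   # "15.19 and older" per the advisory
$FixedVersion = [version]'15.33'   # resolved in 15.33 per the advisory

function Get-IpsecClientStatus {
    param(
        [string]$NamePattern = '*Mobile VPN with IPSec*'   # assumed display name
    )
    $found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion }

    if (-not $found) {
        return [pscustomobject]@{ Computer=$env:COMPUTERNAME; Name=$null; Version=$null; Status='not installed' }
    }

    foreach ($app in $found) {
        try {
            $full = [version]$app.DisplayVersion
            # Compare on major.minor only: System.Version treats '15.19' as
            # lower than '15.19.0', which would misclassify a three-part build.
            $mm = [version]('{0}.{1}' -f $full.Major, $full.Minor)
            if     ($mm -le $LastAffected) { $status = 'VULNERABLE: update to 15.33' }
            elseif ($mm -ge $FixedVersion) { $status = 'patched' }
            else                           { $status = 'not named in advisory; verify with vendor' }
        } catch {
            $status = 'unparseable version string'
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $app.DisplayName
            Version  = $app.DisplayVersion
            Status   = $status
        }
    }
}

Get-IpsecClientStatus | Format-Table -AutoSize
```

Run it through your RMM, Intune or GPO scheduled-task channel and collect the objects centrally; every row marked VULNERABLE is an endpoint that needs the 15.33 update, since the advisory offers no workaround.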

There are no workarounds available for this flaw; patching is the only viable mitigation.
