Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for mobile_vpn_with_ssl by watchguard

    CVE-2026-13079 (GCVE-0-2026-13079)

    Vulnerability from nvd – Published: 2026-07-02 23:07 – Updated: 2026-07-07 03:56
    VLAI
    Title
    WatchGuard Mobile VPN with SSL Windows Client Local Privilege Escalation
    Summary
    A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\SYSTEM on the machine where the client is installed. This issue affects the Mobile VPN with SSL client for Windows up to and including 2026.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    WatchGuard Fireware OS Affected: 12.0 , ≤ 12.12 (semver)
    Affected: 2025.1 , ≤ 2026.2 (semver)
    Create a notification for this product.
    Credits
    Paul Arzelier, Truesec
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13079",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T03:56:26.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Fireware OS",
              "vendor": "WatchGuard",
              "versions": [
                {
                  "lessThanOrEqual": "12.12",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "2026.2",
                  "status": "affected",
                  "version": "2025.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.0",
                      "versionEndIncluding": "12.12",
                      "versionStartIncluding": "12.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1",
                      "versionEndIncluding": "2026.2",
                      "versionStartIncluding": "2025.1",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Paul Arzelier, Truesec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\\SYSTEM on the machine where the client is installed.\u003cbr\u003e\u003cbr\u003eThis issue affects the Mobile VPN with SSL client for Windows up to and including 2026.2."
                }
              ],
              "value": "A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\\SYSTEM on the machine where the client is installed.\n\nThis issue affects the Mobile VPN with SSL client for Windows up to and including 2026.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-17",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-17 Using Malicious Files"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T23:07:30.489Z",
            "orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
            "shortName": "WatchGuard"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00027"
            }
          ],
          "source": {
            "advisory": "WGSA-2026-00027",
            "defect": [
              "FBX-32881"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "WatchGuard Mobile VPN with SSL Windows Client Local Privilege Escalation",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
        "assignerShortName": "WatchGuard",
        "cveId": "CVE-2026-13079",
        "datePublished": "2026-07-02T23:07:30.489Z",
        "dateReserved": "2026-06-23T18:02:48.522Z",
        "dateUpdated": "2026-07-07T03:56:26.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4944 (GCVE-0-2024-4944)

    Vulnerability from nvd – Published: 2024-07-09 02:23 – Updated: 2024-08-01 20:55
    VLAI
    Title
    Mobile VPN with SSL Local Privilege Escalation Vulnerability
    Summary
    A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    WatchGuard Mobile VPN with SSL Client Affected: 0 , ≤ 12.10 (semver)
    Create a notification for this product.
    watchguard mobile_vpn_with_ssl Affected: 0 , < 12.10.4 (custom)
        cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-06-14 05:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mobile_vpn_with_ssl",
                "vendor": "watchguard",
                "versions": [
                  {
                    "lessThan": "12.10.4",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4944",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-09T15:16:53.320044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-09T15:19:03.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.311Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00010"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Mobile VPN with SSL Client",
              "vendor": "WatchGuard",
              "versions": [
                {
                  "lessThanOrEqual": "12.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2024-06-14T05:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged.\u003cbr\u003e"
                }
              ],
              "value": "A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged.\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-09T02:23:25.039Z",
            "orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
            "shortName": "WatchGuard"
          },
          "references": [
            {
              "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00010"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Mobile VPN with SSL Local Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
        "assignerShortName": "WatchGuard",
        "cveId": "CVE-2024-4944",
        "datePublished": "2024-07-09T02:23:25.039Z",
        "dateReserved": "2024-05-15T14:48:50.083Z",
        "dateUpdated": "2024-08-01T20:55:10.311Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-3661 (GCVE-0-2024-3661)

    Vulnerability from nvd – Published: 2024-05-06 18:31 – Updated: 2024-08-28 19:09
    VLAI
    Title
    DHCP routing options can manipulate interface-based VPN traffic
    Summary
    DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-501 - Trust Boundary Violation
    Assigner
    Impacted products
    Vendor Product Version
    IETF DHCP Affected: 0
    Create a notification for this product.
    Date Public
    2002-12-31 01:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:00.420Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://tunnelvisionbug.com/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.leviathansecurity.com/research/tunnelvision"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=40279632"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://issuetracker.google.com/issues/263721377"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=40284111"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000139553"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3661",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-08T04:00:07.962328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T19:09:06.995Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DHCP",
              "vendor": "IETF",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2002-12-31T01:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
                }
              ],
              "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-501",
                  "description": "CWE-501 Trust Boundary Violation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-01T15:04:50.790Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
            },
            {
              "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
            },
            {
              "url": "https://tunnelvisionbug.com/"
            },
            {
              "url": "https://www.leviathansecurity.com/research/tunnelvision"
            },
            {
              "url": "https://news.ycombinator.com/item?id=40279632"
            },
            {
              "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
            },
            {
              "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
            },
            {
              "url": "https://issuetracker.google.com/issues/263721377"
            },
            {
              "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
            },
            {
              "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
            },
            {
              "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
            },
            {
              "url": "https://news.ycombinator.com/item?id=40284111"
            },
            {
              "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
            },
            {
              "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
            },
            {
              "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
            },
            {
              "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
            },
            {
              "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
            },
            {
              "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
            },
            {
              "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
            },
            {
              "url": "https://my.f5.com/manage/s/article/K000139553"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "DHCP routing options can manipulate interface-based VPN traffic",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-3661",
        "datePublished": "2024-05-06T18:31:21.217Z",
        "dateReserved": "2024-04-11T17:24:22.637Z",
        "dateUpdated": "2024-08-28T19:09:06.995Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-13079 (GCVE-0-2026-13079)

    Vulnerability from cvelistv5 – Published: 2026-07-02 23:07 – Updated: 2026-07-07 03:56
    VLAI
    Title
    WatchGuard Mobile VPN with SSL Windows Client Local Privilege Escalation
    Summary
    A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\SYSTEM on the machine where the client is installed. This issue affects the Mobile VPN with SSL client for Windows up to and including 2026.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    WatchGuard Fireware OS Affected: 12.0 , ≤ 12.12 (semver)
    Affected: 2025.1 , ≤ 2026.2 (semver)
    Create a notification for this product.
    Credits
    Paul Arzelier, Truesec
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13079",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T03:56:26.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Fireware OS",
              "vendor": "WatchGuard",
              "versions": [
                {
                  "lessThanOrEqual": "12.12",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "2026.2",
                  "status": "affected",
                  "version": "2025.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.0",
                      "versionEndIncluding": "12.12",
                      "versionStartIncluding": "12.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1",
                      "versionEndIncluding": "2026.2",
                      "versionStartIncluding": "2025.1",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Paul Arzelier, Truesec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\\SYSTEM on the machine where the client is installed.\u003cbr\u003e\u003cbr\u003eThis issue affects the Mobile VPN with SSL client for Windows up to and including 2026.2."
                }
              ],
              "value": "A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\\SYSTEM on the machine where the client is installed.\n\nThis issue affects the Mobile VPN with SSL client for Windows up to and including 2026.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-17",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-17 Using Malicious Files"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T23:07:30.489Z",
            "orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
            "shortName": "WatchGuard"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00027"
            }
          ],
          "source": {
            "advisory": "WGSA-2026-00027",
            "defect": [
              "FBX-32881"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "WatchGuard Mobile VPN with SSL Windows Client Local Privilege Escalation",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
        "assignerShortName": "WatchGuard",
        "cveId": "CVE-2026-13079",
        "datePublished": "2026-07-02T23:07:30.489Z",
        "dateReserved": "2026-06-23T18:02:48.522Z",
        "dateUpdated": "2026-07-07T03:56:26.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4944 (GCVE-0-2024-4944)

    Vulnerability from cvelistv5 – Published: 2024-07-09 02:23 – Updated: 2024-08-01 20:55
    VLAI
    Title
    Mobile VPN with SSL Local Privilege Escalation Vulnerability
    Summary
    A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    WatchGuard Mobile VPN with SSL Client Affected: 0 , ≤ 12.10 (semver)
    Create a notification for this product.
    watchguard mobile_vpn_with_ssl Affected: 0 , < 12.10.4 (custom)
        cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-06-14 05:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mobile_vpn_with_ssl",
                "vendor": "watchguard",
                "versions": [
                  {
                    "lessThan": "12.10.4",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4944",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-09T15:16:53.320044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-09T15:19:03.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.311Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00010"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Mobile VPN with SSL Client",
              "vendor": "WatchGuard",
              "versions": [
                {
                  "lessThanOrEqual": "12.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2024-06-14T05:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged.\u003cbr\u003e"
                }
              ],
              "value": "A local privilege escalation vlnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileged.\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-09T02:23:25.039Z",
            "orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
            "shortName": "WatchGuard"
          },
          "references": [
            {
              "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00010"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Mobile VPN with SSL Local Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
        "assignerShortName": "WatchGuard",
        "cveId": "CVE-2024-4944",
        "datePublished": "2024-07-09T02:23:25.039Z",
        "dateReserved": "2024-05-15T14:48:50.083Z",
        "dateUpdated": "2024-08-01T20:55:10.311Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-3661 (GCVE-0-2024-3661)

    Vulnerability from cvelistv5 – Published: 2024-05-06 18:31 – Updated: 2024-08-28 19:09
    VLAI
    Title
    DHCP routing options can manipulate interface-based VPN traffic
    Summary
    DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-501 - Trust Boundary Violation
    Assigner
    Impacted products
    Vendor Product Version
    IETF DHCP Affected: 0
    Create a notification for this product.
    Date Public
    2002-12-31 01:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:00.420Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://tunnelvisionbug.com/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.leviathansecurity.com/research/tunnelvision"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=40279632"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://issuetracker.google.com/issues/263721377"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=40284111"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000139553"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3661",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-08T04:00:07.962328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T19:09:06.995Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DHCP",
              "vendor": "IETF",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2002-12-31T01:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
                }
              ],
              "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-501",
                  "description": "CWE-501 Trust Boundary Violation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-01T15:04:50.790Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
            },
            {
              "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
            },
            {
              "url": "https://tunnelvisionbug.com/"
            },
            {
              "url": "https://www.leviathansecurity.com/research/tunnelvision"
            },
            {
              "url": "https://news.ycombinator.com/item?id=40279632"
            },
            {
              "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
            },
            {
              "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
            },
            {
              "url": "https://issuetracker.google.com/issues/263721377"
            },
            {
              "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
            },
            {
              "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
            },
            {
              "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
            },
            {
              "url": "https://news.ycombinator.com/item?id=40284111"
            },
            {
              "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
            },
            {
              "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
            },
            {
              "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
            },
            {
              "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
            },
            {
              "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
            },
            {
              "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
            },
            {
              "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
            },
            {
              "url": "https://my.f5.com/manage/s/article/K000139553"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "DHCP routing options can manipulate interface-based VPN traffic",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-3661",
        "datePublished": "2024-05-06T18:31:21.217Z",
        "dateReserved": "2024-04-11T17:24:22.637Z",
        "dateUpdated": "2024-08-28T19:09:06.995Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }