
WatchGuard patches high-severity privilege escalation flaw in Mobile VPN client
WatchGuard fixed CVE-2026-13079, a high-severity local privilege escalation flaw in its Mobile VPN with SSL Windows client.
WatchGuard has published a security advisory for CVE-2026-13079, a high-severity local privilege escalation vulnerability in the Windows client for WatchGuard Mobile VPN with SSL. The advisory says the flaw can let a local attacker elevate privileges to NT AUTHORITY\SYSTEM on a machine where the vulnerable VPN client is installed, making it a post-compromise risk for organizations that rely on the client for remote access.
The issue affects Mobile VPN with SSL client for Windows versions up to and including 2026.2. WatchGuard lists the advisory as resolved and says the fix is available in version 2026.2.1. The company assigned the vulnerability a CVSS 4.0 score of 7.3, with a local attack vector, low attack complexity, low privileges required, and no user interaction. WatchGuard credits Paul Arzelier of Truesec for reporting the issue.
Why it matters
Local privilege escalation bugs often matter most when paired with phishing, stolen credentials, exposed remote desktop access, or another foothold. A standard user account on a corporate laptop is intentionally limited; SYSTEM-level access can let an attacker disable protections, tamper with VPN components, harvest sensitive material, or move more quietly through an endpoint. VPN clients are also broadly deployed on roaming employee devices, so administrators may need to account for machines that are off-network or rarely connected to traditional patching systems.
The CVE record, published July 2, identifies the weakness as an incorrect permission assignment for a critical resource. It also confirms the affected product range and the WatchGuard vendor advisory reference. OpenCVE currently lists the bug as not present in CISA's Known Exploited Vulnerabilities catalog and shows a very low EPSS exploitation probability, but those signals do not remove the need to patch. They mainly indicate that public exploitation evidence is not yet reflected in those trackers.
Recommended response
- Inventory Windows endpoints running WatchGuard Mobile VPN with SSL and identify versions at or below 2026.2.
- Upgrade affected clients to version 2026.2.1, prioritizing shared workstations, administrator laptops, and systems used for privileged remote access.
- Review endpoint management telemetry for failed or delayed client updates, especially for machines outside the corporate network.
- Continue monitoring WatchGuard PSIRT updates in case additional detection guidance or related advisories are published.
Because WatchGuard marks workaround availability as false, patching is the clean remediation path. For teams that cannot immediately update every endpoint, reducing local account exposure and removing the VPN client from systems that no longer need it can help narrow the attack surface while the rollout is completed.
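A per-endpoint version check for the inventory step above, as an added example that is not from WatchGuard or the original article. It assumes the client registers under the standard Windows Uninstall registry keys with a DisplayName matching the wildcard shown and a DisplayVersion in the advisory's numbering; confirm both on a known install, and run it as a script because it sets an exit code.

```powershell
# Added example: flag WatchGuard Mobile VPN with SSL client installs at or below 2026.2.
# Assumptions (not from the advisory): DisplayName pattern and DisplayVersion format.
$FixedVersion = [version]'2026.2.1'                  # fixed release named in the advisory
$NamePattern  = '*WatchGuard*Mobile VPN with SSL*'   # assumed DisplayName pattern

# 64-bit and 32-bit machine-wide uninstall entries
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ClientStatus {
    param([string]$DisplayVersion)
    $parsed = $null
    # Keep only the leading dotted-numeric part, e.g. "2026.2.1 (x64)" -> "2026.2.1"
    if ($DisplayVersion -match '^\s*(\d+(\.\d+){1,3})' -and
        [version]::TryParse($Matches[1], [ref]$parsed)) {
        # Anything below the fixed release is treated as "at or below 2026.2"
        if ($parsed -lt $FixedVersion) { return 'VULNERABLE' }
        return 'Patched'
    }
    return 'UNKNOWN'   # unparseable version: review by hand, do not assume patched
}

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Get-ClientStatus -DisplayVersion $_.DisplayVersion
        }
    }

if (-not $found) {
    Write-Output ('{0}: client not found' -f $env:COMPUTERNAME)
    exit 0
}
$found | Format-Table -AutoSize
# Non-zero exit lets an endpoint-management tool flag the device for follow-up
if ($found.Status -contains 'VULNERABLE' -or $found.Status -contains 'UNKNOWN') { exit 1 }
exit 0
```

Devices that report UNKNOWN need a manual look at the installed version rather than being counted as patched.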
CyberOGZ Team





