CVE-2026-6788

High
CWE-427 — Weakness Type
Published: May 6, 2026  ·  Modified: May 13, 2026  ·  Source: NVD
CVSS v3: 7.8
📄 Description (English)

Uncontrolled Search Path Element vulnerability in WatchGuard Agent on Windows allows Using Malicious Files. This issue affects WatchGuard Agent before 1.25.03.0000.

🤖 AI Executive Summary

CVE-2026-6788 is a high-severity uncontrolled search path vulnerability in WatchGuard Agent for Windows that allows attackers to execute malicious files through DLL hijacking or path manipulation. With a CVSS score of 7.8, this vulnerability poses significant risk to organizations relying on WatchGuard security solutions. Currently, no patch is available, requiring immediate implementation of compensating controls.

🤖 AI Intelligence Analysis Analyzed: May 12, 2026 00:39
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability significantly impacts Saudi banking sector (SAMA-regulated institutions), government agencies under NCA oversight, and critical infrastructure operators including ARAMCO and telecommunications providers (STC, Mobily). WatchGuard Agent is widely deployed in enterprise environments across these sectors for endpoint protection. Exploitation could lead to lateral movement, privilege escalation, and compromise of sensitive financial and operational data. Government entities and financial institutions are particularly vulnerable due to the prevalence of Windows-based infrastructure.
🏢 Affected Saudi Sectors
- Banking and Financial Services (SAMA-regulated)
- Government and Public Administration (NCA oversight)
- Energy and Utilities (ARAMCO, power generation)
- Telecommunications (STC, Mobily, Zain)
- Healthcare and Pharmaceuticals
- Critical Infrastructure
- Defense and Security
- Large Enterprise Organizations
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all WatchGuard Agent installations across Windows endpoints, prioritizing critical systems in banking, government, and energy sectors
2. Restrict file system permissions on WatchGuard Agent installation directories to prevent unauthorized file placement
3. Implement application whitelisting on systems running WatchGuard Agent to prevent execution of unsigned binaries
4. Monitor for suspicious DLL loading patterns and process execution from WatchGuard directories

COMPENSATING CONTROLS:
5. Enable Windows Defender Application Guard or equivalent sandboxing for high-risk endpoints
6. Implement strict PATH environment variable controls and remove user-writable directories from system PATH
7. Deploy endpoint detection and response (EDR) solutions with behavioral monitoring for DLL injection attempts
8. Enforce code signing verification for all executable files in WatchGuard installation paths

DETECTION RULES:
9. Monitor for file creation/modification in WatchGuard Agent directories (typically C:\Program Files\WatchGuard\)
10. Alert on DLL loading from non-standard locations by WatchGuard processes
11. Track process execution with parent process being WatchGuard Agent components
12. Monitor for privilege escalation attempts following WatchGuard Agent execution

PATCHING:
13. Subscribe to WatchGuard security advisories for patch availability
14. Plan immediate deployment of version 1.25.03.0000 or later when released
15. Establish testing procedures for WatchGuard Agent updates in isolated environments before production deployment
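
Detection rule 10 (DLL loads from non-standard locations by WatchGuard processes), combined with the signing check from step 8, as an added example that is not WatchGuard's or this page's own code. It assumes image-load telemetry using Sysmon Event ID 7 field names; the `Agent` subfolder, `agent_example.exe` and the list of standard DLL roots are assumptions, and the events are constructed.

```python
import ntpath

# Assumption: install root is the page's "typically" path; adjust per deployment.
AGENT_ROOT = r"C:\Program Files\WatchGuard"
# Assumption: locations treated as standard DLL sources for the agent.
STANDARD_ROOTS = (AGENT_ROOT, r"C:\Windows\System32",
                  r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

def norm(path):
    """Collapse '..' segments and fold case so comparisons behave like Windows."""
    return ntpath.normcase(ntpath.normpath(path))

def under(path, root):
    """True if path is root itself or lies inside it after normalization."""
    p, r = norm(path), norm(root)
    return p == r or p.startswith(r + "\\")

def suspicious_loads(events):
    """Return (loaded_path, reason) for image loads made by agent processes."""
    hits = []
    for ev in events:
        if not under(ev["Image"], AGENT_ROOT):
            continue  # loading process is not an agent component
        dll = ev["ImageLoaded"]
        if not any(under(dll, root) for root in STANDARD_ROOTS):
            hits.append((norm(dll), "non-standard location"))
        elif ev.get("Signed", "false").lower() != "true":
            hits.append((norm(dll), "unsigned module"))
    return hits

# Constructed events; the "Agent" subfolder and agent_example.exe are hypothetical.
EXE = r"C:\Program Files\WatchGuard\Agent\agent_example.exe"
SAMPLE_EVENTS = [
    {"Image": EXE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": EXE, "ImageLoaded": r"C:\ProgramData\Temp\version.dll", "Signed": "false"},
    # Path that starts inside the install root but escapes it through '..'
    {"Image": EXE, "Signed": "true",
     "ImageLoaded": r"C:\Program Files\WatchGuard\Agent\..\..\..\Users\Public\helper.dll"},
    # Unsigned module sitting inside the install directory itself
    {"Image": EXE, "ImageLoaded": r"c:\program files\watchguard\agent\plugin.dll", "Signed": "false"},
    # Load by an unrelated process: out of scope for this rule
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\Public\x.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, reason in suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {path}")
```

Normalizing before the prefix comparison is what keeps a `..` path or a case variant from passing as a load from the install directory.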
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Access Control Policies
- ECC 2024 A.5.2.1 - User Registration and Access Rights Management
- ECC 2024 A.8.1.1 - Information Security Awareness and Training
- ECC 2024 A.12.2.1 - Change Management Procedures
- ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
- SAMA CSF ID.AM-2 - Hardware and Software Assets
- SAMA CSF PR.AC-1 - Access Control Policy
- SAMA CSF PR.PT-1 - Security Awareness and Training
- SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
- SAMA CSF RS.MI-1 - Incidents are contained
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.1 - Policies for Information Security
- ISO 27001:2022 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001:2022 A.8.1 - Awareness and Training
- ISO 27001:2022 A.12.2 - Configuration Management
- ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
- PCI DSS 2.4 - Document and implement policies and procedures to manage components connected to cardholder data environment
- PCI DSS 6.2 - Ensure that all system components and software are protected from known vulnerabilities
- PCI DSS 11.2 - Run automated vulnerability scanning tools regularly
📦 Affected Products / CPE 1 entries
watchguard:agent
📊 CVSS Score: 7.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: L (Local)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 7.8
CWE: CWE-427
EPSS: 0.01%
Exploit: No
Patch: No
Published: 2026-05-06
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0
Priority: CRITICAL