Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows

CVE-2026-6787 is a *local* flaw in WatchGuard Agent on Windows caused by a hard-coded cryptographic key. On affected WatchGuard Agent for Windows versions up to and including 1.25.02.0000, a low-privileged local user can abuse that embedded key to help include attacker-controlled code into an existing process. On its own, this is already bad design; in practice, WatchGuard frames it as part of a chained privilege-escalation path to NT AUTHORITY\SYSTEM alongside CVE-2026-6788.

The vendor's HIGH label matches the *technical impact* but overshoots the *enterprise patch priority* once you audit the friction. This is not unauthenticated remote access, not internet-reachable, not KEV-listed, and not backed by meaningful EPSS or public exploitation evidence. The real risk is that endpoint agents run with elevated trust, so once an attacker already lands on a Windows host, this can turn a minor foothold into full local control.

Why this verdict

• Downgrade for attacker position: AV:L + PR:L means the attacker already has code execution or a user session on the endpoint. That is a major real-world narrowing versus remotely reachable bugs.
• Downgrade for chain dependency: WatchGuard explicitly describes this as part of a *chained* path with CVE-2026-6788, so CVE-2026-6787 is not the whole kill chain by itself.
• Downgrade for exploitation pressure: EPSS is effectively floor-level, there is no KEV entry, and no verified public PoC or campaign evidence turned up in primary-source review.
• Hold at MEDIUM for impact: If the chain is used successfully, the result is NT AUTHORITY\SYSTEM on a protected endpoint, which is absolutely meaningful for lateral movement, defense evasion, and persistence.

Why not higher?

This is not an unauthenticated remote bug, not an internet-facing service issue, and not a one-bug-to-domain-compromise story. The reachable population is limited to hosts running a specific Windows agent, and the attacker must already be on the machine with at least low privileges before this matters.

Why not lower?

Local privilege escalation on an endpoint security or management agent is still operationally important because those components sit in trusted positions on the box. Once exploited, the attacker can jump from a weak foothold to SYSTEM and then disable controls or establish durable persistence, so dismissing it as hygiene would understate the damage potential.

1. Harden local execution policy — Use WDAC or AppLocker to restrict unsigned or user-writable binaries and DLLs on endpoints running WatchGuard Agent. This directly raises friction against the malicious-file and process-injection stages of the chain; because the verdict is MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but apply this sooner on admin workstations and jump hosts if already available.
2. Tighten user rights on WatchGuard hosts — Reduce local interactive logon where not needed, remove stale local users, and review who can write to service-adjacent directories. This cuts off the low-privileged foothold and file-placement assumptions the chain relies on; with MEDIUM severity, fold it into normal hardening work while patching inside the 365-day window.
3. Hunt for service tampering — Create detections for WatchGuard service changes, unexpected child processes, suspicious module loads, and abrupt security-agent stoppage. These controls do not fix the bug, but they improve odds of catching abuse if an attacker is already on the host; use them as part of standard monitoring while remediation is scheduled.
4. Prioritize high-value endpoint rings — Move shared admin endpoints, jump boxes, help-desk systems, and any Windows servers running the agent into the earliest upgrade ring. Even without a formal mitigation SLA, those systems amplify the value of a local SYSTEM escalation and deserve earlier treatment than ordinary user laptops.

Run this on the target Windows host or through your EDR/RMM remote shell. Invoke with powershell.exe -ExecutionPolicy Bypass -File .\check-watchguard-agent-cve-2026-6787.ps1; no admin rights are usually required for registry reads, but elevated rights help if you want to expand it later to inspect service paths.

# check-watchguard-agent-cve-2026-6787.ps1

# Purpose: Detect whether WatchGuard Agent for Windows is vulnerable to CVE-2026-6787 based on installed version.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'
$fixedVersion = [version]'1.25.3.0'

function Get-WGAgentVersion {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $hits = foreach ($path in $paths) {
        Get-ItemProperty $path | Where-Object {
            $_.DisplayName -match 'WatchGuard Agent'
        } | Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    }

    if ($hits) {
        $best = $hits | Where-Object { $_.DisplayVersion } | Select-Object -First 1
        if ($best -and $best.DisplayVersion) {
            return $best.DisplayVersion
        }
    }

    # Fallback: inspect common service binary paths if uninstall entry was not found

    $candidatePaths = @(
        'C:\Program Files\WatchGuard\*\*.exe',
        'C:\Program Files (x86)\WatchGuard\*\*.exe'
    )

    foreach ($pattern in $candidatePaths) {
        $file = Get-ChildItem -Path $pattern -Recurse -File | Select-Object -First 1
        if ($file) {
            return $file.VersionInfo.ProductVersion
        }
    }

    return $null
}

$rawVersion = Get-WGAgentVersion

if (-not $rawVersion) {
    Write-Output 'UNKNOWN: WatchGuard Agent not found or version could not be determined.'
    exit 2
}

# Normalize 4-part version like 1.25.03.0000 -> 1.25.3.0

try {
    $normalized = ($rawVersion -replace '^v','').Trim()
    $parts = $normalized.Split('.')
    while ($parts.Count -lt 4) { $parts += '0' }
    $parts = $parts[0..3] | ForEach-Object { [int]$_ }
    $installedVersion = [version]::new($parts[0], $parts[1], $parts[2], $parts[3])
}
catch {
    Write-Output "UNKNOWN: Found WatchGuard Agent version '$rawVersion' but failed to parse it."
    exit 2
}

if ($installedVersion -lt $fixedVersion) {
    Write-Output "VULNERABLE: WatchGuard Agent version $installedVersion is older than fixed version $fixedVersion."
    exit 1
}
else {
    Write-Output "PATCHED: WatchGuard Agent version $installedVersion is at or above fixed version $fixedVersion."
    exit 0
}

Sources

1. WatchGuard advisory WGSA-2026-00013
2. NVD entry for CVE-2026-6787
3. CVE.org record for CVE-2026-6787
4. NVD entry for CVE-2026-6788
5. CISA Known Exploited Vulnerabilities Catalog
6. Government of Canada alert on WatchGuard advisories
7. WatchGuard Agent supported operating systems
8. Tenable CVE page mirroring EPSS for CVE-2026-6787