Check Point Harmony SASE Windows Client Flaw Grants SYSTEM Privileges via JWT Manipulation
A critical vulnerability in Check Point’s Harmony SASE Windows client (CVE-2025-9142) allows local attackers to escalate privileges to SYSTEM by exploiting poor validation in certificate processing. The flaw affects versions below 12.2, with the last update issued on January 14, 2026.
The issue stems from the Perimeter81 service component, which runs with elevated privileges. Attackers can manipulate the tenant name in a JWT token, passed via IPC or URI handlers, to trigger directory traversal. This enables the service to write or delete files outside its intended directory for example, crafting paths like ../../../../../../../../../sleep to target C:\sleep.
The vulnerability arises from inadequate JWT signature verification in the SaferVPN.Core.Sdp.SdpCertificates class, which uses a user-supplied WorkingDirectory from the JWT’s tenantId field without proper validation. Functions like CleanCertFolder() and GenerateAndLoadCertificates() executed as SYSTEM can then delete or write files in arbitrary locations.
Exploitation requires local access and follows a precise sequence:
- Pre-create a target directory (e.g.,
C:\sleep). - Invoke the URI handler (
perimeter81://) with a tampered JWT, delaying a rogue server’s CSR response. - Swap the directory with a symlink (via RPC Control) to redirect writes e.g., replacing
client.crtwith a path likeC:\Windows\System32\newfile.dll. - Serve malicious certificate content, which the SYSTEM service writes, potentially enabling DLL hijacking on restart.
A proof-of-concept (PoC) demonstrates achieving a SYSTEM shell via automated named pipes, local web servers, and symlink timing. While Microsoft patches (e.g., CVE-2024-38014) mitigate older OpLock tricks, symlink-based attacks remain viable.
Impacted versions include Harmony SASE 11.5.0.2501 and all releases below 12.2. The client supports 40+ allowed domains (e.g., perimeter81.com, sase.checkpoint.com), but attackers bypass these controls by forging unverified JWTs. Notably, QA environments (e.g., splinter.saseqa.checkpoint.com) are also vulnerable.
Check Point has released version 12.2 to address the flaw, urging users to upgrade via sk182466. The accompanying SK article (sk184557) details symptoms, root causes, and remediation steps. The researcher behind the discovery returned the domain p81-falcon.com to aid patching, and updated TLS certificates now block rogue server setups.
The flaw underscores risks in SASE clients processing web-derived inputs without strict validation, highlighting the need for privileged service hardening even in local attack scenarios.
Source: https://cyberpress.org/check-point-sase-escalation-flaw/
Check Point Software cybersecurity rating report: https://www.rankiteo.com/company/check-point-software-technologies
"id": "CHE1769604337",
"linkid": "check-point-software-technologies",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Users of Harmony SASE Windows '
'client versions below 12.2',
'industry': 'Cybersecurity',
'name': 'Check Point',
'type': 'Cybersecurity Company'}],
'attack_vector': 'Local Access',
'customer_advisories': 'Users urged to upgrade to Harmony SASE version 12.2 '
'or later.',
'date_resolved': '2026-01-14',
'description': 'A critical vulnerability in Check Point’s Harmony SASE '
'Windows client (CVE-2025-9142) allows local attackers to '
'escalate privileges to SYSTEM by exploiting poor validation '
'in certificate processing. The flaw affects versions below '
'12.2, with the last update issued on January 14, 2026. The '
'issue stems from the Perimeter81 service component, which '
'runs with elevated privileges. Attackers can manipulate the '
'tenant name in a JWT token, passed via IPC or URI handlers, '
'to trigger directory traversal, enabling the service to write '
'or delete files outside its intended directory.',
'impact': {'brand_reputation_impact': 'Moderate (Check Point’s SASE client '
'security flaw)',
'operational_impact': 'Potential SYSTEM-level compromise, enabling '
'arbitrary file writes/deletions and DLL '
'hijacking',
'systems_affected': 'Windows systems running Check Point Harmony '
'SASE client versions below 12.2'},
'investigation_status': 'Resolved',
'lessons_learned': 'The flaw underscores risks in SASE clients processing '
'web-derived inputs without strict validation, '
'highlighting the need for privileged service hardening '
'even in local attack scenarios.',
'post_incident_analysis': {'corrective_actions': 'Released version 12.2 with '
'patched JWT validation, '
'updated TLS certificates to '
'block rogue server setups, '
'and returned the domain '
'`p81-falcon.com` to aid '
'patching.',
'root_causes': 'Inadequate JWT signature '
'verification in the '
'`SaferVPN.Core.Sdp.SdpCertificates` '
'class, allowing user-supplied '
'`tenantId` to manipulate '
'`WorkingDirectory` without proper '
'validation. Functions like '
'`CleanCertFolder()` and '
'`GenerateAndLoadCertificates()` '
'executed as SYSTEM could then '
'delete or write files in arbitrary '
'locations.'},
'recommendations': 'Upgrade to Harmony SASE version 12.2 or later, enforce '
'strict JWT validation, and harden privileged services '
'against directory traversal and symlink attacks.',
'references': [{'source': 'Check Point Security Advisory',
'url': 'https://support.checkpoint.com/sk184557'},
{'source': 'Check Point Patch Release Notes',
'url': 'https://support.checkpoint.com/sk182466'}],
'response': {'communication_strategy': 'Published security advisory (SK '
'article sk184557) detailing symptoms, '
'root causes, and remediation steps',
'containment_measures': 'Check Point released version 12.2 to '
'patch the vulnerability',
'remediation_measures': 'Upgrade to Harmony SASE version 12.2 or '
'later via SK182466'},
'stakeholder_advisories': 'Check Point published SK article sk184557 '
'detailing symptoms, root causes, and remediation '
'steps.',
'title': 'Check Point Harmony SASE Windows Client Flaw Grants SYSTEM '
'Privileges via JWT Manipulation',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'CVE-2025-9142 (JWT manipulation and directory '
'traversal in Perimeter81 service component)'}