Critical Vulnerability in Check Point’s Harmony SASE Windows Client Allows Privilege Escalation
A significant security flaw has been identified in Check Point’s Harmony SASE (Secure Access Service Edge) Windows client software, specifically affecting versions prior to 12.2. This vulnerability, designated as CVE-2025-9142, enables local attackers to manipulate file operations beyond the intended certificate working directory, potentially leading to system-level compromises.
Understanding the Vulnerability
The core of this issue lies within the Service component of the Perimeter81 software (Perimeter81.Service.exe), which operates with SYSTEM privileges. The flaw arises from inadequate validation of JSON Web Token (JWT) values during the authentication process.
In typical operations, when users initiate the Perimeter81 login via a URI handler, the JWT token is transmitted to the service through an inter-process communication (IPC) call. However, due to the absence of proper signature verification, this token can be exploited.
Exploitation Mechanism
The exploitation process involves two primary stages:
1. Rogue Domain Registration and Directory Traversal: An attacker can register a deceptive authentication domain that passes the client’s whitelist validation. By crafting a malicious perimeter81:// URL containing a tampered JWT with directory traversal sequences (e.g., ../../../) in the tenant ID field, the attacker can bypass authentication controls. This manipulation allows the creation of folder structures outside the intended directory.
2. Symbolic Link Injection: The attacker exploits the GenerateAndLoadCertificates() function, which writes client certificates to the attacker-controlled working directory with SYSTEM privileges. By leveraging Windows Object Manager and RPC Control directory symbolic links, the attacker can redirect certificate writes to arbitrary system locations, such as C:\Windows\System32.
Potential Impact
This vulnerability enables attackers to overwrite critical system files or inject malicious dynamic-link libraries (DLLs). Process monitoring has revealed that the service attempts to load missing DLLs from its working directory. By placing a malicious DLL in these expected locations, attackers can execute code upon the Perimeter81 service’s restart, thereby achieving SYSTEM-level access.
The risk is further heightened due to the service’s file-handling logic, which fails to enforce strict trust boundaries between user input and privileged operations.
Timeline and Response
– March 16, 2025: Check Point was notified of the vulnerability.
– November 18, 2025: A fix was released in version 12.2.
– January 14, 2026: The CVE was publicly disclosed.
Recommendations for Mitigation
Organizations utilizing Harmony SASE are strongly advised to:
– Upgrade Immediately: Deploy Harmony SASE agent version 12.2 or later to mitigate the risk of local privilege escalation attacks.
– Restrict Administrative Access: Limit local administrative access to reduce potential attack vectors.
– Implement Application Whitelisting: This measure can prevent unauthorized DLL injection attacks by allowing only approved applications to run.
Staying vigilant and proactive in applying security updates is crucial in safeguarding systems against such vulnerabilities.
