Check Point Harmony Flaw Allows Local Users to Gain SYSTEM Privileges on Windows

A serious local privilege escalation vulnerability was discovered in the Check Point Harmony SASE agent for Windows, rooted in the way the software handles certificate directories based on unvalidated input. This flaw allowed an attacker with local access to gain elevated privileges by abusing the service’s certificate generation logic.

What’s Going On?

The core of the issue lies in how the Perimeter81 service component—which runs with SYSTEM privileges—processes JWT tokens supplied during the login flow. Specifically, the service uses the tenant name from the JWT to form a working directory path for certificate operations. However, the service does not verify the JWT signature locally, meaning a malicious actor could craft a token with a manipulated tenant name containing directory traversal sequences.

By doing this, the attacker influences where the service reads and writes files during certificate cleanup and generation. Because the service runs at the highest privilege level, this opens the door to file system abuse outside intended boundaries.

How the Flaw Works

Here’s the sequence that makes this vulnerability exploitable:

Login Flow & URI Handler:
The Harmony agent’s login flow involves a perimeter81:// URI handler that hands off from a browser to the local Perimeter81.exe client. The UMA (Unified Module Architecture) includes valid host checks, but the problematic part isn’t the endpoint check—it’s how tenant data from JWT tokens are used afterward.
Unsafe JWT Parsing:
The local service reads the tenantId from the JWT without verifying its signature. A crafted token with something like ../../../../../../../../sleep as the tenant ID causes the application to traverse up the directory tree when establishing the working directory.
Certificate Folder Cleanup:
The agent uses this working directory in functions such as CleanCertFolder(). Because the directory path is attacker-controlled, SYSTEM ends up deleting or enumerating files outside the intended scope.
Certificate Generation:
When certificates are generated, the service writes keys and certificates as SYSTEM into the same attacker-controlled directory. This means the attacker can redirect these writes to arbitrary locations using symbolic links, potentially planting files with system privileges. This step fully enables local privilege escalation by placing crafted files—like DLLs—into sensitive system folders.

Exploitation Potential

In practical exploitation, these steps can be chained:

Precreate the directory defined by the traversal string
Trigger the login flow to start certificate operations
Remove and replace the directory with an Object Manager symlink pointing to a system target
Serve crafted certificate responses to write attacker-controlled data into privileged locations

This sequence essentially gives an attacker a SYSTEM-level shell on the machine, and a proof-of-concept exploit was automated to demonstrate it.

Affected Versions

Identified in Harmony_SASE_11.5.0.2501
The vulnerability was reported in March 2025
Check Point fixed it in version 12.2 (released 18 November 2025)
CVE-2025-9142 was published on 14 January 2026

Mitigation

The only reliable mitigation is to upgrade the Harmony SASE agent to version 12.2 or later, which resolves this directory traversal and privilege escalation flaw.

Note that the exploit required registering a domain that mimicked an authorized hostname for the agent. This domain was reclaimed during the patching window to reduce risk between discovery and the fix release.