A significant vulnerability in Check Point's Harmony SASE Windows client lets local attackers obtain SYSTEM-level privileges. This article examines the flaw in the client's Perimeter81 service. The problem, tracked as CVE-2025-9142, arises from inadequate validation in certificate processing and affects versions lower than 12.2.
Overview of Vulnerabilities
The vulnerability lies in the Perimeter81 service component, which runs with SYSTEM privileges. A local attacker can trigger directory traversal by manipulating the tenant name in a JWT passed via IPC or the URI handler. By supplying a path such as "../../../../../../../../../sleep", the attacker makes the service write or remove files outside its intended folder, for example C:\sleep. Check Point rates this as medium severity; the advisory was last updated January 14, 2026.
Symptoms include unauthorized file operations during login flows, where Perimeter81.exe takes over from the browser via perimeter81:// URIs.
The client checks for permitted domains, such as variations of sase.checkpoint.com or perimeter81.com, but does not properly verify JWT signatures. The authentication logic lacks strict trust boundaries: the SaferVPN.Core.Sdp.SdpCertificates class takes a user-supplied WorkingDirectory from the JWT's tenantId field without any signature check.
Figure: Structure of URI (Source: Check Point)
GenerateAndLoadCertificates() writes private keys, CSRs, and certificates to that directory as SYSTEM, while functions such as CleanCertFolder() list and remove files in the same path. Where such a domain is publicly available, attackers register one, such as p81-falcon.com, to host a phony authentication server. They craft signed-looking JWTs containing traversal payloads, encode them into URIs, and initiate IPC calls. Once the service processes the invalid path, it provides primitives for arbitrary writes or deletions.
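The root cause described above is two missing checks: the JWT's signature is never verified, and the tenantId it carries is joined onto a certificate folder with no containment check. The following is an added example, not code from Check Point, the Harmony SASE agent, or the original article. It shows the flawed join beside a hardened version that verifies the token first, allow-lists the tenant identifier, canonicalises with Windows path semantics, and proves the result stays under the base folder. CERT_BASE, the DNS-label allow-list for tenant ids, the HS256 shared key and every function name are assumptions; ntpath is used so the Windows path logic runs identically on any host.

```python
import base64
import hashlib
import hmac
import json
import ntpath
import re

# Assumption: the folder the service is meant to confine certificate files to.
# The agent's real certificate path is not given in the article; this is a placeholder.
CERT_BASE = r"C:\ProgramData\ExampleAgent\certs"

# Assumption: tenant identifiers look like DNS labels (letters, digits, hyphens).
# Anything else, including '.', '/', '\\' and '..', is rejected before path handling.
TENANT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")


class TokenError(ValueError):
    """Raised when a JWT fails structural or signature checks."""


class TenantPathError(ValueError):
    """Raised when a tenant id would place the working directory outside CERT_BASE."""


def naive_working_directory(tenant_id: str, base: str = CERT_BASE) -> str:
    """The flawed pattern the article describes: join whatever tenant id arrives.
    A payload such as ../../../../../../../../../sleep collapses to C:\\sleep."""
    return ntpath.normpath(ntpath.join(base, tenant_id))


def working_directory_for(tenant_id: str, base: str = CERT_BASE) -> str:
    """Hardened version: allow-list the identifier, canonicalise with Windows path
    semantics, then prove the resolved path still lies under the base folder."""
    if not TENANT_ID_RE.fullmatch(tenant_id):
        raise TenantPathError(f"tenant id rejected by allow-list: {tenant_id!r}")
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, tenant_id))
    # Containment check: defence in depth in case the allow-list is ever loosened.
    if not candidate.lower().startswith(base_norm.lower() + "\\"):
        raise TenantPathError(f"resolved path escapes base folder: {candidate}")
    return candidate


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Test fixture: mint an HS256 JWT so the verifier can be exercised offline.
    Assumption: a shared HMAC key stands in for whatever the real identity provider uses."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verified_claims(token: str, key: bytes) -> dict:
    """Return the payload only after the signature checks out; never trust claims first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; rejects "none" and downgrades
        raise TokenError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def working_directory_from_token(token: str, key: bytes, base: str = CERT_BASE) -> str:
    """Signature verification first, then allow-list and containment on tenantId."""
    tenant = verified_claims(token, key).get("tenantId")
    if not isinstance(tenant, str):
        raise TenantPathError("tenantId claim missing or not a string")
    return working_directory_for(tenant, base)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed, not a real secret
    print(naive_working_directory("../../../../../../../../../sleep"))  # C:\sleep
    print(working_directory_from_token(sign_token({"tenantId": "acme-corp"}, demo_key), demo_key))
```

The order matters: claims are only read after the signature verifies, so a token minted under an attacker-controlled domain never reaches the path logic, and even a valid token cannot steer the working directory outside CERT_BASE. A production verifier would additionally check expiry, issuer and audience claims.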
Steps in Exploitation
Exploitation follows a specific order. First, create the target directory in advance.
Invoke the URI handler with a manipulated JWT to begin the certificate flow and postpone the rogue server's CSR response. Using Procmon traces to time a symlink swap, replace the directory with an RPC Control-backed junction that points client.crt to a target such as C:\Windows\System32\newfile.dll. Serve attacker-controlled content as base64 certificates.
When Perimeter81 restarts, the SYSTEM service writes the file, potentially loading malicious DLLs like hostafxr.dll. A proof-of-concept video uses an automated named pipe connection, a local web server, and symlink timing to pop a SYSTEM shell. Microsoft patches such as CVE-2024-38014 block older OpLock tricks, but symlinks remain usable.
Exploitation Primitive | Description | Impact
Directory Traversal | JWT tenantId sets arbitrary WorkingDirectory | Arbitrary deletion via CleanCertFolder()
Symlink Reparse | RPC Control junction on client.crt | SYSTEM writes to selected paths
DLL Hijacking | Place fake DLL in service load path | Code execution on restart

Tested on Harmony SASE 11.5.0.2501; all versions below 12.2 are vulnerable. The client lists 40+ allowed environments, including QA hosts like splinter.saseqa.checkpoint.com, but attackers bypass this via unverified JWTs. No remote exploitation is possible; local access suffices, assuming the agent is running.
Figure: Procmon Trace – Directory Traversal (Source: Check Point)
Check Point advises upgrading to Harmony SASE Windows Agent 12.2 or later via sk182466. The SK article (sk184557) details symptoms, cause, and fix. The researcher returned p81-falcon.com to aid patching, and TLS certificates now block recreating the rogue server setup.
Apply updates immediately from Check Point support. Monitor for anomalous perimeter81:// invocations or Procmon hits on Perimeter81.Service.exe accessing unexpected paths. Disable URI handlers if unused.
Enterprises should scan endpoints running agent 11.x for signs of traversal attempts, such as odd certificate folders. This flaw highlights a general SASE client risk: privileged services that process web-derived inputs without validation invite escalation. While domain controls limit replication in the wild, the low barrier for local attackers underscores the need for agent hardening. Check Point's quick patch shows a solid response, but similar JWT flows elsewhere deserve an audit.
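The monitoring advice above (Procmon hits on Perimeter81.Service.exe touching unexpected paths, odd certificate folders on 11.x endpoints) can be turned into a simple triage script. The following is an added example, not code from Check Point or the original article. It parses a Procmon CSV export and flags every file create, write, rename or delete by the service that lands outside the expected certificate folder. CERT_BASE is an assumed placeholder for that folder, the column names follow Procmon's CSV export layout as assumed here, and the trace rows are constructed to mirror the traversal and symlink outcomes the article describes (a delete under C:\sleep and a write to C:\Windows\System32\newfile.dll).

```python
import csv
import io
import ntpath

# Assumption: the only folder the service should create, write or delete files in.
# Placeholder path; the agent's real certificate folder is not given in the article.
CERT_BASE = r"C:\ProgramData\ExampleAgent\certs"
SERVICE_PROCESS = "Perimeter81.Service.exe"

# Procmon operations that create, write, rename or delete files. A delete appears in a
# Procmon trace as SetDispositionInformationFile with "Delete: True" in the Detail column.
FILE_OPS = {"CreateFile", "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}

# Constructed sample trace in Procmon's CSV export layout (column names assumed).
# Rows 1-2 are normal certificate writes; rows 3-4 mimic the traversal and symlink
# outcomes the article describes; rows 5-6 are noise from another process / a registry op.
SAMPLE_TRACE = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","Perimeter81.Service.exe","1234","CreateFile","C:\ProgramData\ExampleAgent\certs\acme-corp\client.csr","SUCCESS","Desired Access: Generic Write"
"10:01:02.0000002","Perimeter81.Service.exe","1234","WriteFile","C:\ProgramData\ExampleAgent\certs\acme-corp\client.key","SUCCESS","Offset: 0, Length: 1704"
"10:01:03.0000003","Perimeter81.Service.exe","1234","SetDispositionInformationFile","C:\sleep\client.crt","SUCCESS","Delete: True"
"10:01:04.0000004","Perimeter81.Service.exe","1234","WriteFile","C:\Windows\System32\newfile.dll","SUCCESS","Offset: 0, Length: 4096"
"10:01:04.0000005","explorer.exe","4321","CreateFile","C:\sleep\notes.txt","SUCCESS","Desired Access: Read Attributes"
"10:01:05.0000006","Perimeter81.Service.exe","1234","RegQueryValue","HKLM\SOFTWARE\ExampleAgent\Version","SUCCESS","Type: REG_SZ"
"""


def path_is_contained(path: str, base: str = CERT_BASE) -> bool:
    """Case-insensitive containment test using Windows path semantics on any host.
    The trailing separator stops a sibling such as certs-evil from matching."""
    base_norm = ntpath.normpath(base).lower()
    return ntpath.normpath(path).lower().startswith(base_norm + "\\")


def find_out_of_scope_file_ops(trace_csv: str, base: str = CERT_BASE) -> list[dict]:
    """Return every file create/write/rename/delete by the service outside the base folder."""
    findings = []
    for row in csv.DictReader(io.StringIO(trace_csv.strip())):
        if row["Process Name"] != SERVICE_PROCESS or row["Operation"] not in FILE_OPS:
            continue
        if path_is_contained(row["Path"], base):
            continue
        findings.append({
            "time": row["Time of Day"],
            "operation": row["Operation"],
            "path": ntpath.normpath(row["Path"]),
            "detail": row["Detail"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_out_of_scope_file_ops(SAMPLE_TRACE):
        print(f"{hit['time']} {hit['operation']:<32} {hit['path']}  ({hit['detail']})")
```

Run against a real export with `find_out_of_scope_file_ops(open("trace.csv").read())`. Any hit on a pre-12.2 agent is worth a closer look, and a SetDispositionInformationFile with "Delete: True" outside the certificate folder matches the CleanCertFolder() deletion primitive described above.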