Check Point's Harmony SASE (Secure Access Service Edge) Windows client software has a critical privilege-escalation vulnerability that affects versions before 12.2 This article explores services cybersecurity malware. . The vulnerability, known as CVE-2025-9142, permits local attackers to add or remove files outside of the intended certificate working directory, potentially resulting in system-level compromise.

The Perimeter81 software's Service component (Perimeter81.Service.exe), which runs with SYSTEM privileges, contains the vulnerability. Learn more Tools for ethical hacking Tools for remote access Consulting services for cybersecurity Malware elimination service software development Penetration testing services macOS security software firewall Hacker tools guide Cyberattack prevention software The flaw stems from insufficient validation of JWT (JSON Web Token) values during authentication.

Product Affected Versions Severity CVE-2025-9142 Windows Client for Harmony SASE Under 12.2 Medium The JWT token is sent to the service via an IPC call when users start the Perimeter81 login process through a URI handler, but it is processed without appropriate signature verification. A malicious actor can use a tampered JWT with directory traversal sequences (../../../) in the tenant ID field to create a specially crafted perimeter81:// URL. This gets past authentication controls and gets to the local service component, which processes the token without first validating it.

Chain of Technical Attacks There are two separate stages to the exploitation chain. Initially, a rogue authentication domain is registered by the attacker; notably, p81-falcon.com was registered at the time of discovery. The client's whitelist validation is successful for this domain.

The adversary can force the Perimeter81 service to create folder structures outside of the intended location by using the JWT manipulation, which permits directory traversal. Symbolic link injection is used in the second stage. Client certificates are written to the attacker-controlled working directory with SYSTEM privileges when the GenerateAndLoadCertificates() function runs.

Learn more Software for data security Software for endpoint detection and response Firewall hardware security modules Reaction to an incident Planning manuals Digital forensics tools Cybersecurity Malware Cybersecurity training courses Data security solutions By exploiting Windows Object Manager and RPC Control directory symlinks, an attacker can redirect certificate writes to arbitrary system locations such as C:\Windows\System32. Symlink Attack(source : amberwolf) Exploitation Impact This primitive enables attackers to overwrite critical system files or inject malicious DLLs.

The service was trying to load missing DLLs from its working directory, according to process monitoring. The output of missing DLLs is displayed by Procmon Trace (source: amberwolf). Attackers can escalate to SYSTEM-level access by inserting a malicious DLL at these anticipated locations, which will allow them to run code when the Perimeter81 service restarts.

The inability of the service's file-handling logic to impose stringent trust boundaries between user input and privileged operations exacerbates the vulnerability. On March 16, 2025, Check Point was informed of the vulnerability; on November 18, 2025, a fix was released in version 12.2. On January 14, 2026, the CVE was made public. To reduce the risk of local privilege escalation attacks, organizations that use Harmony SASE must update to version 12.2 or later right away.

The Amberwolf advisory states that organizations should deploy Harmony SASE agent version 12.2 or later right away. To stop unwanted DLL injection attacks, limit local administrative access and use application whitelisting. For daily cybersecurity updates, check LinkedIn and X.

To have your stories featured, get in touch with us.