What happened
A privilege-escalation vulnerability in the Check Point Harmony SASE Windows client affecting versions prior to 12.2 allows a local attacker to escalate privileges by writing or deleting files outside the intended certificate working directory. Tracked as CVE-2025-9142, the flaw exists in the Perimeter81.Service.exe component, which runs with SYSTEM privileges, and stems from insufficient validation of JWT (JSON Web Token) values during authentication. When a user initiates the login flow through a URI handler, a specially crafted perimeter81:// URL with a tampered JWT containing directory traversal sequences can lead to undesired file writes or deletions. The issue was publicly disclosed on January 14, 2026, and Check Point released a fix in version 12.2 on November 18, 2025.Â
Who is affected
Organizations and users running Check Point Harmony SASE Windows client versions earlier than 12.2 are directly affected by this privilege-escalation vulnerability. The impact is limited to local attackers with access to the affected endpoint, and exploitation could result in unauthorized system-level actions.Â
Why CISOs should care
This issue demonstrates a flaw in the authentication and token handling logic of a widely used secure access client, where improper JWT validation can allow local attackers to gain elevated privileges on Windows systems. Identifying and remediating such vulnerabilities is relevant to maintaining the integrity of endpoint security posture, especially where SASE clients operate with high privileges.Â
3 practical actions
Apply vendor update. Upgrade all Harmony SASE Windows clients to version 12.2 or later to remediate CVE-2025-9142.Â
Restrict local access. Limit local user access to systems running the vulnerable client to reduce the potential for local privilege escalation.Â
Verify client versions. Audit enterprise endpoints to identify any Harmony SASE Windows client installations below version 12.2 and prioritize their patching.Â