A critical privilege-escalation vulnerability has been discovered in Check Point’s Harmony SASE (Secure Access Service Edge) Windows client software,
- Thread starter TuxTalk
- Start date
The attack leverages the Perimeter81.Service.exe component, which executes with SYSTEM privileges.
MITRE ATT&CK Mapping
T1068
Exploitation for Privilege Escalation.
T1574.002
Hijack Execution Flow: DLL Side-Loading.
T1202
Indirect Command Execution.
The Vulnerability Chain
Authentication Bypass: The client handles perimeter81:// URI schemes. An attacker crafts a URL with a tampered JWT that includes directory traversal sequences (../../../) in the tenant ID field. Because the service fails to verify the JWT signature, it processes the rogue token.
Symlink Injection
The attacker uses a rogue domain (e.g., p81-falcon.com) to pass whitelist checks. When the GenerateAndLoadCertificates() function triggers, it writes data to an attacker-controlled directory. By creating Windows Object Manager symbolic links, the attacker redirects these writes to arbitrary locations like C:\Windows\System32.
Execution
The attacker overwrites a system file or places a malicious DLL in a directory where the service attempts to load missing dependencies. Upon service restart, the malicious code executes as SYSTEM.
Inventory all Windows endpoints running Harmony SASE/Perimeter81 clients below v12.2.
Revoke any local administrative rights that could facilitate the initial setup of symlinks.
TTP & Forensic Indicators
Registry/File Activity
Monitor for creation of symbolic links or junctions targeting C:\Windows\System32 originating from user-writable space.
Domain Alerts
Flag any DNS requests to p81-falcon.com or similar unregistered domains identified in the Amberwolf research.
Detection Engineering
SIEM/KQL Hunting
Query for Perimeter81.Service.exe loading unsigned DLLs or DLLs from non-standard directories.
D3FEND Mapping
Implement "Process Spawn Analysis" and "File Integrity Monitoring" on the Perimeter81 working directory.
Governance
This vulnerability meets criteria for mandatory reporting if exploitation is detected under CISA/CIRCIA guidelines due to the potential for full system compromise on critical infrastructure endpoints.
Update the Harmony SASE/Perimeter81 client to version 12.2 or higher immediately. Do not wait for a scheduled maintenance window.
Identity
Ensure that standard user accounts are used for daily tasks instead of accounts with administrator privileges, as this complicates the initial stages of the exploit.
Persistence
After updating, perform a full system scan with a reputable antivirus provider to ensure no malicious DLLs were successfully "dropped" during a previous potential exploitation window.
CIS Benchmark
Follow "Least Privilege" (L1) controls to ensure local users cannot manipulate system-level directories.
NIST SP 800-207
Apply Zero Trust principles to local IPC (Inter-Process Communication) calls, ensuring all tokens are signed and verified regardless of origin.
Authoritative Links
Check Point Support (sk184557)
Amberwolf Advisory (CVE-2025-9142)
MITRE ATT&CK Mapping
T1068
Exploitation for Privilege Escalation.
T1574.002
Hijack Execution Flow: DLL Side-Loading.
T1202
Indirect Command Execution.
The Vulnerability Chain
Authentication Bypass: The client handles perimeter81:// URI schemes. An attacker crafts a URL with a tampered JWT that includes directory traversal sequences (../../../) in the tenant ID field. Because the service fails to verify the JWT signature, it processes the rogue token.
Symlink Injection
The attacker uses a rogue domain (e.g., p81-falcon.com) to pass whitelist checks. When the GenerateAndLoadCertificates() function triggers, it writes data to an attacker-controlled directory. By creating Windows Object Manager symbolic links, the attacker redirects these writes to arbitrary locations like C:\Windows\System32.
Execution
The attacker overwrites a system file or places a malicious DLL in a directory where the service attempts to load missing dependencies. Upon service restart, the malicious code executes as SYSTEM.
Remediation - THE ENTERPRISE TRACK
Blast Radius & ContainmentInventory all Windows endpoints running Harmony SASE/Perimeter81 clients below v12.2.
Revoke any local administrative rights that could facilitate the initial setup of symlinks.
TTP & Forensic Indicators
Registry/File Activity
Monitor for creation of symbolic links or junctions targeting C:\Windows\System32 originating from user-writable space.
Domain Alerts
Flag any DNS requests to p81-falcon.com or similar unregistered domains identified in the Amberwolf research.
Detection Engineering
SIEM/KQL Hunting
Query for Perimeter81.Service.exe loading unsigned DLLs or DLLs from non-standard directories.
D3FEND Mapping
Implement "Process Spawn Analysis" and "File Integrity Monitoring" on the Perimeter81 working directory.
Governance
This vulnerability meets criteria for mandatory reporting if exploitation is detected under CISA/CIRCIA guidelines due to the potential for full system compromise on critical infrastructure endpoints.
Remediation - THE HOME USER TRACK
SafetyUpdate the Harmony SASE/Perimeter81 client to version 12.2 or higher immediately. Do not wait for a scheduled maintenance window.
Identity
Ensure that standard user accounts are used for daily tasks instead of accounts with administrator privileges, as this complicates the initial stages of the exploit.
Persistence
After updating, perform a full system scan with a reputable antivirus provider to ensure no malicious DLLs were successfully "dropped" during a previous potential exploitation window.
Hardening & References
CIS Benchmark
Follow "Least Privilege" (L1) controls to ensure local users cannot manipulate system-level directories.
NIST SP 800-207
Apply Zero Trust principles to local IPC (Inter-Process Communication) calls, ensuring all tokens are signed and verified regardless of origin.
Authoritative Links
Check Point Support (sk184557)
Amberwolf Advisory (CVE-2025-9142)
I believe there’s no digital wall without cracks—some more visible than others. What matters is remembering that trust should never be blind. 
You may also like...
-
IDrive for Windows Vulnerability Allows Attackers to Escalate Privileges and Gain Unauthorized Access- Started by Brownie2019
- Replies: 7
-
Critical Windows Admin Center Vulnerability Allows Privilege Escalation- Started by Parkinsond
- Replies: 4
-
CVE-2025-13176: Local Privilege Escalation in ESET Inspect EDR- Started by Khushal
- Replies: 1
-
Windows Error Reporting Flaw Allows Attackers to Elevate Privileges
- Started by Brownie2019
- Replies: 14
-
Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access- Started by Divergent
- Replies: 1