CVE-2025-8304 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in Check Point Identity Agent's Multi User Host Agent component running on Windows Terminal Servers. The issue arises because sensitive security policy information for different users is stored in Windows Registry keys in a manner that allows an authenticated local user to read data belonging to other users. This flaw enables an attacker with low-level privileges on the terminal server to obtain information that could be used to claim or impersonate the security policy rules of other users, potentially bypassing intended access controls. The vulnerability does not require user interaction and has a CVSS 3.1 base score of 6.5, reflecting medium severity. The attack vector is local (AV:L), requiring low privileges (PR:L), with low attack complexity (AC:L), and no user interaction (UI:N). The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s own privileges. The impact is primarily on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). No known public exploits exist yet, but the vulnerability poses a risk in environments where multiple users share terminal servers and rely on Check Point Identity Agent for identity and policy enforcement. The vendor has not yet published patches, so mitigation must rely on access controls and monitoring until updates are available.

For European organizations, especially those operating Windows Terminal Servers with Check Point Identity Agent Multi User Host Agent versions below 81.084.0000, this vulnerability presents a risk of unauthorized disclosure of sensitive security policy information. Attackers with authenticated local access could leverage this information to impersonate other users’ security policies, potentially gaining unauthorized access to protected resources or bypassing security controls. This could lead to data breaches, compliance violations (e.g., GDPR), and erosion of trust in identity and access management systems. Organizations in sectors with high security requirements such as finance, healthcare, and government are particularly at risk. The impact is limited to confidentiality and requires local access, so remote exploitation is not feasible without prior compromise. However, in shared terminal server environments common in European enterprises, the risk of insider threats or lateral movement by attackers is significant. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is publicly known.

1. Upgrade Check Point Identity Agent Multi User Host Agent to version 81.084.0000 or later as soon as patches become available from the vendor. 2. Until patches are released, restrict local access to Windows Terminal Servers to trusted personnel only and enforce strict access controls and monitoring. 3. Implement enhanced auditing and logging of registry access on terminal servers to detect unauthorized attempts to read sensitive keys. 4. Use Windows security features such as registry permissions and AppLocker to limit access to the registry keys used by Check Point Identity Agent. 5. Employ endpoint detection and response (EDR) solutions to monitor for suspicious local activity indicative of privilege escalation or policy impersonation attempts. 6. Educate administrators and users about the risk of local credential compromise and enforce strong authentication and session management policies on terminal servers. 7. Regularly review and harden terminal server configurations to minimize attack surface and isolate user sessions where possible. 8. Coordinate with Check Point support for any interim workarounds or configuration changes that can reduce exposure.