CVE-2025-9142 is a path traversal vulnerability classified under CWE-22 affecting Check Point Harmony SASE Windows Agent versions prior to 12.2. The flaw arises from improper limitation of pathname inputs, allowing a local user to manipulate file operations beyond the intended certificate working directory. Specifically, a local attacker with limited privileges can trigger the client to write or delete files outside the designated directory, potentially overwriting or removing critical system or application files. This can lead to a complete compromise of confidentiality, integrity, and availability (CIA triad) of the affected system. The vulnerability requires local access with limited privileges and some user interaction, and the attack complexity is high due to the need for specific conditions to exploit the path traversal. The scope is broad as it affects all installations of the vulnerable Windows agent versions. Although no public exploits are known at this time, the potential impact includes privilege escalation, disruption of security functions, and unauthorized data manipulation. The vulnerability was reserved in August 2025 and published in January 2026, with a CVSS v3.1 score of 7.5, reflecting high severity. No patch links are currently available, indicating that organizations should monitor vendor updates closely. The vulnerability is particularly critical because it affects a security product designed to protect enterprise endpoints, meaning exploitation could undermine overall network security posture.

For European organizations, the impact of CVE-2025-9142 could be significant, especially for those relying on Check Point Harmony SASE for endpoint security. Exploitation could allow local attackers to bypass security controls by manipulating files critical to the agent’s operation, potentially disabling protections or enabling further privilege escalation. This could lead to unauthorized access to sensitive data, disruption of security monitoring, and increased risk of lateral movement within corporate networks. Sectors such as finance, government, healthcare, and critical infrastructure, which often deploy advanced endpoint security solutions, would be particularly vulnerable. The compromise of endpoint security agents undermines trust in the security infrastructure and could facilitate broader cyberattacks. Additionally, regulatory compliance risks arise if data confidentiality or integrity is breached due to this vulnerability. The requirement for local access somewhat limits the attack surface but does not eliminate risk, especially in environments with many users or shared workstations.

1. Immediately monitor Check Point’s official channels for patches addressing CVE-2025-9142 and apply updates to Harmony SASE Windows Agent version 12.2 or later as soon as they become available. 2. Until patches are released, restrict local user permissions rigorously to minimize the number of users who can execute or interact with the Harmony SASE client. 3. Implement application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous file operations or unauthorized modifications to the certificate working directory. 4. Conduct regular integrity checks on the certificate working directory and related files to detect unauthorized changes. 5. Educate users about the risks of local privilege misuse and enforce strict policies on software installation and execution. 6. Use network segmentation to limit the impact of compromised endpoints and reduce lateral movement opportunities. 7. Employ logging and monitoring focused on file system changes related to the Harmony SASE client to enable rapid incident response.