Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only attack from an authenticated standard user (AV:L/PR:L), no user interaction or special complexity, and successful hijack yields SYSTEM with full C/I/A impact.
Primary rating from Vendor (checkpoint).
CVSS VectorVendor: checkpoint
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS. An authenticated local user may be able to execute arbitrary code with SYSTEM privileges due to improper handling of executable resolution during the log collection process. Successful exploitation could allow an attacker to gain elevated privileges on the affected Windows endpoint.
AnalysisAI
Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.
Technical ContextAI
Check Point Identity Agent Full is a Windows endpoint client that maps logged-in users to IP addresses for Check Point gateway policy enforcement, typically running with elevated privileges as a Windows service. The vulnerability is categorized as CWE-427 (Uncontrolled Search Path Element), meaning the log-collection routine resolves an executable name without specifying a fully qualified, trusted path or otherwise validating the target binary. On Windows, this class of flaw typically manifests as DLL or EXE hijacking, where a privileged process loads an attacker-controlled binary from a writable directory that appears earlier in the search order than the legitimate one.
RemediationAI
Patch available per vendor advisory - consult Check Point sk185052 at https://support.checkpoint.com/results/sk/sk185052 for the fixed Identity Agent Full build and upgrade all Windows endpoints accordingly; exact fix version is not disclosed in the provided input. As compensating controls until patches are deployed, restrict local interactive logon on endpoints running Identity Agent to trusted users (limits the local foothold prerequisite), audit and remove write permissions for non-admin users on directories that appear in the SYSTEM PATH or in the Identity Agent installation path (mitigates planting of a hijack binary), and monitor process-creation telemetry for the Identity Agent service spawning unexpected children, especially during log-collection cycles. Side effects: tightening PATH/directory ACLs may break poorly written third-party installers that rely on world-writable program directories.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36247
GHSA-phqv-gxhh-jc8p