HIGH | CVE-2026-10847 | CNA: checkpoint

CVE-2026-10847: Local Privilege Escalation vulnerability in Check Point Identity Agent Full for Windows OS

A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS. An authenticated local user may be able to execute arbitrary code with SYSTEM privileges due to improper handling of executable resolution during the log collection process. Successful exploitation could allow an attacker to gain elevated privileges on the affected Windows endpoint.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS. An authenticated local user on the affected host can exploit improper executable resolution during the log collection process to run arbitrary code with SYSTEM privileges, requiring no network access and no interaction from another user. Successful exploitation gives the attacker full control over the affected Windows endpoint, including read and write access to all data and the ability to disrupt any running service. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-10847 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Windows-based container images that bundle the Check Point Identity Agent Full package. Any image carrying an affected version of the agent is flagged automatically in the customer registry and pipeline scan results.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.8 HIGH using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. The finding is dispatched to the appropriate team inbox within each customer organization based on configured ownership rules for the affected image or workload.

Status: Available

Patch

No upstream fix version has been published for this CVE. HarborGuard re-evaluates the Check Point advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed version of the Identity Agent package is released upstream. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without requiring manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to attempt exploitation; no administrative credentials are needed.

  • Victim interaction: Not required

    No action from another user is required; the attacker can trigger the vulnerable log collection path entirely on their own.

  • Attack complexity: Detail

    The CVSS vector rates attack complexity as Low (AC:L): the exploit is reliable and condition-free, with no race conditions, special memory layout, or environmental dependencies noted.

Blast Radius

  • The attacker executes arbitrary code under the SYSTEM account, gaining the highest privilege level on the Windows endpoint.
  • All files, credentials, and secrets stored on the host become readable, including those belonging to other users and services.
  • The attacker can modify, overwrite, or delete any persisted data on the endpoint, including security tooling and audit logs.
  • Any running service on the host can be stopped or replaced, disrupting endpoint availability and any workload dependent on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10847 is active across all customer environments scanning images that include Check Point Identity Agent Full for Windows OS. Because no upstream fix version exists at this time, HarborGuard monitors the Check Point advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a fixed package version is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will follow without manual steps.

While no patch is available, compensating controls worth considering include:

  • restricting local user accounts on endpoints running the agent to the minimum required set;
  • applying network-policy isolation to limit lateral movement if an endpoint is compromised;
  • using application-control policies to restrict which processes can invoke the Identity Agent log collection path.

Where compliance policy permits, HarborGuard can flag all images carrying affected Identity Agent versions for expedited review so affected workloads are prioritized in manual triage queues.

Affected packages
  • checkpoint / Identity Agent
    Versions prior to 81.087.0000
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H