Check Point security advisory (AV26-590)
Analysis Summary
# Vulnerability: Check Point Identity Agent Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-10847
- **CVSS Score:** Not explicitly listed in the advisory summary (Typically High for Privilege Escalation)
- **CWE:** CWE-269 (Improper Privilege Management) / Local Privilege Escalation
## Affected Systems
- **Products:** Check Point Identity Agent
- **Versions:** All versions prior to 81.087.0000
- **Configurations:** Systems running the Identity Agent client on Windows/Endpoint environments where local users have access.
## Vulnerability Description
CVE-2026-10847 is a Local Privilege Escalation (LPE) vulnerability in the Check Point Identity Agent. The flaw typically involves the way the agent handles internal processes or file system permissions, allowing a low-privileged local attacker to execute code or elevate their rights to those of a higher-privileged user (such as SYSTEM) and potentially compromise the entire host.
## Exploitation
- **Status:** Vulnerability confirmed by vendor.
- **Complexity:** Low to Medium (Requires local access).
- **Attack Vector:** Local (The attacker must already have access to the target system to exploit this flaw).
## Impact
- **Confidentiality:** High (Full access to system files).
- **Integrity:** High (Ability to modify system configurations and binaries).
- **Availability:** High (Ability to disable security services or crash the system).
## Remediation
### Patches
- **Identity Agent version 81.087.0000** or higher contains the fix for this vulnerability. Administrators should deploy the updated agent to all endpoints.
### Workarounds
- There are no primary workarounds that maintain full functionality; upgrading to the patched version is the recommended course of action.
- Restrict local login access to trusted users only to reduce the attack surface.
## Detection
- **Indicators of compromise:** Monitor for unusual child processes spawning from the Identity Agent service (e.g., `cmd.exe` or `powershell.exe` running under SYSTEM context initiated by the agent).
- **Detection methods and tools:** Use Endpoint Detection and Response (EDR) tools to audit privilege escalation attempts and monitor file integrity in the Identity Agent installation directory.
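
The child-process indicator above can be combined with the fixed-version threshold to prioritise alerts. The following is an added example, not code from the advisory or from Check Point: the event field names, host names, paths and the agent binary name `identity-agent-placeholder.exe` are assumptions (the page does not name the agent's executable), and the sample events are constructed.

```python
SHELLS = {"cmd.exe", "powershell.exe"}          # children named in the Detection section
AGENT_IMAGE = "identity-agent-placeholder.exe"  # PLACEHOLDER: agent binary name is not on the page
FIXED = "81.087.0000"                           # first fixed version per the Remediation section

def vtuple(version):
    """Turn '81.087.0000' into (81, 87, 0) so fields compare numerically."""
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(version):
    return vtuple(version) < vtuple(FIXED)

def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events, inventory):
    """Alert on SYSTEM shells whose parent is the agent.
    events: process-creation records; inventory: host -> installed agent version."""
    alerts = []
    for e in events:
        if (basename(e["parent_image"]) != AGENT_IMAGE
                or basename(e["image"]) not in SHELLS
                or e["user"].upper() != r"NT AUTHORITY\SYSTEM"):
            continue
        version = inventory.get(e["host"])
        # A host missing from inventory is treated as unpatched until proven otherwise.
        unpatched = version is None or is_vulnerable(version)
        alerts.append({"host": e["host"], "image": basename(e["image"]),
                       "agent_version": version,
                       "priority": "high" if unpatched else "review"})
    return alerts

# Constructed sample data (not real telemetry); paths and hosts are made up.
INVENTORY = {"ws-01": "81.086.0000", "ws-02": "81.087.0000"}
EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Agent\identity-agent-placeholder.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "ws-02", "parent_image": r"C:\Agent\identity-agent-placeholder.exe",
     "image": r"C:\Windows\System32\powershell.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "ws-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice"},
    {"host": "ws-03", "parent_image": r"C:\Agent\Identity-Agent-Placeholder.EXE",
     "image": r"C:\Windows\System32\PowerShell.EXE", "user": r"nt authority\system"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS, INVENTORY):
        print(alert)
```

Replace the placeholder image name and the event field names with the values your EDR or process-creation log source actually records before using the logic.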
## References
- **Vendor Advisory:** hxxps[://]support[.]checkpoint[.]com/results/sk/sk185052
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/check-point-security-advisory-av26-590