203 matches found

CheckPoint Security • added 6 days ago • 18 views

CVE-2026-50752 VPN site to site certificate bypass vulnerability in deprecated IKEv1 key exchange

Symptoms - A vulnerability in the certificate validation logic of the deprecated IKEv1 key exchange method may lead to a man-in-the-middle attack on the VPN site-to-site configuration. This vulnerability was discovered by Check Point security research team. There are no reported exploits of this...

CVSS 7.4 • AI score 5.8 • EPSS 0.00031 • Exploits 0

CheckPoint Security • added 2026/06/04 12:0 a.m. • 8 views

CVE-2026-50751 - User Authentication bypass on VPN Remote Access and Mobile Access in deprecated IKEv1 key exchange

Symptoms - An attacker can bypass user authentication by exploiting a logic flow weakness in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password. Check Point is aware of this vulnerability being exploited in the wil...

CVSS 9.3 • AI score 5.9 • EPSS 0.11841 • Exploits 4

CheckPoint Security • added 2026/05/24 12:0 a.m. • 7 views

CVE-2026-48136 - Authenticated Administrator Role-Based Access Control Bypass in Compliance

Symptoms - When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain CMA can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access...

CVSS 4.1 • AI score 5.8 • EPSS 0.00056 • Exploits 0

CheckPoint Security • added 2026/05/24 12:0 a.m. • 6 views

CVE-2026-48133 Identity Awareness Captive Portal - Unauthenticated Local File Inclusion

Symptoms - When the Identity Awareness blade is enabled with Browser-Based Authentication, an unauthenticated user may be able to read certain internal files on the Security Gateway. - This issue affects: R82.10 with Jumbo Hotfix Take 6 or below R82 with Jumbo Hotfix Take 91 or below R81.20 with...

CVSS 7.5 • AI score 5.5 • EPSS 0.00126 • Exploits 0

CheckPoint Security • added 2026/05/23 12:0 a.m. • 22 views

CVE-2026-48135 - HTTP service can incorrectly process malformed HTTP requests

Cause An input-handling issue in the HTTP request processing path. Symptoms - A Check Point HTTP-based service, such as Mobile Access Portal or Identity Awareness Portals except for Captive Portal, can incorrectly handle malformed HTTP requests. Gaia Portal is not affected by this issue. - The...

CVSS 5.3 • AI score 5.6 • EPSS 0.00081 • Exploits 0

CheckPoint Security • added 2026/05/20 12:0 a.m. • 41 views

CVE-2026-48131 - VPND IKE Fragment Reassembly - Heap Out-of-Bounds Write via Sequence Number Zero

Symptoms - The VPN service may mishandle an unexpected IKE fragment value received on the IKE port (500/UDP) during the early stage of a connection attempt. This can cause the service to terminate unexpectedly, resulting in denial of service (temporary disruption of VPN-related functionality). - The...

CVSS 8.1 • AI score 5.5 • EPSS 0.00024 • Exploits 0

CheckPoint Security • added 2026/05/20 12:0 a.m. • 8 views

CVE-2026-48134 - SQL injection issue in UserCheck Portal when DLP is active

Symptoms - When the DLP is active, the UserCheck Web Portal contains an input-handling issue in the UserChoice flow. Under specific conditions, an attacker who can access the UserCheck Ask page could attempt to manipulate the Security Gateway's stored DLP/UserCheck incident information. This coul...

CVSS 5.6 • AI score 5.4 • EPSS 0.00075 • Exploits 0

CheckPoint Security • added 2026/05/20 12:0 a.m. • 14 views

CVE-2026-48132 - VPN service may restart unexpectedly when processing IKE traffic over NAT-T 4500/UDP

Symptoms - The Security Gateway does not correctly validate a length value in certain IKE packets when NAT-T is used (4500/UDP). As a result, a specially crafted or malformed packet can cause the VPN processing service to terminate unexpectedly, leading to denial of service (temporary interruption o...

CVSS 8.1 • AI score 5.4 • EPSS 0.00072 • Exploits 0

CheckPoint Security • added 2026/01/13 12:0 a.m. • 16 views

Check Point Response to CVE-2025-9142 - Harmony SASE Windows Client Vulnerability

Cause The authentication and file-handling logic does not enforce strict trust boundaries. Under specific conditions, the system fails to validate data during certificate processing before using it in a privileged service component. Symptoms - A local attacker can trigger Harmony SASE Windows...

CVSS 7.5 • AI score 5.5 • EPSS 0.00007 • Exploits 0

CheckPoint Security • added 2025/08/12 12:0 a.m. • 18 views

Check Point Response to CVE-2025-3831 - Exposed SFTP server

Cause The agent used a shared SFTP key embedded in the software to upload diagnostic logs. The key was granted permission to read and list files on the server, rather than restricted to upload-only access. As a result, anyone possessing the key could access log files uploaded by other customers...

CVSS 9.8 • AI score 7 • EPSS 0.00276 • Exploits 0

CheckPoint Security • added 2025/06/08 12:0 a.m. • 12 views

CVE-2024-24915 - Potential vulnerability in SmartConsole where an administrator's credentials may be exposed to users with debugging privileges on the administrator's computer

Symptoms - Credentials are not cleared from memory after being used. A user with Administrator permissions can execute a memory dump for the SmartConsole process and fetch them. - This issue received the ID CVE-2024-24915. Solution This problem was fixed. The fix is included starting from: R82...

CVSS 7.2 • AI score 7 • EPSS 0.00144 • Exploits 0

CheckPoint Security • added 2025/04/27 12:0 a.m. • 14 views

Check Point response to CVE-2025-32728 - The SSH directive "DisableForwarding" fails to disable "X11 Forwarding" and "Agent Forwarding"

Symptoms - A flaw was found in OpenSSH - in affected versions of SSHD, the directive "DisableForwarding" does not fully adhere to the intended functionality as documented. Specifically, it fails to disable X11 and Agent forwarding, which may allow unintended access under certain configurations...

CVSS 4.3 • AI score 6.7 • EPSS 0.0022 • Exploits 0

CheckPoint Security • added 2025/04/09 12:0 a.m. • 10 views

Check Point Response to CVE-2024-24916 - DLL HiJacking

Cause The installer relies on the default Windows DLL search order, which includes the current working directory. If required DLLs are missing or not explicitly loaded from a secure path, this can lead to DLL hijacking. Symptoms - Untrusted DLLs in the installer's directory may be loaded and...

CVSS 7.8 • AI score 7.8 • EPSS 0.00113 • Exploits 0

CheckPoint Security • added 2025/02/02 12:0 a.m. • 12 views

Check Point Response to CVE-2024-24911 - Out of Bounds read in the CPCA process on a Check Point Management Server

Cause An Out-of-Bounds read may occur when processing certain HTTP "POST" requests to the Security Management Server / Domain Management Server to the TCP port 18264. Repeated requests can cause a denial-of-service (DoS) of the cpca process and may lead it to exit unexpectedly with a core dump file...

CVSS 7.5 • AI score 6.8 • EPSS 0.00277 • Exploits 0

CheckPoint Security • added 2025/01/29 12:0 a.m. • 15 views

CVE-2024-52887 - Self-XSS vulnerability in Mobile Access Native Applications 'favorites' dialog

Symptoms - The Mobile Access portal is vulnerable to a stored, self-XSS attack. An authenticated end-user may set a specially crafted SNX bookmark that can make their browser run a script while accessing their own bookmark list. So far today, no attack with actual impact is known. - This issue...

CVSS 5.4 • AI score 6.8 • EPSS 0.0025 • Exploits 0

CheckPoint Security • added 2025/01/21 12:0 a.m. • 11 views

CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks

Symptoms - When an authenticated Mobile Access portal end-user browses to a File Share application, the portal may run a script while attempting to display a directory or some file's properties. Additionally, an authenticated attacker may store specially crafted file/dir names for other...

CVSS 5.4 • AI score 6.8 • EPSS 0.00248 • Exploits 0

CheckPoint Security • added 2024/12/05 12:0 a.m. • 19 views

Check Point response to Apache HTTP CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573, CVE-2024-39884

Symptoms - These issues were reported in the Apache HTTP Server version 2.4.60 and lower: 1. CVE-2024-38473 - Apache HTTP Server: proxy encoding problem 2. CVE-2024-38474 - Apache HTTP Server: weakness with encoded question marks in backreferences 3. CVE-2024-38475 - Apache HTTP Server: weakness...

CVSS 9.8 • AI score 6.6 • EPSS 0.93858 • Exploits 2

CheckPoint Security • added 2024/11/25 12:0 a.m. • 10 views

Check Point Response to CVE-2024-0105 and CVE-2024-0106 - NVIDIA Firmware Vulnerabilities

Cause NVIDIA ConnectX Firmware contains a vulnerability where an attacker may cause an improper handling of insufficient privileges issue. Symptoms - These Check Point Line Cards and appliances contain network interfaces with potentially vulnerable NVIDIA firmware versions see CVE-2024-0105 and...

CVSS 8.9 • AI score 6.9 • EPSS 0.00085 • Exploits 0

CheckPoint Security • added 2024/10/08 12:0 a.m. • 14 views

Check Point Response to CVE-2024-24914 - TCL substitution of global parameter values

Symptoms - After logging in to Gaia Portal, authenticated users (local Gaia users and RADIUS / TACACS users) may cause code injection in Gaia Portal because of unprotected global variables usage when processing the HTTP request in the TCL process. This issue received the ID CVE-2024-24914. Solution...

CVSS 8 • AI score 7.4 • EPSS 0.00238 • Exploits 0

CheckPoint Security • added 2024/07/18 12:0 a.m. • 13 views

Check Point Response to CVE-2024-3596 - Blast-RADIUS attack

Cause The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing...

CVSS 9 • AI score 7.4 • EPSS 0.22162 • Exploits 2

CheckPoint Security • added 2024/07/03 12:0 a.m. • 17 views

Check Point Response to CVE-2024-6387 - OpenSSH Library RCE

Cause A security regression (CVE-2006-5051) was discovered in the OpenSSH server (sshd) version 8.5p1. There is a race condition, which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time...

CVSS 9.3 • AI score 7.6 • EPSS 0.94342 • Exploits 120

CheckPoint Security • added 2024/05/26 12:0 a.m. • 16 views

Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure

Solution This article refers to Quantum Security Gateways running Gaia OS and CloudGuard Network Security. For Quantum Spark Gateways that run a Gaia Embedded OS, see sk182357. Following our security update on May 27, 2024, Check Point's dedicated task force continues investigating attempts to ga...

CVSS 8.6 • AI score 6.4 • EPSS 0.94342 • Exploits 52

CheckPoint Security • added 2024/04/25 12:0 a.m. • 11 views

Check Point Response to CVE-2024-24912 - local privilege escalation in Harmony Endpoint Security Client for Windows via crafted DLL file

Symptoms - A local privilege escalation vulnerability has been identified in Harmony Endpoint Security Client for Windows versions E88.10 and lower. By manipulating the COM object, an attacker could load a specially crafted DLL. An attacker must first obtain the ability to execute local privilege...

CVSS 6.7 • AI score 7.3 • EPSS 0.0006 • Exploits 0

CheckPoint Security • added 2024/04/17 12:0 a.m. • 10 views

Check Point Response to CVE-2024-24910 - local privilege escalation in ZoneAlarm Extreme Security NextGen and Identity Agent

Symptoms - A vulnerability was discovered in ZoneAlarm Extreme Security that allows a local attacker to run code in the context of a ZoneAlarm process, using a specially crafted DLL. An attacker must first obtain the ability to execute local privileged code on the target system in order to exploi...

CVSS 7.3 • AI score 7.1 • EPSS 0.00086 • Exploits 0

CheckPoint Security • added 2024/03/26 12:0 a.m. • 16 views

Check Point Response to Docker Desktop Vulnerabilities

Solution This article provides Check Point response to Docker Desktop vulnerabilities that various vulnerability scanners may show when testing a Check Point Security Gateway / Management Server / Log Server. To exploit a Docker Desktop vulnerability, a malicious actor must have a local access on...

CVSS 10 • AI score 6.8 • EPSS 0.10301 • Exploits 20

CheckPoint Security • added 2023/11/07 12:0 a.m. • 14 views

Local Privilege Escalation in Check Point Endpoint Security Remediation Service

Symptoms - This vulnerability allows local attackers to escalate privileges on affected installations of Check Point Harmony Endpoint / ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability...

CVSS 7.8 • AI score 7.6 • EPSS 0.00043 • Exploits 0

CheckPoint Security • added 2023/07/25 12:0 a.m. • 15 views

Check Point Response to CVE-2023-28130 - Hostname command injection in Gaia Portal

Symptoms - Local user may lead to privilege escalation using Gaia Portal "Hosts and DNS" page. This issue received the ID CVE-2023-28130. Solution This problem was fixed. The fix adds more validations on user input and is included starting from: Check Point R82 Jumbo Hotfix Accumulator for R81.20...

CVSS 7.2 • AI score 7.2 • EPSS 0.04173 • Exploits 3

CheckPoint Security • added 2023/07/19 12:0 a.m. • 11 views

Check Point Response to CVE-2023-28133 - Local privilege escalation in Check Point Endpoint Security Client via crafted OpenSSL configuration file

Symptoms - Local privilege escalation in Check Point Endpoint Security Client. Affected versions: E87.30 and lower, including all E86.x clients. Affected clients: Standalone Remote Access VPN clients, Endpoint Security Clients with Remote Access VPN enabled. Affected processes: TracSrvWrapper.exe...

CVSS 7.8 • AI score 7.4 • EPSS 0.01468 • Exploits 0

CheckPoint Security • added 2022/11/13 12:0 a.m. • 15 views

VPN SNX portal may be vulnerable to brute-force attack on passwords

Cause The VPN SNX portal in the IPsec VPN Software Blade does not implement any protection against brute-force attack on usernames/passwords. Symptoms - The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for...

CVSS 7.5 • AI score 7.2 • EPSS 0.00265 • Exploits 0

CheckPoint Security • added 2022/07/03 10:15 p.m. • 56 views

Check Point response to CVE-2022-0778

Symptoms Dell published CVE-2022-0778 for: iDRAC8 versions before 2.83.83.83 iDRAC9 versions before 5.10.30.00 Cause Refer to DSA-2022-154: Dell iDRAC8 and Dell iDRAC9 Security Update for an OpenSSL Vulnerability. Solution Important Note: If you have not enabled iDRAC as described in sk122914, th...

CVSS 5 • AI score 3.6 • EPSS 0.07539 • Exploits 2 • Affected Software 1

CheckPoint Security • added 2022/07/03 8:44 p.m. • 28 views

CVE-2022-23745 - Memory corruption issue in Capsule Workspace on Android mobile devices

Symptoms A potential memory corruption issue was found in Capsule Workspace Android app running on GrapheneOS. This could result in application crashing but could not be used to gather any sensitive information. This issue was discovered and responsibly disclosed by Gabe Flawedworld and received ...

AI score 2 • EPSS 0.00534 • Exploits 0 • Affected Software 1

CheckPoint Security • added 2022/06/27 12:0 a.m. • 25 views

Check Point Response to CVE-2022-23744 - Use of unprotected registry change to disable Endpoint protection

Symptoms - Check Point Endpoint Security Client before version E86.50 fails to protect against specific registry change, allowing a local administrator to disable endpoint protection. This issue was discovered and responsibly disclosed by Erwin Chan and received ID CVE-2022-23744. Solution This...

CVSS 2.3 • AI score 4.7 • EPSS 0.00899 • Exploits 0

CheckPoint Security • added 2022/05/15 12:0 a.m. • 39 views

Check Point Response to CVE-2022-24422 - Dell iDRAC9 Security Update for an Improper Authentication Vulnerability

Cause Refer to Dell's DSA-2022-068: Dell iDRAC9 Security Update for an Improper Authentication Vulnerability. Symptoms - Dell published CVE-2022-24422 for iDRAC9 versions 5.00.00.00 and higher but lower than 5.10.10.00. These versions contain an improper authentication vulnerability. A remote...

CVSS 10 • AI score 9.6 • EPSS 0.1579 • Exploits 0

CheckPoint Security • added 2022/05/11 12:0 a.m. • 23 views

Check Point Response to CVE-2022-23742 - local privileges escalation in Endpoint Security Client's EFRService

Symptoms - The EFRService, which collects forensics data for various blades for the Check Point Endpoint Security Client for Windows, copies files for forensics reports from a directory with insufficient privileges. A local attacker can replace those files with malicious or linked content, which...

CVSS 7.8 • AI score 7.5 • EPSS 0.0009 • Exploits 0

CheckPoint Security • added 2022/05/10 12:0 a.m. • 43 views

Check Point Response to CVE-2021-30361 - Gaia Portal Authenticated Command Injection

Symptoms - The "Security Management GUI Clients" feature in Check Point Gaia Portal allows authenticated administrators with permission for the GUI Clients settings to inject a CLI command that can run on the Gaia OS. This issue was discovered and responsibly disclosed by Christophe Schleypen of...

CVSS 6.9 • AI score 6.5 • EPSS 0.00157 • Exploits 0

CheckPoint Security • added 2022/04/25 12:0 a.m. • 44 views

Check Point Response to CVE-2022-21449 - Java "Psychic Signatures"

Symptoms - On April 20, 2022, security researcher Neil Madden published a blog post in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or "Psychic Signatures". This security vulnerability originates in an incorrect implementation of the ECDSA signature...

CVSS 7.5 • AI score 7.6 • EPSS 0.34335 • Exploits 6

CheckPoint Security • added 2022/03/31 12:0 a.m. • 62 views

Check Point Response to Spring Vulnerabilities CVE-2022-22963, CVE-2022-22946, CVE-2022-22947, CVE-2022-22965 (Spring4Shell), CVE-2022-22950

Solution On March 29, 2022, new CVEs were published on Spring Cloud: CVE-2022-22963, CVE-2022-22946, CVE-2022-22947, and CVE-2022-22950. On March 31, 2022, a bypass to the fix for CVE-2010-1622 was published by Praetorian, and received the nickname "Spring4Shell" see Spring Core on JDK9+ is...

CVSS 10 • AI score 8.9 • EPSS 0.94462 • Exploits 198

CheckPoint Security • added 2022/03/16 12:0 a.m. • 43 views

Check Point Response to CVE-2022-0778 - possible infinite loop when parsing ECDSA certificates/keys in OpenSSL

Symptoms - A vulnerability was found in OpenSSL, making it possible to trigger an infinite loop by crafting a certificate with invalid explicit curve parameters. Because certificate parsing occurs before verification of the certificate signature, a process that parses an externally supplied...

CVSS 7.5 • AI score 6.6 • EPSS 0.07539 • Exploits 2

CheckPoint Security • added 2022/01/29 12:0 a.m. • 45 views

Check Point Response to CVE-2021-4034 - local privilege escalation in polkit's pkexec

Symptoms - A Local Privilege Escalation from any user to root was discovered in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution. The vulnerability allows unprivileged users to run commands as privileged users according to predefined policies. Fo...

CVSS 7.8 • AI score 7 • EPSS 0.87351 • Exploits 151

CheckPoint Security • added 2022/01/17 12:0 a.m. • 72 views

Check Point Response to CVE-2021-36347, CVE-2021-36348, CVE-2021-36346, CVE-2021-3712 - Dell iDRAC8 / iDRAC9 vulnerabilities

Cause See Dell's DSA-2021-259: Dell EMC iDRAC Security Update for Multiple Security Vulnerabilities. CVE-2021-36347 CVE-2021-36348 CVE-2021-36346 CVE-2021-3712 Symptoms - Dell published CVE-2021-36347 for iDRAC8 versions before 2.82.82.82 and iDRAC9 versions before 5.00.20.00 - Dell published...

CVSS 9 • AI score 6.9 • EPSS 0.03741 • Exploits 0

CheckPoint Security • added 2021/12/12 6:42 a.m. • 38 views

Check Point response to CVE-2021-43267

Symptoms A flaw was discovered in the cryptographic receive code in the Linux kernel's implementation of transparent inter-process communication. An attacker, with the ability to send TIPC messages to the target, can cause memory corruption and escalate privileges on the target system. Cause This...

CVSS 7.5 • AI score 0.7 • EPSS 0.72624 • Exploits 2

CheckPoint Security • added 2021/12/10 12:0 a.m. • 89 views

Check Point Response to Apache Log4j Remote Code Execution

Solution On December 10, 2021, a proof of concept of a vulnerability in the Apache Log4j Java library (CVE-2021-44228) was published. The vulnerability may allow unauthenticated threat actors to obtain remote code execution. The severity of the vulnerability was deemed critical. The Check Point...

CVSS 10 • AI score 9.6 • EPSS 0.94358 • Exploits 350

CheckPoint Security • added 2021/11/04 12:0 a.m. • 185 views

Check Point Response to CVE-2021-36299, CVE-2021-36300, CVE-2021-36301, CVE-2021-20235 - Dell iDRAC9 Vulnerabilities

Cause CVE-2021-36299 - An SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application. CVE-2021-36300 -...

CVSS 8.2 • AI score 8.1 • EPSS 0.14489 • Exploits 0

CheckPoint Security • added 2021/10/28 12:0 a.m. • 27 views

Check Point response to Apache CVEs - November 2021 for httpd versions between 2.4.41 and 2.4.51

Solution In November 2021, Apache open source published CVEs for httpd versions between 2.4.41 and 2.4.51 see the list of the CVEs in the "Cause" section. Check Point uses the Apache HTTP Server as the Web server for several of its user portals on both the Security Gateway Gaia Portal, Identity...

CVSS 9.8 • AI score 8.4 • EPSS 0.94432 • Exploits 179

CheckPoint Security • added 2021/10/20 12:0 a.m. • 88 views

Check Point Response to CVE-2021-30359 - Harmony Browse installer or SandBlast Agent for Browsers installer can be used for privileges escalation

Cause The Harmony Browse and the SandBlast Agent for Browsers installers must have admin privileges to execute some steps during the installation. Because the MS Installer lets regular users repair their installation, an attacker running the old version of the installer can start the installati...

CVSS 7.8 • AI score 7.8 • EPSS 0.00061 • Exploits 0

CheckPoint Security • added 2021/10/17 12:0 a.m. • 90 views

Mobile Access Portal Agent before Build 800007042 runs Arbitrary Applications

Cause Mobile Access Portal Agent runs predefined Native Applications. If an administrator configured such an application with environment variables in the path, Portal Agent may run an arbitrary application that was placed in a specially created location. Symptoms - When environment variables are used ...

CVSS 7.2 • AI score 7.2 • EPSS 0.0051 • Exploits 0

CheckPoint Security • added 2021/06/10 12:0 a.m. • 31 views

Check Point Response to Wi-Fi FragAttacks in Quantum Spark appliances

Cause Several CVEs were published on Wi-Fi devices under the name FragAttacks. More information about them can be found at: https://www.fragattacks.com/ The list of new CVEs related to wireless security flaws with fragmented and aggregated frames, is relevant to Check Point Quantum Spark wireless...

CVSS 6.5 • AI score 6.9 • EPSS 0.02254 • Exploits 4

CheckPoint Security • added 2021/05/19 12:0 a.m. • 82 views

Check Point Response to CVE-2021-30357 - partial information disclosure in SNX client for Linux before build 800008302

Cause SNX can accept files with connection commands. If such a file contains wrong commands, SNX prints the line with unrecognized command. Since SNX runs as ROOT, an attacker can supply any file on the system and get one line of its content. If the file contains sensitive information, the attack...

CVSS 5.3 • AI score 5.5 • EPSS 0.29976 • Exploits 1

CheckPoint Security • added 2021/05/05 12:0 a.m. • 87 views

Check Point Response to CVE-2021-21538 - Dell iDRAC9 improper authentication vulnerability

Symptoms - Dell published CVE-2021-21538 for iDRAC9 versions 4.40.00.00 and later, but lower than 4.40.10.00 - A remote unauthenticated attacker could potentially exploit this authentication vulnerability to gain access to the virtual console Solution Important Note: If you have not enabled iDRAC...

CVSS 10 • AI score 9.1 • EPSS 0.01553 • Exploits 0

CheckPoint Security • added 2021/04/22 12:0 a.m. • 13 views

Check Point Response to CVE-2021-30356 - denial-of-service vulnerability in Identity Agent

Cause A denial-of-service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which could allow low privileged users to overwrite protected system files. This issue was published as CVE-2021-30356. The write-up for the vulnerability is available at:...

CVSS 8.1 • AI score 6.7 • EPSS 0.00464 • Exploits 0

Total number of security vulnerabilities: 203