A vital privilege-escalation vulnerability has been found in Verify Level’s Concord SASE (Safe Entry Service Edge) Home windows shopper software program, affecting variations previous to 12.2.
Tracked as CVE-2025-9142, the flaw permits native attackers to jot down or delete recordsdata outdoors the supposed certificates working listing, doubtlessly resulting in system-level compromise.
The vulnerability exists throughout the Service element of Perimeter81 software program (Perimeter81.Service.exe), which operates with SYSTEM privileges.
The flaw stems from inadequate validation of JWT (JSON Net Token) values throughout authentication.
CVE IDProductAffected VersionsSeverityCVE-2025-9142Harmony SASE Home windows ClientBelow 12.2Medium
When customers provoke the Perimeter81 login move via a URI handler, the JWT token is handed to the service by way of an IPC name, however is processed with out correct signature verification.
A malicious actor can craft a specifically designed perimeter81:// URL with a tampered JWT containing listing traversal sequences (../../../) within the tenant ID area.
This bypasses authentication controls and reaches the native service element, which fails to validate the token earlier than processing it.
Technical Assault Chain
The exploitation chain unfolds in two distinct phases. First, the attacker registers a rogue authentication area; notably, p81-falcon.com was obtainable for registration on the time of discovery.
This area passes the shopper’s whitelist validation. The JWT manipulation permits listing traversal, permitting the adversary to power the Perimeter81 service to create folder buildings outdoors the supposed location.
The second section leverages symbolic hyperlink injection. When the GenerateAndLoadCertificates() perform executes, it writes shopper certificates to the attacker-controlled working listing with SYSTEM privileges.
By exploiting Home windows Object Supervisor and RPC Management listing symlinks, an attacker can redirect certificates writes to arbitrary system places comparable to C:WindowsSystem32.
Symlink Assault(supply : amberwolf)
Exploitation Impression
This primitive permits attackers to overwrite vital system recordsdata or inject malicious DLLs. Course of monitoring revealed the service making an attempt to load lacking DLLs from its working listing.
Procmon Hint reveals the output of Lacking DLLs (supply: amberwolf)
By inserting a malicious DLL at these anticipated places, attackers can execute code when the Perimeter81 service restarts, thereby escalating to SYSTEM-level entry.
The vulnerability is additional amplified by the truth that the service’s file-handling logic fails to implement strict belief boundaries between person enter and privileged operations.
Verify Level was notified of the vulnerability on March 16, 2025, and launched a repair in model 12.2 on November 18, 2025. The CVE was publicly disclosed on January 14, 2026.
Organizations utilizing Concord SASE should instantly improve to model 12.2 or later to mitigate the chance of native privilege escalation assaults.
Organizations ought to instantly deploy Concord SASE agent model 12.2 or later, in line with Amberwolf advisory.
Moreover, prohibit native administrative entry and implement utility whitelisting to stop unauthorized DLL injection assaults.
Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
