Check Point Software
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Check Point Software product.
RSS Feeds for Check Point Software security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Check Point Software products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Check Point Software Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 1 vulnerability in Check Point Software with an average score of 7.5 out of ten. Last year, in 2025 Check Point Software had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Check Point Software in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.00.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.50 |
| 2025 | 2 | 6.50 |
| 2024 | 3 | 7.95 |
| 2023 | 3 | 7.60 |
| 2022 | 7 | 6.91 |
| 2021 | 3 | 6.87 |
| 2020 | 7 | 6.70 |
| 2019 | 9 | 7.80 |
It may take a day or so for new Check Point Software vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Check Point Software Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-9142 | Jan 14, 2026 |
Local User File Write/Deletion via Harmony SASE Windows Client (Checkpoint)A local user can trigger Harmony SASE Windows client to write or delete files outside the intended certificate working directory. |
|
| CVE-2025-8305 | Dec 22, 2025 |
MS TS ID Agent Local Auth Leakage of Security PoliciesAn authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being printed in plaintext in Identity Agent for Terminal Services debug files. |
|
| CVE-2025-8304 | Dec 22, 2025 |
Local User Can Abuse Check Point Identity Agent Registry for Policy ExposureAn authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being accessible in the Windows Registry keys for Check Point Identity Agent running on a Terminal Server. |
Identity Agent
|
| CVE-2024-6233 | Nov 22, 2024 |
CVE-2024-6233: LPE via Symlink in Forensic Recorder (ZoneAlarm)Check Point ZoneAlarm Extreme Security Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Check Point ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Forensic Recorder service. By creating a symbolic link, an attacker can abuse the service to overwrite arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-21677. |
Zonealarm Extreme Security
|
| CVE-2024-24919 | May 28, 2024 |
Checkpoint VPN Information Disclosure Leading to Remote AuthPotentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available. |
Cloudguard Network Security
Quantum Security Gateway Firmware Cloudguard Network And others... |
| CVE-2024-24910 | Apr 18, 2024 |
Check Point ZAE NextGen LPE on WindowsA local attacker can erscalate privileges on affected Check Point ZoneAlarm ExtremeSecurity NextGen, Identity Agent for Windows, and Identity Agent for Windows Terminal Server. To exploit this vulnerability, an attacker must first obtain the ability to execute local privileged code on the target system. |
Identity Agent
Zonealarm Extreme Security |
| CVE-2023-28134 | Nov 12, 2023 |
Check Point Harmony Endpoint/ZoneAlarm Extreme Secure PrivEsc via Local AttackLocal attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. |
Endpoint Security
|
| CVE-2023-28130 | Jul 26, 2023 |
CVE-2023-28130: Local Priv Escalation in Cisco Gaia Portal HostnamesLocal user may lead to privilege escalation using Gaia Portal hostnames page. |
Gaia Portal
|
| CVE-2023-28133 | Jul 23, 2023 |
Check Point Endpoint Security Client E87.30 LPE via crafted OpenSSL configLocal privilege escalation in Check Point Endpoint Security Client (version E87.30) via crafted OpenSSL configuration file |
Endpoint Security
|
| CVE-2022-23746 | Nov 30, 2022 |
Cisco SNX bruteforce login vulnerability on IPsec VPN bladeThe IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords. |
Ssl Network Extender
|
| CVE-2022-41604 | Sep 27, 2022 |
Check Point ZoneAlarm Extreme Security <v15.8.211.19229 Priv Esc via JunctionCheck Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. This occurs because of weak permissions for the %PROGRAMDATA%\CheckPoint\ZoneAlarm\Data\Updates directory, and a self-protection driver bypass that allows creation of a junction directory. This can be leveraged to perform an arbitrary file move as NT AUTHORITY\SYSTEM. |
Zonealarm
Zonealarm Extreme Security |
| CVE-2022-23745 | Jul 18, 2022 |
A potential memory corruption issue was found in Capsule Workspace Android app (running on GrapheneOS)A potential memory corruption issue was found in Capsule Workspace Android app (running on GrapheneOS). This could result in application crashing but could not be used to gather any sensitive information. |
Capsule Workspace
|
| CVE-2022-23744 | Jul 07, 2022 |
Check Point Endpoint before version E86.50 failed to protect against specific registry change whichCheck Point Endpoint before version E86.50 failed to protect against specific registry change which allowed to disable endpoint protection by a local administrator. |
Endpoint Security
Harmony Endpoint |
| CVE-2021-30361 | May 11, 2022 |
The Check Point Gaia Portal's GUI Clients allowed authenticated administrators with permission for the GUI Clients settings to inject a commandThe Check Point Gaia Portal's GUI Clients allowed authenticated administrators with permission for the GUI Clients settings to inject a command that would run on the Gaia OS. |
Gaia Portal
|
| CVE-2022-23743 | May 11, 2022 |
Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade processCheck Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. In addition, weak permissions in the ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory allow a local attacker the ability to execute an arbitrary file write, leading to execution of code as local system, in ZoneAlarm versions before v15.8.211.192119 |
Zonealarm
|
| CVE-2021-30360 | Jan 10, 2022 |
Users have access to the directory where the installation repair occursUsers have access to the directory where the installation repair occurs. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted EXE in the repair folder which runs with the Check Point Remote Access Client privileges. |
Endpoint Security
|
| CVE-2021-30358 | Oct 19, 2021 |
Mobile Access Portal Native Applications who's path is defined by the administrator with environment variables may run applicationsMobile Access Portal Native Applications who's path is defined by the administrator with environment variables may run applications from other locations by the Mobile Access Portal Agent. |
Mobile Access Portal Agent
|
| CVE-2021-30357 | Jun 08, 2021 |
SSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, whichSSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, which allows partially disclosing files to which the user did not have access. |
Ssl Network Extender
|
| CVE-2021-30356 | Apr 22, 2021 |
A denial of service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which couldA denial of service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which could allow low privileged users to overwrite protected system files. |
Identity Agent
|
| CVE-2020-6021 | Dec 03, 2020 |
Check Point Endpoint Security Client for Windows before version E84.20Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted DLL in the repair folder which will run with the Endpoint clients privileges. |
Endpoint Security
|
| CVE-2020-6015 | Nov 05, 2020 |
Check Point Endpoint Security for Windows before E84.10 can reach denial of service during clean install of the clientCheck Point Endpoint Security for Windows before E84.10 can reach denial of service during clean install of the client which will prevent the storage of service log files in non-standard locations. |
Endpoint Security
|
| CVE-2020-6014 | Nov 02, 2020 |
Check Point Endpoint Security Client for WindowsCheck Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate. |
Endpoint Security
|
| CVE-2020-6023 | Oct 27, 2020 |
Check Point ZoneAlarm before version 15.8.139.18543Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to escalate privileges while restoring files in Anti-Ransomware. |
Zonealarm
|
| CVE-2020-6022 | Oct 27, 2020 |
Check Point ZoneAlarm before version 15.8.139.18543Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware. |
Zonealarm
|
| CVE-2020-6020 | Sep 24, 2020 |
Check Point Security Management's Internal CA web management before Jumbo HFAs R80.10 Take 278, R80.20 Take 160, R80.30 Take 210, and R80.40 Take 38Check Point Security Management's Internal CA web management before Jumbo HFAs R80.10 Take 278, R80.20 Take 160, R80.30 Take 210, and R80.40 Take 38, can be manipulated to run commands as a high privileged user or crash, due to weak input validation on inputs by a trusted management administrator. |
Ica Management Portal
|
| CVE-2020-6012 | Aug 04, 2020 |
ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privilegesZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links. This allows an unprivileged user to enable escalation of privilege via local access. |
Zonealarm Anti Ransomware
|
| CVE-2019-8463 | Dec 23, 2019 |
A denial of service vulnerability was reported in Check Point Endpoint Security Client for Windows before E82.10A denial of service vulnerability was reported in Check Point Endpoint Security Client for Windows before E82.10, that could allow service log file to be written to non-standard locations. |
Endpoint Security Clients
|
| CVE-2019-8461 | Aug 29, 2019 |
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installedCheck Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. An attacker can leverage this to gain LPE using a specially crafted DLL placed in any PATH location accessible with write permissions to the user. |
Capsule Docs Standalone Client
Endpoint Security Remote Access Clients And others... |
| CVE-2019-8459 | Jun 20, 2019 |
Check Point Endpoint Security Client for WindowsCheck Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one. |
Capsule Docs Standalone Client
Endpoint Security Clients Endpoint Security Server Package And others... |
| CVE-2019-8458 | Jun 20, 2019 |
Check Point Endpoint Security Client for WindowsCheck Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate. |
Capsule Docs
Endpoint Security Clients Remote Access Clients And others... |
| CVE-2019-8452 | Apr 22, 2019 |
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed soA hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file. |
Endpoint Security
Zonealarm |
| CVE-2019-8455 | Apr 17, 2019 |
A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed soA hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains the local attacker higher privileges to the file. |
Zonealarm
|
| CVE-2019-8453 | Apr 17, 2019 |
Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissionsSome of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissions. This can allow a local attacker to replace a DLL file with a malicious one and cause Denial of Service to the client. |
Zonealarm
|
| CVE-2019-8456 | Apr 09, 2019 |
Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, mayCheck Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, may allow an attacker with knowledge of the internal configuration and setup to successfully connect to a site-to-site VPN server. |
Ipsec Vpn
|
| CVE-2018-8790 | Mar 01, 2019 |
Check Point ZoneAlarm version 15.3.064.17729 and below expose a WCF serviceCheck Point ZoneAlarm version 15.3.064.17729 and below expose a WCF service that can allow a local low privileged user to execute arbitrary code as SYSTEM. |
Zonealarm
|
| CVE-2014-7169 | Sep 25, 2014 |
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, whichGNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. |
Security Gateway
|
| CVE-2014-6271 | Sep 24, 2014 |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, whichGNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. |
Security Gateway
|
| CVE-2010-5184 | Aug 25, 2012 |
Race condition in ZoneAlarm Extreme Security 9.1.507.000 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous codeRace condition in ZoneAlarm Extreme Security 9.1.507.000 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute |
Zonealarm Extreme Security
|
| CVE-2009-1227 | Apr 02, 2009 |
NOTE: this issue has been disputed by the vendorNOTE: this issue has been disputed by the vendor. Buffer overflow in the PKI Web Service in Check Point Firewall-1 PKI Web Service allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) Authorization or (2) Referer HTTP header to TCP port 18624. NOTE: the vendor has disputed this issue, stating "Check Point Security Alert Team has analyzed this report. We've tried to reproduce the attack on all VPN-1 versions from NG FP2 and above with and without HFAs. The issue was not reproduced. We have conducted a thorough analysis of the relevant code and verified that we are secure against this attack. We consider this attack to pose no risk to Check Point customers." In addition, the original researcher, whose reliability is unknown as of 20090407, also states that the issue "was discovered during a pen-test where the client would not allow further analysis. |
Firewall 1 Pki Web Service
|
| CVE-2008-0662 | Feb 08, 2008 |
The Auto Local Logon feature in Check Point VPN-1 SecuRemote/SecureClient NGX R60 and R56 for Windows caches credentials under the Checkpoint\SecuRemote registry key, which has Everyone/Full Control permissions, whichThe Auto Local Logon feature in Check Point VPN-1 SecuRemote/SecureClient NGX R60 and R56 for Windows caches credentials under the Checkpoint\SecuRemote registry key, which has Everyone/Full Control permissions, which allows local users to gain privileges by reading and reusing the credentials. |
Vpn 1 Secureclient
|
| CVE-2001-0682 | Aug 29, 2001 |
ZoneAlarm and ZoneAlarm ProZoneAlarm and ZoneAlarm Pro allows a local attacker to cause a denial of service by running a trojan to initialize a ZoneAlarm mutex object which prevents ZoneAlarm from starting. |
Zonealarm Pro
|