A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS. An authenticated local user may be able to execute arbitrary code with SYSTEM privileges due to improper handling of executable resolution during the log collection process. Successful exploitation could allow an attacker to gain elevated privileges on the affected Windows endpoint.
CVE-2026-10847 is a local privilege escalation vulnerability affecting Check Point Identity Agent Full on Windows. An authenticated local user can abuse improper executable resolution during the log collection process to run arbitrary code with SYSTEM privileges. The issue matters because it turns a foothold as an ordinary user into full control of the endpoint: from SYSTEM an attacker can tamper with or disable the agent, establish persistence, and use the host as a springboard for credential theft and lateral movement. Organizations running Check Point Identity Agent on user endpoints should treat this as a priority fix, particularly where the agent feeds identity information to the gateway for access control and is therefore part of the mechanism meant to contain lateral movement.
At the time of writing this CVE has no mapped MITRE ATT&CK techniques and Casky has no skill matched to it specifically, but the underlying weakness is well known: CWE-427 (Uncontrolled Search Path Element), where a privileged component resolves an executable by bare name or relative path and can be made to run a binary that a less-privileged user planted first. The closest ATT&CK family is Hijack Execution Flow (T1574), which Casky's Claude-powered analysis across its 754 security skills maps to execution and privilege escalation behaviour. During a threat hunt or incident investigation, look for the log collection process (running as SYSTEM) spawning children whose image path lies outside the agent's install directory and the Windows system directories, especially in user-writable locations such as profile or temp folders; for executables written to such locations by a standard user shortly before a SYSTEM process launched them; and for the timing correlation between a user's logon or a user-initiated log collection and the elevated process creation. The same analysis points at the mitigations: application control (allow-listing) so SYSTEM only runs binaries from trusted paths, validating the resolved executable (absolute path, expected signer) before launching it, and process-creation monitoring (Sysmon Event ID 1 or Security event 4688 with command-line logging) so the chain is visible before escalation completes.
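The hunt described above, as an added example that is not Check Point's, Casky's or the advisory's own code. It runs the two checks over constructed Sysmon-style telemetry: a SYSTEM child of the log collector executing from a location an unprivileged user controls, and the temporal correlation with a file-creation event showing which user wrote that binary shortly before. The collector binary name and install path are placeholders (the page does not give them), the user-writable and trusted-root lists are assumptions to tune to your environment, and all events are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# ASSUMPTION: the real Identity Agent log-collector binary is not named on the
# page; this placeholder matches any parent under an "Identity Agent" folder.
COLLECTOR_PARENT = re.compile(r"\\identity agent\\", re.IGNORECASE)

LOCAL_SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed lists (assumptions): where a standard user can normally write,
# and where a SYSTEM-level helper binary is expected to live.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.IGNORECASE)
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(windows\\system32|program files(?: \(x86\))?)\\", re.IGNORECASE)


@dataclass
class ProcessCreate:
    """Sysmon Event ID 1 / Security 4688 style fields."""
    ts: datetime
    image: str
    parent_image: str
    user: str


@dataclass
class FileCreate:
    """Sysmon Event ID 11 style fields."""
    ts: datetime
    target: str
    user: str


@dataclass
class Finding:
    ts: datetime
    image: str
    severity: str
    reason: str
    planted_by: Optional[str] = None


def hunt(procs: List[ProcessCreate], files: List[FileCreate],
         lookback: timedelta = timedelta(minutes=30)) -> List[Finding]:
    """Flag SYSTEM children of the log collector that run from outside the
    trusted install roots, then correlate with who wrote that file."""
    findings = []
    for p in sorted(procs, key=lambda e: e.ts):
        if p.user != LOCAL_SYSTEM or not COLLECTOR_PARENT.search(p.parent_image):
            continue
        if TRUSTED_ROOTS.match(p.image):
            continue  # expected helper location, nothing to see
        reason = ("child image in user-writable path" if USER_WRITABLE.match(p.image)
                  else "child image outside trusted install roots")
        finding = Finding(p.ts, p.image, "medium", reason)
        # Temporal correlation: a non-SYSTEM principal wrote that exact file
        # shortly before SYSTEM executed it, i.e. the planted-binary half of
        # a CWE-427 exploitation chain.
        for f in files:
            if (f.target.lower() == p.image.lower() and f.user != LOCAL_SYSTEM
                    and timedelta(0) <= p.ts - f.ts <= lookback):
                finding.severity = "high"
                finding.planted_by = f.user
                finding.reason += f"; file written by {f.user} {p.ts - f.ts} earlier"
                break
        findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). The collector path is a placeholder.
T0 = datetime(2026, 1, 15, 9, 0, 0)
COLLECTOR = r"C:\Program Files (x86)\ExampleVendor\Identity Agent\LogCollector.exe"
PLANTED = r"C:\Users\alice\AppData\Local\Temp\diagtool.exe"
SAMPLE_PROCS = [
    ProcessCreate(T0 + timedelta(seconds=5), r"C:\Windows\System32\cmd.exe", COLLECTOR, LOCAL_SYSTEM),
    ProcessCreate(T0 + timedelta(seconds=7), PLANTED, COLLECTOR, LOCAL_SYSTEM),
    ProcessCreate(T0 + timedelta(minutes=1), r"C:\Tools\zip.exe", COLLECTOR, LOCAL_SYSTEM),
    ProcessCreate(T0 + timedelta(minutes=2), PLANTED, r"C:\Windows\explorer.exe", r"CORP\alice"),
]
SAMPLE_FILES = [
    FileCreate(T0 - timedelta(minutes=10), PLANTED, r"CORP\alice"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCS, SAMPLE_FILES):
        print(f"[{f.severity}] {f.ts:%H:%M:%S} {f.image}: {f.reason}")
```

On the sample data the cmd.exe child is ignored (trusted root), the temp-folder binary is raised to high because the same non-SYSTEM user wrote it ten minutes earlier, and C:\Tools\zip.exe stays medium for lack of a matching file-creation event; the user's own launch of the binary via explorer.exe is not a finding because it never ran as SYSTEM. In production, feed the same logic from your EDR or SIEM export and tighten TRUSTED_ROOTS to the agent's actual install directory.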