Connect with us

Hi, what are you looking for?


Malware & Threats

Check Point VPN Attacks Involve Zero-Day Exploited Since April

The recently disclosed Check Point VPN attacks involve the zero-day vulnerability CVE-2024-24919, which allows hackers to obtain passwords.

VPN attack

Attempts by threat actors to gain initial access to enterprise networks through Check Point VPNs involved the exploitation of a zero-day vulnerability, and the attacks appear to have started one month ago.

Check Point warned customers earlier this week that it had become aware of “a small number” of attempts to remotely gain access to enterprise networks through logins that leveraged old VPN local accounts protected by password-only authentication. 

The cybersecurity firm initially released a hotfix to prevent password-only logins, but it did not mention the exploitation of a vulnerability.

However, further analysis showed that the attacks actually involved a previously unknown information disclosure vulnerability. Tracked as CVE-2024-24919, the zero-day allows hackers to obtain information on internet-connected network security gateways that have remote access VPN or mobile access enabled. 

CVE-2024-24919 has been found to impact Check Point Security Gateways with IPsec VPN, Remote Access VPN or the Mobile Access blade enabled. Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark products are affected

MDR and threat intelligence firm Mnemonic reported seeing attacks exploiting CVE-2024-24919 in its customers’ environments since April 30.

The company explained that the vulnerability allows threat actors to enumerate and extract password hashes for all local accounts. 

“The full extent of the consequences is still unknown. However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network,” Mnemonic said.

Advertisement. Scroll to continue reading.

“The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely,” the company warned.

Mnemonic noted that the attacks appear to be linked to activity it described earlier this month, which involved the misuse of Visual Studio Code for traffic tunneling. In those attacks, threat actors exploited CVE-2024-24919 to extract user information that was then used to move laterally in the compromised network.

Related: New ‘TunnelVision’ Technique Leaks Traffic From Any VPN System

Related: Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks

Related: Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights