PoC Published for Exploited Check Point VPN Vulnerability

PoC code targeting a recent Check Point VPN zero-day has been released as Censys identifies 14,000 internet-accessible appliances.

Proof-of-concept (PoC) code has been released for an actively exploited zero-day vulnerability affecting multiple Check Point Security Gateway iterations.

Disclosed on May 27 and tracked as CVE-2024-24919 (CVSS score of 8.6), the flaw is described as an arbitrary file read vulnerability in gateways that have the IPSec VPN or Mobile Access blades enabled.

According to Check Point, its CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security gateways, and Quantum Spark appliances are impacted.

“Exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges,” Check Point explains in an advisory.

The vulnerability can be exploited over the network without privileges and does not require user interaction, the company notes. If the VPN component is enabled on the gateway, no special conditions are required for successful exploitation.

The company has released hotfixes for the bug, urging customers to install them as an initial mitigation and to implement the additional protection measures described in its advisory, including resetting Gaia OS passwords for all local users and preventing password-only authentication.

As of May 31, Censys observed more than 13,800 Check Point Security Gateways accessible from the internet, but pointed out that not all of them might be vulnerable to CVE-2024-24919. PoC code targeting the flaw was made publicly available on May 30.

“This vulnerability could allow an unauthenticated remote attacker to read local files from the affected Security Gateway, including any exposed sensitive files such as password data, SSH keys, or other credentials,” Censys notes.

According to Check Point, while an initial assessment suggested that the zero-day might have been exploited for a month, further investigation revealed that the first exploitation attempts began roughly two months ago, on April 7.

Given the ongoing attacks, the triviality of exploitation, and the fact that multiple discontinued versions of Check Point’s gateways are vulnerable, organizations are advised to apply the recommended mitigations as soon as possible.

Check Point, which has provided indicators of compromise (IoCs) to help customers identify attack attempts, notes that instances with auto updates enabled should have already received the preventive measures.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
