
PoC Published for Exploited Check Point VPN Vulnerability

PoC code targeting a recent Check Point VPN zero-day has been released as Censys identifies 14,000 internet-accessible appliances.

Proof-of-concept (PoC) code has been released for an actively exploited zero-day vulnerability affecting multiple versions of Check Point Security Gateway.

Disclosed on May 27 and tracked as CVE-2024-24919 (CVSS score of 8.6), the vulnerability is described as an arbitrary file read in gateways that have the IPSec VPN or Mobile Access blades enabled.

According to Check Point, its CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security gateways, and Quantum Spark appliances are impacted.

“Exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges,” Check Point explains in an advisory.

The vulnerability can be exploited over the network without privileges and does not require user interaction, the company notes. If the VPN component is enabled on the gateway, no special conditions are required for successful exploitation.

The company has released hotfixes for the bug, urging customers to install them as an initial mitigation and to implement the additional protection measures described in its advisory, including resetting Gaia OS passwords for all local users and preventing password-only authentication.

As of May 31, Censys observed more than 13,800 Check Point Security Gateways accessible from the internet, but pointed out that not all of them might be vulnerable to CVE-2024-24919. PoC code targeting the flaw was made publicly available on May 30.

“This vulnerability could allow an unauthenticated remote attacker to read local files from the affected Security Gateway, including any exposed sensitive files such as password data, SSH keys, or other credentials,” Censys notes.


According to Check Point, while an initial assessment suggested that the zero-day might have been exploited for a month, further investigation revealed that the first exploitation attempts began roughly two months ago, on April 7.

Given the ongoing attacks, the triviality of exploitation, and the fact that multiple discontinued versions of Check Point’s gateways are vulnerable, organizations are advised to apply the recommended mitigations as soon as possible.

Check Point, which has provided indicators of compromise (IoCs) to help customers identify attack attempts, notes that instances with auto updates enabled should have already received the preventive measures.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
