Attacks Surge on Check Point's Recent VPN Zero-Day Flaw

One monitoring firm has detected exploitation attempts targeting CVE-2024-24919 from more than 780 unique IP addresses in the past week.

4 Min Read
 The letters VPN in red on a black background with country names listed
Source: Olivier Le Moal via Alamy Stock Photo

Exploit activity targeting a recent information disclosure flaw in Check Point's VPN technology has soared in recent days, heightening the need for organizations to address the flaw immediately.

The vulnerability, identified as CVE-2024-24919, affects software in multiple versions of Check Point's CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. All the affected products are Check Point security gateways with IPsec VPN functionality.

Dangerous Vulnerability

Check Point has warned of the vulnerability allowing attackers to access sensitive information in the security gateways that, in some instances, could allow them to move laterally on a compromised network and gain domain admin privileges. The security vendor disclosed the vulnerability May 28 — along with a hotfix for it — amid reports of active exploitation attempts. Check Point has identified the exploitation activity as having started in early April, nearly two months before disclosure.

In a report released this week, Internet traffic scanning firm Greynoise said it had detected rapidly increasing exploitation attempts targeting CVE-2024-24919 since May 31, or shortly after a proof-of-concept for the flaw became publicly available. According to Greynoise, initial attempts to target the vulnerability actually began a day earlier from a Taiwan-based IP address, but those involved a non-working exploit.

Large-Scale Exploitation Attempts

The first real exploit attempt originated from a New York-based IP address. By June 5, Greynoise detected as many as 782 IPs from around the world targeting the vulnerability. "With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible," Greynoise advised.

A Censys scan earlier this week identified some 13,754 Internet-exposed systems running at least one of the three software products that Check Point has identified as affected by CVE-2024-24919. Some 12,100 of the exposed hosts were Check Point Quantum Spark gateway devices, about 1,500 were Quantum Security Gateways and some 137 were Check Point CloudGuard appliances. More than 6,000 of the Internet-exposed hosts were located in Japan. Other countries with a relatively high concentration of exposed Check Point appliances included Italy (1,012), the US (917), and Israel (845).

At the time of Censys' scan, less than 2% of the Internet-exposed Check Point Quantum Spark gateways appeared to be running a patched version of the affected software.

Easy to Find and Exploit

Researchers at WatchTowr who analyzed the Check Point flaw have described it as not too difficult to find and "extremely easy to exploit." Check Point has assigned the flaw a severity rating of 8.6 out of 10 on the CVSS scale and described exploits targeting it as involving low complexity, no user interaction, and no special user privileges.

The US Cybersecurity and Information Security Agency (CISA) has added CVE-2024-24919 to its catalog of known exploited vulnerabilities. All federal civilian executive branch agencies have until June 20 to either apply Check Point's recommended mitigations for the flaw or to discontinue use of the affected products until they have fixed it. In the past, CISA and other organizations such as the FBI and the NSA have repeatedly warned about vulnerabilities in VPNs and other secure access technologies as presenting a high risk to organizations because of the extent to which attackers have targeted these flaws in recent years.

Check Point has recommended that affected organizations install its latest Jumbo Hotfix Accumulators to address the security vulnerability. Organizations that cannot immediately deploy the Jumbo Hotfix Accumulator — basically a package that contains fixes for multiple issues in multiple products — should install the security hotfix for CVE-2024-24919, Check Point noted.

Organizations should install the hotfix on any affected security gateway and cluster where the IPSec VPN Software Blade feature is enabled as part of the Remote Access VPN Community, or when the Mobile Access Software Blade feature is enabled, according to the security vendor.

"This is a critical vulnerability that's being actively exploited in the wild," Censys warned. However, there are a couple of mitigating factors as well, the company noted. For one thing, the vulnerability only affects gateways with certain configurations. Also, "successful exploitation does not necessarily mean full device compromise; other circumstances need to be in place, like the presence of exposed password files on your device's local filesystem."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights