Surge in Attacks on Check Point VPN Zero-Day Flaw: An Urgent Call for Immediate Action

June 6, 2024

The recent surge in exploit activity targeting a zero-day vulnerability in Check Point's VPN technology has underscored the urgency for organizations to address the flaw without delay. The vulnerability, labeled as CVE-2024-24919, affects software across a range of Check Point's products, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. All these products are Check Point security gateways with IPsec VPN functionality.

The flaw potentially allows attackers to access sensitive information within the security gateways, which in some cases could enable them to move laterally within a compromised network and acquire domain admin privileges. Check Point made the vulnerability public on May 28, providing a hotfix for it, following reports of active exploitation attempts. The company traced the start of the exploitation activity back to early April, almost two months before the disclosure.

Internet traffic scanning company Greynoise reported a rapid increase in exploitation attempts targeting CVE-2024-24919 since May 31, shortly after a proof-of-concept for the flaw was made public. Greynoise detected as many as 782 unique IP addresses from around the globe targeting the vulnerability by June 5. The company advised, "With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible."

A scan by Censys earlier the same week identified approximately 13,754 Internet-exposed hosts running at least one of three of the affected Check Point product lines. More than 6,000 of these Internet-exposed hosts were located in Japan, with other countries such as Italy, the US, and Israel also having a high concentration of exposed Check Point appliances. At the time of the scan, fewer than 2% of the Internet-exposed Check Point Quantum Spark gateways appeared to be running a patched version of the affected software.

The vulnerability has been rated 8.6 out of 10 on the CVSS scale by Check Point, indicating high severity. The company described exploits targeting it as involving low complexity, no user interaction, and no special user privileges. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-24919 to its Known Exploited Vulnerabilities catalog, mandating that all federal civilian executive branch agencies apply Check Point's recommended mitigations for the flaw by June 20 or discontinue use of the affected products until they are fixed.

Check Point has advised affected organizations to install its latest Jumbo Hotfix Accumulators to address the security vulnerability. Where immediate deployment of the Jumbo Hotfix Accumulator is not possible, organizations should install the dedicated security hotfix for CVE-2024-24919. The hotfix should be installed on any affected security gateway and cluster where the IPsec VPN Software Blade is enabled as part of the Remote Access VPN Community, or where the Mobile Access Software Blade is enabled. Censys warned, "This is a critical vulnerability that's being actively exploited in the wild." However, the company also noted that the vulnerability only affects gateways with certain configurations, and that successful exploitation does not necessarily mean full device compromise; other circumstances need to be in place, such as the presence of exposed password files on the device's local filesystem.
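The two configuration conditions Check Point gives above (IPsec VPN blade enabled and participating in the Remote Access VPN community, or Mobile Access blade enabled) are what decide whether a gateway needs the CVE-2024-24919 hotfix now. The following triage script is an added example, not Check Point tooling or code from this article: it applies those conditions to a gateway inventory, checks whether the hotfix is recorded as installed, and ranks unpatched, Internet-exposed gateways first. The JSON inventory, its field names, and the `Gateway` record are constructed for illustration; a real run would populate them from your own management-server export or asset database.

```python
"""Triage a Check Point gateway inventory for CVE-2024-24919 exposure.

Added example (not Check Point's code). Affected-configuration rule taken
from the advisory summary in the article:
  hotfix needed if (IPsec VPN blade AND Remote Access VPN community)
                 OR Mobile Access blade
The inventory JSON below and its field names are constructed for this
example; replace them with data from your own management export.
"""
import json
from dataclasses import dataclass

# Constructed sample inventory (hypothetical field names, not a Check Point export format).
SAMPLE_INVENTORY_JSON = """
[
  {"name": "gw-tokyo-edge",  "ipsec_vpn": true,  "remote_access_community": true,
   "mobile_access": false, "internet_exposed": true,  "cve_2024_24919_hotfix": false},
  {"name": "gw-milan-ra",    "ipsec_vpn": false, "remote_access_community": false,
   "mobile_access": true,  "internet_exposed": true,  "cve_2024_24919_hotfix": true},
  {"name": "gw-s2s-only",    "ipsec_vpn": true,  "remote_access_community": false,
   "mobile_access": false, "internet_exposed": true,  "cve_2024_24919_hotfix": false},
  {"name": "gw-lab-internal","ipsec_vpn": true,  "remote_access_community": true,
   "mobile_access": false, "internet_exposed": false, "cve_2024_24919_hotfix": false}
]
"""


@dataclass(frozen=True)
class Gateway:
    name: str
    ipsec_vpn: bool                # IPsec VPN Software Blade enabled
    remote_access_community: bool  # gateway is in the Remote Access VPN community
    mobile_access: bool            # Mobile Access Software Blade enabled
    internet_exposed: bool         # VPN portal reachable from the Internet
    hotfix_installed: bool         # CVE-2024-24919 hotfix or covering Jumbo applied


def load_inventory(raw_json: str) -> list[Gateway]:
    """Parse the constructed JSON export into Gateway records."""
    return [
        Gateway(
            name=item["name"],
            ipsec_vpn=bool(item["ipsec_vpn"]),
            remote_access_community=bool(item["remote_access_community"]),
            mobile_access=bool(item["mobile_access"]),
            internet_exposed=bool(item["internet_exposed"]),
            hotfix_installed=bool(item["cve_2024_24919_hotfix"]),
        )
        for item in json.loads(raw_json)
    ]


def has_affected_config(gw: Gateway) -> bool:
    """Check Point's stated condition for needing the hotfix."""
    return (gw.ipsec_vpn and gw.remote_access_community) or gw.mobile_access


def triage(gw: Gateway) -> str:
    """Classify one gateway.

    critical   - affected config, no hotfix, reachable from the Internet
    high       - affected config, no hotfix, internal only
    patched    - affected config, hotfix present
    not-affected-config - site-to-site only etc.; still take the Jumbo in due course
    """
    if not has_affected_config(gw):
        return "not-affected-config"
    if gw.hotfix_installed:
        return "patched"
    return "critical" if gw.internet_exposed else "high"


_ORDER = {"critical": 0, "high": 1, "patched": 2, "not-affected-config": 3}


def triage_report(gateways: list[Gateway]) -> list[tuple[str, str]]:
    """Return (name, status) pairs, most urgent first."""
    return sorted(((gw.name, triage(gw)) for gw in gateways),
                  key=lambda pair: (_ORDER[pair[1]], pair[0]))


if __name__ == "__main__":
    for name, status in triage_report(load_inventory(SAMPLE_INVENTORY_JSON)):
        print(f"{status:20s} {name}")
```

Gateways that come back as not-affected-config are outside the hotfix condition as stated, but the Jumbo Hotfix Accumulator that Check Point recommends should still be scheduled for them; the script deliberately keeps that bucket visible rather than dropping it. Note too that a patched result only means the hotfix is recorded as installed; it says nothing about whether the gateway was already probed during the window between early April and the May 28 disclosure.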
