Check Point, a leading cybersecurity vendor, has released emergency patches to address a critical zero-day vulnerability in its VPN products that threat actors have actively exploited.
The vulnerability, tracked as CVE-2024-24919, allows attackers to gain unauthorized access to sensitive information on internet-connected gateways with remote access VPN or mobile access enabled.
The vulnerability was first identified amid a surge in attacks targeting VPN devices. Check Point initially warned customers on May 27, 2024, about these attacks exploiting old VPN local accounts with weak, password-only authentication methods.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
The company later pinpointed the root cause as a zero-day flaw, CVE-2024-24919, which has been exploited since at least April 30, 2024.
Affected Products
The vulnerability impacts several Check Point products, including:
- CloudGuard Network
- Quantum Maestro
- Quantum Scalable Chassis
- Quantum Security Gateways
- Quantum Spark Appliances
The affected versions include R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20[4][5][7].
WatchTowr Labs stated that the vulnerability allows attackers to access specific information on compromised gateways, potentially enabling them to retrieve password hashes and other sensitive data.
This can enable lateral movement within the victim’s network, posing significant security risks. Notably, attackers have been observed extracting Active Directory data and using Visual Studio Code to tunnel malicious traffic.
Hotfix & Mitigations
Check Point has released hotfixes for the affected products, which can be applied through the Security Gateway portal. The process takes approximately 10 minutes and requires a reboot.
After installation, login attempts using weak credentials will be blocked and logged automatically.
For those unable to apply the hotfix immediately, Check Point recommends enhancing security by updating Active Directory passwords and using a remote access validation script available on their support site.
Additionally, administrators are advised to rotate passwords for LDAP connections and monitor logs for signs of compromise.
The exploitation of CVE-2024-24919 underscores the critical need for robust security practices and timely updates.
Customers are urged to apply the patches immediately and follow the recommended security measures to protect their networks from further attacks.
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.