Check Point has issued a warning regarding a critical zero-day vulnerability affecting its Network Security gateway products, which has already been exploited by cybercriminals in the wild. The vulnerability, designated as CVE-2024-24919 and carrying a CVSS score of 8.6, affects numerous products including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.
According to Check Point, the vulnerability potentially enables attackers to read sensitive information on gateways connected to the internet that have remote access VPN or mobile access enabled. This issue was flagged after Check Point observed malicious login attempts targeting its VPN devices, notably incidents involving outdated local accounts that rely on insecure password-only authentication methods. This trend has raised alarms, especially in light of the significant rise in attacks aimed at infiltrating corporate networks via VPN services.
Hotfixes have been released for various versions of Check Point’s products, making swift updates imperative for enterprises utilizing affected devices. The available fixes span several versions, including R81.20, R81.10, R81, and R80.40 for Quantum Security Gateway and CloudGuard Network Security, among others.
Concerns about these vulnerabilities come after Check Point identified a series of targeted attack attempts, with a pivotal notification on May 24, 2024, which revealed that specific exploitation efforts had been tied to a new zero-day that affects Security Gateways with IPSec and Remote Access VPN functionalities. Observations indicated that unauthorized actors were exploiting these vulnerabilities to extract credential data and further compromise connected enterprise networks.
Cybersecurity firm mnemonic has reported on exploitation attempts linked to CVE-2024-24919 since late April, emphasizing the severity of the issue. The vulnerability allows attackers to enumerate and retrieve password hashes for local accounts, including those connected to Active Directory. This capability poses a significant risk, especially as weak passwords can be leveraged to move laterally within a network once access is obtained.
An analysis conducted by Censys revealed that over 13,000 internet-facing devices are currently susceptible to this vulnerability, highlighting the widespread exploitation potential. Further examination by security researchers concluded that this vulnerability actually allows for path traversal, enabling access to sensitive files and potentially leading to more significant breaches.
As the situation unfolds, Check Point continues to investigate the attacks and their implications, noting that exploitation attempts began as early as April 7, 2024. The references to techniques aligned with the MITRE ATT&CK framework, such as initial access and lateral movement, underscore the tactics that may be utilized by attackers in these scenarios.
With the public release of proof-of-concept exploits for this vulnerability, the urgency for organizations to implement available patches cannot be overstated. The ongoing threat landscape emphasizes the need for businesses to enhance their cybersecurity measures, particularly in safeguarding network perimeter applications against increasingly sophisticated attacks.
