Rising Exploit Activity Targeting Check Point’s VPN Flaw: Urgent Action Required

Exploit activity targeting a recent information disclosure flaw in Check Point’s VPN technology has surged, prompting urgent action from organizations to address the vulnerability promptly. The vulnerability, labeled as CVE-2024-24919, impacts various versions of Check Point’s security gateways with IPsec VPN functionality, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.

Check Point has cautioned that this flaw could allow attackers to access sensitive information within security gateways, potentially enabling lateral movement within compromised networks and obtaining domain admin privileges. Despite Check Point releasing a hotfix for the vulnerability on May 28, active exploitation attempts have been reported since early April, nearly two months prior to disclosure.

Internet traffic scanning firm Greynoise has identified a significant uptick in exploitation attempts targeting CVE-2024-24919 since May 31, coinciding with the release of a public proof-of-concept for the flaw. By June 5, Greynoise detected 782 IPs worldwide attempting to exploit the vulnerability. Furthermore, a Censys scan revealed 13,754 internet-exposed systems running the affected software, with a large concentration in Japan.

Experts have categorized the Check Point flaw as easy to find and exploit, with a severity rating of 8.6 out of 10 on the CVSS scale. The US Cybersecurity and Information Security Agency (CISA) has included CVE-2024-24919 in its list of known exploited vulnerabilities, mandating federal agencies to apply mitigations by June 20. Check Point has advised affected organizations to deploy its latest Jumbo Hotfix Accumulators or the security hotfix specifically for the vulnerability. Failure to address this critical flaw could result in severe consequences for organizations utilizing Check Point’s affected products.