Vulnerability Analysis

Check Point VPN Zero-Day CVE-2024-24919: Information Disclosure Under Active Exploitation

A critical information disclosure vulnerability in Check Point VPN products allowed attackers to read sensitive files including password hashes, enabling lateral movement into enterprise networks.

James
Security Analyst

On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability (CVSS 8.6) affecting Check Point Security Gateways with IPSec VPN, Remote Access VPN, or Mobile Access Software Blades enabled. The vulnerability was already being actively exploited when disclosed, continuing the 2024 trend of zero-day attacks against network perimeter devices.

The Vulnerability

CVE-2024-24919 is a path traversal vulnerability that allows an unauthenticated remote attacker to read arbitrary files from the Check Point Security Gateway. The flaw exists in the way the gateway processes certain requests, allowing an attacker to traverse the file system and access files outside the intended directory.

The exploitation was trivial. An attacker could send a specially crafted HTTP request to the gateway and read the contents of sensitive files. The most targeted file was /etc/shadow, which contains hashed passwords for local accounts on the gateway, including the password hashes for VPN user accounts configured with password-based authentication.

With the password hashes in hand, attackers could attempt offline cracking. For accounts with weak passwords, this provided valid VPN credentials. For accounts using local authentication without MFA, these credentials were sufficient to establish a full VPN connection to the victim's network.

Exploitation Timeline and Scope

Check Point's advisory noted that they had observed exploitation attempts dating back to at least April 30, 2024, nearly a month before the public disclosure. The initial exploitation targets were predominantly organizations using legacy local accounts with password-only authentication for VPN access.

The watchTowr Labs research team published a detailed analysis of the vulnerability within days of the advisory, demonstrating how simple the exploitation was. The proof-of-concept showed that a single HTTP POST request to the Security Gateway could extract the contents of any readable file.

Censys scans identified approximately 13,800 Check Point Security Gateways exposed to the internet that were potentially vulnerable. While not all of these would have the vulnerable configuration (VPN blade enabled), the number represented a significant attack surface.

The Pattern Continues

CVE-2024-24919 was the latest in a series of critical vulnerabilities in VPN and gateway products in 2024:

  • January 2024: Ivanti Connect Secure CVE-2024-21887 and CVE-2023-46805
  • April 2024: Palo Alto PAN-OS CVE-2024-3400
  • May 2024: Check Point CVE-2024-24919

Each of these followed the same pattern: a zero-day vulnerability in an internet-facing VPN or gateway appliance, exploited by sophisticated threat actors before patches were available, providing initial access to victim networks.

The concentration of zero-day attacks on perimeter security devices in the first half of 2024 was striking. These devices are the most valuable targets for both espionage-motivated nation-state actors and financially motivated attackers because they combine internet exposure, authentication handling, and deep network access.

Remediation and Response

Check Point released hotfixes for affected products on May 28, the same day as the advisory. The fixes were available for:

  • Quantum Security Gateway and CloudGuard Network Security versions R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis
  • Quantum Spark Gateways versions R81.10.x, R80.20.x, R77.20.x

Beyond applying the hotfix, Check Point recommended that organizations:

  • Change the password of the Security Gateway's LDAP Account Unit
  • Reset passwords for all local VPN users
  • Review VPN logs for suspicious authentication events
  • Check for unauthorized VPN connections during the exploitation window

For organizations that were running a vulnerable configuration during the exploitation period, a thorough investigation was warranted. The ability to read arbitrary files from the gateway means that attackers could have accessed not just password hashes but also VPN configurations, certificate private keys, and other sensitive data stored on the device.

Defensive Lessons

The recurring theme across all of these VPN zero-days is that organizations need to move beyond password-only authentication for VPN access. Local accounts on VPN appliances with password-based authentication are the most targeted configuration. Multi-factor authentication, preferably using certificate-based or hardware token-based methods, significantly reduces the impact of credential theft.

Additionally, organizations should minimize the data stored on VPN appliances. Password hashes, certificate keys, and configuration files are all high-value targets. Where possible, delegate authentication to a centralized identity provider that the appliance queries in real time rather than storing credentials locally.

Network monitoring for unusual VPN connections remains essential. If an attacker gains valid credentials, the VPN connection itself may look legitimate. However, anomalies in connection timing, source geography, and internal access patterns can still provide detection opportunities.
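The log review the advisory recommends (suspicious authentication events and unauthorized connections during the exploitation window) and the anomaly signals named above can be combined into a simple triage script. This is an added example, not Check Point's tooling or the article's own code; the log line format, the business-hours range and the sample records are constructed assumptions, and the exploitation window is the April 30 to May 28, 2024 period the article describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample VPN login records (not a real Check Point log format):
# timestamp, user, auth method, source country, result.
SAMPLE_LOGS = """\
2024-04-10T09:14:02Z user=alice auth=local-password src_country=US result=success
2024-05-15T03:41:19Z user=alice auth=local-password src_country=RO result=success
2024-05-16T10:05:44Z user=bob auth=certificate src_country=US result=success
2024-05-20T23:58:01Z user=svc-backup auth=local-password src_country=US result=success
2024-06-03T08:30:12Z user=alice auth=local-password src_country=US result=success
"""
# Exploitation window from the advisory: attempts seen from April 30, 2024
# until the May 28, 2024 hotfix. The business-hours range is an assumption.
WINDOW_START = datetime(2024, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 28, 23, 59, 59, tzinfo=timezone.utc)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC
LINE_RE = re.compile(r"^(\S+) user=(\S+) auth=(\S+) src_country=(\S+) result=(\S+)$")

def parse(logs):
    events = []
    for m in (LINE_RE.match(l) for l in logs.splitlines()):
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append(dict(ts=ts, user=m.group(2), auth=m.group(3),
                               country=m.group(4), result=m.group(5)))
    return events

def flag_suspicious(logs, min_reasons=2):
    # Returns (user, timestamp, reasons) for successful in-window logins that
    # combine at least min_reasons of the indicators the article names.
    events = parse(logs)
    baseline = defaultdict(set)  # countries each user logged in from pre-window
    for e in events:
        if e["result"] == "success" and e["ts"] < WINDOW_START:
            baseline[e["user"]].add(e["country"])
    findings = []
    for e in events:
        if e["result"] != "success" or not WINDOW_START <= e["ts"] <= WINDOW_END:
            continue
        reasons = []
        if e["auth"] == "local-password":
            reasons.append("local password-only account")  # most targeted config
        if e["country"] not in baseline[e["user"]]:
            reasons.append("new source country " + e["country"])
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if len(reasons) >= min_reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings
```

Requiring two or more indicators keeps a single off-hours login from a known location out of the review queue while still surfacing a local-password account that appears from a new country at 03:41 during the window.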

How Safeguard.sh Helps

Safeguard.sh provides continuous vulnerability monitoring across your entire infrastructure, including network appliances that are often overlooked by application-focused security tools. When zero-days like CVE-2024-24919 are disclosed, Safeguard.sh maps the vulnerability against your deployed Check Point versions and alerts you to exposure. Our policy gates can enforce requirements like minimum firmware versions and patch compliance, ensuring that critical perimeter devices are maintained at current security levels. The ability to see your exposure instantly, rather than waiting for manual inventory checks, is critical when zero-days are being actively exploited.
