13,800+ Check Point Gateways Exposed: 0-Day CVE-2024-24919 Flaw Under Attack

Image: Censys (CVE-2024-24919 exploit)

Censys data reveals over 13,800 internet-exposed Check Point gateways that may be vulnerable to CVE-2024-24919, a zero-day arbitrary file read flaw in Check Point Security Gateways with the IPSec VPN or Mobile Access blades enabled. The significant majority of these are Quantum Spark Appliances aimed at small and medium-sized businesses.

While initially disclosed as an “information disclosure” issue, researchers have revealed that the flaw is far more severe – an arbitrary file read vulnerability that allows attackers to read any file on the affected system.

The vulnerability affects a wide range of Check Point products, including the popular Quantum and CloudGuard solutions, in versions dating back to 2020. Attackers have been observed exploiting the flaw since at least April 7th, 2024, primarily targeting systems with the Remote Access VPN or Mobile Access Software Blades enabled.

Worryingly, security firm Mnemonic has documented cases where attackers used the vulnerability to extract sensitive Active Directory credentials, potentially leading to widespread network compromise.

A proof-of-concept (PoC) for this vulnerability was publicly released on May 30, 2024, further increasing the risk of exploitation. The PoC demonstrates how easily attackers can leverage this flaw to compromise systems.

Image: Censys

As of May 31, 2024, Censys observed 13,802 internet hosts exposing either a CloudGuard Network Security instance, a Quantum Security gateway, or a Quantum Spark gateway. This breaks down as:

  • 141 (1.02%) CloudGuard Network Security instances
  • 1,063 (7.70%) Quantum Security gateways
  • 12,598 (91.28%) Quantum Spark gateways

The greatest concentration of these hosts is in Japan, with 6,202 hosts, followed by 1,004 hosts in Italy. Many of these hosts are part of the OCN (Open Computer Network) services operated by NTT Communications Corporation in Japan.

Check Point has released security updates to address CVE-2024-24919 for the following products:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

Users are strongly advised to check for affected products in their networks and apply the appropriate updates based on the steps outlined in the vendor advisory. It is crucial to note that only gateways with the Remote Access VPN or Mobile Access Software Blades enabled are affected by this vulnerability.