Check Point VPN zero-day exploited since beginning of April (CVE-2024-24919)
2024-05-31 11:27

Attackers have been exploiting CVE-2024-24919, a zero-day vulnerability in Check Point Security Gateways, to pinpoint and extract password hashes for local accounts, which they then used to move laterally in the target organizations' network.

The existence and in-the-wild exploitation of the flaw were revealed by Check Point on Tuesday, a day after they warned about discovered instances of attackers making login attempts "using old VPN local-accounts relying on unrecommended password-only authentication method."

According to Check Point, the vulnerability affected all Check Point Security Gateways that had either the Mobile Access Software Blade or the IPsec VPN Blade enabled.

Check Point says that "further investigation revealed that the first exploitation attempts started on April 7, 2024", and that they "are actively investigating further."

Check Point has released hotfixes for the various affected Secure Gateway appliances and has advised customers to implement them as soon as possible.

Mnemonic has shared a few IP addresses from which attackers performed reconnaissance and exploitation, and Check Point has a more extensive list.


News URL

https://www.helpnetsecurity.com/2024/05/31/cve-2024-24919/

Related Vulnerability

DATE: 2024-05-28
CVE: CVE-2024-24919
VULNERABILITY TITLE: Unspecified vulnerability in Checkpoint products
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades.
network / low complexity / checkpoint
RISK: 8.6