13,800+ Internet-Exposed Check Point Gateways Vulnerable To 0-Day Attacks: Poc Released

A critical zero-day vulnerability, CVE-2024-24919, has been discovered in Check Point Security Gateways, enabling the IPSec VPN or Mobile Access blades.

This vulnerability is actively exploited in the wild, posing a significant threat to organizations worldwide.


Vulnerability Details – CVE-2024-24919

CVE-2024-24919 is an arbitrary file read vulnerability that allows an unauthenticated remote attacker to read sensitive data from affected systems, such as password hashes.

This could enable lateral movement and complete network compromise under the right circumstances.

The vulnerability should be immediately remediated by applying Check Point’s released hotfixes and resetting local account credentials.

Censys observed over 13,800 internet-facing devices globally, exposing the affected software products.

Not all of these are necessarily vulnerable, but the number of exposed devices is concerning.

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

This exploit is particularly dangerous because it doesn’t require any user interaction or privileges, and Check Point is a widely used VPN and network appliance vendor.

Exposed Quantum Spark Gateway
Exposed Quantum Spark Gateway

Check Point’s Disclosure

On May 28, 2024, Check Point disclosed the arbitrary file read vulnerability tracked as CVE-2024-24919 in several of their Security Gateway products.

It’s currently awaiting analysis and a CVSS score from NVD. While Check Point’s security advisory describes this as an “information disclosure vulnerability,” researchers at watchtower discovered that it’s an arbitrary file read vulnerability, allowing a remote unauthorized attacker to read any file on the system.

The vulnerability affects the following Check Point products with the Remote Access VPN or Mobile Access Software Blades enabled:

  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances

Impacted versions include R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

Patch Availability

Check Point has released the following security updates to address this vulnerability:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x

Checking for the affected products in your networks and applying the appropriate updates based on the steps outlined in the vendor advisory is strongly recommended.

According to Check Point, this vulnerability affects only gateways with the Remote Access VPN or Mobile Access Software Blades enabled.

The greatest concentration of these hosts is in Japan, with 6,202 hosts running one of these products, followed by 1,004 hosts in Italy.

Given that the network with the highest concentration of hosts in Japan is OCN NTT Communications Corporation, these may belong to the OCN (Open Computer Network) services operated by NTT Communications Corporation in Japan.

Quantum Spark Gateway and Quantum Security Gateway are similar products for different audiences.

Spark is designed for small to medium businesses, focusing on ease of use, while Security is engineered for midsize to large enterprises and data centers, offering more advanced features.

Interestingly, Spark Gateways are exposed more than the other products—this could indicate that most of the affected organizations may be smaller commercial organizations.

This is a rapidly evolving situation. As we gather more information, we’ll provide further analyses in the upcoming week.

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.