A critical zero-day vulnerability, tracked as CVE-2024-24919, is being actively exploited in the wild, targeting Check Point Security Gateways. The flaw allows attackers to extract sensitive information from vulnerable devices, potentially leading to unauthorized network access and lateral movement within corporate environments. Cybersecurity researchers and Check Point have issued urgent warnings, advising administrators to apply security hotfixes immediately to mitigate the significant risk.
The vulnerability impacts Check Point products with the VPN or Mobile Access software blades enabled, a common configuration for organizations supporting remote work. The exploit allows unauthenticated attackers to read certain files on the gateway, creating a pathway to steal credentials and compromise the network perimeter.
Understanding the Impact of CVE-2024-24919
At its core, CVE-2024-24919 is a high-severity information disclosure vulnerability. Attackers are exploiting it to access files that contain sensitive data, most notably password hashes for local accounts configured on the gateway. By cracking these hashes, threat actors can obtain valid credentials for VPN access.
The primary attack vector focuses on legacy or misconfigured local accounts that rely solely on password authentication. Once an attacker gains a foothold on the VPN, they can:
- Establish a VPN connection that the gateway accepts as legitimate, because it is made with valid but stolen credentials.
- Pivot to other internal systems, escalating their privileges and access.
- Exfiltrate sensitive data or deploy further malware, such as ransomware.
The zero-day nature of this vulnerability means attackers were exploiting it before a patch was publicly available, leaving many organizations exposed. The simplicity of the exploit makes it a prime target for widespread scanning and automated attacks.
Active Exploitation and Essential Remediation Steps
Security firms began observing active exploitation attempts around May 26, 2024, with attackers scanning the internet for vulnerable Check Point gateways. Evidence suggests that threat actors were attempting to leverage the stolen credentials to log into the VPNs and explore compromised networks. This activity underscores the urgency for immediate action.
Check Point has released a hotfix to address CVE-2024-24919. All organizations using affected products must take the following steps:
- Apply the Security Hotfix: The most critical step is to install the hotfix provided by Check Point for your specific product version. This patch closes the information disclosure loophole exploited by attackers.
- Investigate for Compromise: Since the vulnerability was exploited as a zero-day, patching alone is not enough. Security teams must review logs for suspicious login attempts, connections from unusual IP addresses, and any other signs of unauthorized access dating back to late May 2024.
- Strengthen Authentication: Disable insecure local accounts that use password-only authentication. The best practice is to enforce multi-factor authentication (MFA) for all VPN users to provide an essential layer of security that would render stolen password hashes useless.
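The investigation and authentication-hardening steps above translate naturally into a log triage pass. The script below is an added example written for this article, not Check Point tooling or a Check Point log format: it parses a constructed, single-line-per-event VPN authentication log (fields `user`, `src`, `auth`, `result`, which are assumptions for illustration), ignores events before the May 26, 2024 review window, and flags successful password-only logins, successful logins from outside an expected address allowlist (also constructed), and bursts of rejected attempts from one source. The password-only hits double as the list of local accounts to disable or move to MFA.

```python
"""Post-CVE-2024-24919 VPN log triage.

Added example for this article, not Check Point's own tooling. The log
format is constructed for illustration, one event per line:
  <ISO-8601 timestamp> user=<name> src=<ipv4> auth=<password|password+mfa|certificate> result=<accept|reject>
Real gateway exports use different fields, so only parse_line() needs adapting.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# The article places the first observed exploitation around May 26, 2024,
# so events from that date onward are in scope for the review.
REVIEW_START = datetime(2024, 5, 26, tzinfo=timezone.utc)

# Constructed allowlist: address ranges from which remote-access logins are
# expected (known office or partner egress). Anything else counts as unusual.
EXPECTED_SOURCES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample log using RFC 5737 documentation addresses only.
SAMPLE_LOG = """\
2024-05-20T08:00:00+00:00 user=alice src=203.0.113.10 auth=password+mfa result=accept
2024-05-27T03:14:05+00:00 user=svc_backup src=192.0.2.45 auth=password result=accept
2024-05-27T03:15:00+00:00 user=alice src=203.0.113.10 auth=password+mfa result=accept
2024-05-27T03:16:00+00:00 user=bob src=192.0.2.45 auth=password result=reject
2024-05-27T03:16:02+00:00 user=carol src=192.0.2.45 auth=password result=reject
2024-05-27T03:16:04+00:00 user=dave src=192.0.2.45 auth=password result=reject
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    auth: str
    result: str


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log format into an Event."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Event(
        ts=datetime.fromisoformat(ts_text),
        user=fields["user"],
        src=fields["src"],
        auth=fields["auth"],
        result=fields["result"],
    )


def triage(lines, expected_sources=EXPECTED_SOURCES, reject_threshold=3):
    """Return findings an analyst should look at, each a dict with a 'kind':

    password_only_accept  - successful login that used only a password; with
                            hashes disclosed, these are the accounts a cracked
                            credential would unlock
    unusual_source_accept - successful login from outside the expected ranges
    failed_burst          - reject_threshold or more rejects from one source,
                            consistent with someone trying recovered passwords
    """
    findings = []
    rejects = Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.ts < REVIEW_START:
            continue  # before the exploitation window; not part of this review
        if ev.result == "reject":
            rejects[ev.src] += 1
            continue
        if ev.auth == "password":
            findings.append({"kind": "password_only_accept", "user": ev.user,
                             "src": ev.src, "ts": ev.ts.isoformat()})
        if not any(ip_address(ev.src) in net for net in expected_sources):
            findings.append({"kind": "unusual_source_accept", "user": ev.user,
                             "src": ev.src, "ts": ev.ts.isoformat()})
    for src, count in rejects.items():
        if count >= reject_threshold:
            findings.append({"kind": "failed_burst", "src": src, "count": count})
    return findings


def password_only_users(lines):
    """Accounts that authenticated with a password alone inside the review
    window: the first candidates to disable or move to MFA."""
    return sorted({f["user"] for f in triage(lines) if f["kind"] == "password_only_accept"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
    print("password-only accounts to remediate:", password_only_users(SAMPLE_LOG.splitlines()))
```

On the sample data the pre-window login and the MFA-backed login from an expected range produce nothing, while the service account's password-only login from an unexpected address yields two findings and the three rejects from that same address yield a burst finding. The thresholds and allowlist are deliberately parameters, since what counts as "unusual" depends on the organization.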
By taking these decisive actions, organizations can protect their network perimeter, prevent unauthorized access, and neutralize the threat posed by the active exploitation of CVE-2024-24919.