Note: This vulnerability remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
A critical zero-day vulnerability, tracked as CVE-2024-24919, has been discovered and patched in a number of Check Point products. Check Point has assigned it a CVSS score of 8.6, and it is being actively exploited in the wild, with proof-of-concept (POC) exploits available. It impacts Check Point Quantum Gateway and CloudGuard Network versions R81.20, R81.10, R81, R80.40, and Check Point Spark versions R81.10, R80.20.
Check Point's advisory states: “An information disclosure vulnerability exists in Check Point VPN. Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information.”
The Kroll Cyber Threat Intelligence (CTI) team assesses that this is an arbitrary file read and path traversal vulnerability that could allow an unauthenticated attacker to read any file on the appliance, including files that contain root credentials to the appliance, and therefore rates it CVSS 9.1, Critical. Kroll has observed cases where an unknown threat group leveraged this vulnerability to pivot to the internal network.
Kroll assesses that, due to the simplicity of the exploit, other threat groups will likely leverage this vulnerability. In 2024, ransomware groups have become very adept at leveraging vulnerabilities in edge networking appliances, especially VPN gateways, and therefore it is highly likely that these groups will quickly move to exploit this vulnerability en masse.
Our CTI team recommends following the guidance in the Check Point advisory to install the hotfix.