Check Point discovers vulnerability tied to VPN attacks

Check Point Software Technologies disclosed a zero-day vulnerability connected to recent attempted attacks against its VPN technology.

In a blog post earlier this week, Check Point warned that threat actors had targeted a "small number" of customers by attempting to log in to old VPN local accounts that had password-only authentication. The cybersecurity vendor advised customers against using password-only authentication for local accounts and issued a hotfix for its Security Gateway products to block such authentication for those accounts.

In an update to the blog post on Tuesday, Check Point said it discovered the root cause of the attempted logins: a zero-day vulnerability tracked as CVE-2024-24919. According to the update, the vulnerability "potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled."

The vulnerability affects Check Point products and tools including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark appliances. Check Point released hotfixes for the zero-day flaw and urged customers to apply the patches.

"The attempts we have seen so far, inline with what we alerted to our customers on May 27th, are focusing on remote access on old local accounts with unrecommended password-only authentication," Check Point said in a FAQ for CVE-2024-24919.

Check Point rated the severity of CVE-2024-24919 as high, though no CVSS score has been assigned to the vulnerability yet.

While the vulnerability has been exploited, it's unclear whether any of the attempted attacks resulted in threat actors gaining access to customers' VPNs or networks. Check Point's updated blog post and FAQ both cited "attempts" to gain unauthorized access, but did not indicate whether they were successful.

"As of now, we have not seen any other use of this vulnerability beyond a few customers, and the Check Point network was not affected by this incident," the FAQ said. "As our customers' security is our first priority, we will continue to investigate further, create rapid fixes to address any findings, and actively communicate any relevant updates."

VPNs, along with other edge or network boundary devices, have become popular targets for a variety of threat actors in recent years. With the shift to remote work during the COVID-19 pandemic, government agencies frequently warned that nation-state threat actors were exploiting known vulnerabilities in several VPN products to gain initial access to targeted organizations.

In addition, cybercriminal and ransomware groups have also focused on VPNs. Last year, for example, the Akira and LockBit ransomware gangs targeted Cisco VPNs that were not configured with MFA protection.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.