cbcvebase.
CVE-2024-24919
published 2024-05-28

Priority: P1, 94, high, 8.6 CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2024-06-20
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

Affected

12 ranges
Vendor | Product | Version range | Fixed in
checkpoint | cloudguard_network_security | |
checkpoint | cloudguard_network_security | |
checkpoint | cloudguard_network_security | |
checkpoint | cloudguard_network_security | |
checkpoint | quantum_security_gateway_firmware | |
checkpoint | quantum_security_gateway_firmware | |
checkpoint | quantum_security_gateway_firmware | |
checkpoint | quantum_security_gateway_firmware | |
checkpoint | quantum_spark_firmware | |
checkpoint | quantum_spark_firmware | |
checkpoint | quantum_spark_firmware | |
checkpoint | quantum_spark_firmware | |

Detection & IOCs (extracted from sources)

  • Exploit targets Check Point Security Gateways with IPSec VPN, Remote Access VPN, or Mobile Access software blade enabled — scan for unauthenticated arbitrary file read requests (e.g., targeting /etc/passwd) against these appliances.
  • As of July 2024, Pioneer Kitten (Fox Kitten / UNC757 / Parisite) threat actors were actively scanning for Check Point Security Gateways vulnerable to CVE-2024-24919 — correlate mass scan traffic against Check Point gateway IPs.
  • Pioneer Kitten actors use handles 'Br0k3r' and 'xplfinder' on cyber marketplaces to sell domain admin credentials obtained via CVE-2024-24919 exploitation — monitor underground forums for these handles selling Check Point-related access.
  • Qualys WAS QID 150947 can be used to detect CVE-2024-24919 on scanned applications by sending a crafted payload attempting to read /etc/passwd.
  • Pioneer Kitten is associated with the Iranian company 'Danesh Novin Sahand' — use this attribution marker when triaging threat actor infrastructure related to CVE-2024-24919 exploitation.
  • Exploitation requires the gateway to have IPSec VPN, Remote Access VPN, or Mobile Access software blade enabled — gateways without these blades are not affected.
  • In-the-wild exploitation has been focused specifically on devices configured with local accounts using password-only authentication — devices using certificate or MFA-based authentication present a reduced risk profile.
  • Exploitation also requires exposed password files to be present on the device — absence of readable credential files limits the practical impact.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck | | 8.6 | HIGH |
cisa | | 8.6 | HIGH |