CVE-2024-24919
Published: 2024-05-28
Priority: P1 · 94 · high
CVSS 3.1: 8.6 (AV:N AC:L PR:N UI:N S:C C:H I:N A:N)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2024-06-20
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
Affected
12 ranges (version details not extracted; one row per affected product)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| checkpoint | cloudguard_network_security | — | — |
| checkpoint | quantum_security_gateway_firmware | — | — |
| checkpoint | quantum_spark_firmware | — | — |
Detection & IOCs (extracted from sources)
- Exploit targets Check Point Security Gateways with the IPSec VPN, Remote Access VPN, or Mobile Access software blade enabled — scan for unauthenticated arbitrary file read requests (e.g., targeting /etc/passwd) against these appliances.
- As of July 2024, Pioneer Kitten (Fox Kitten / UNC757 / Parisite) threat actors were actively scanning for Check Point Security Gateways vulnerable to CVE-2024-24919 — correlate mass scan traffic against Check Point gateway IPs.
- Pioneer Kitten actors use the handles 'Br0k3r' and 'xplfinder' on cyber marketplaces to sell domain admin credentials obtained via CVE-2024-24919 exploitation — monitor underground forums for these handles selling Check Point-related access.
- Qualys WAS QID 150947 can be used to detect CVE-2024-24919 on scanned applications by sending a crafted payload that attempts to read /etc/passwd.
- Pioneer Kitten is associated with the Iranian company 'Danesh Novin Sahand' — use this attribution marker when triaging threat actor infrastructure related to CVE-2024-24919 exploitation.
- Exploitation requires the gateway to have the IPSec VPN, Remote Access VPN, or Mobile Access software blade enabled — gateways without these blades are not affected.
- In-the-wild exploitation has focused specifically on devices configured with local accounts using password-only authentication — devices using certificate- or MFA-based authentication present a reduced risk profile.
- Exploitation also requires exposed password files to be present on the device — absence of readable credential files limits the practical impact.
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck8.6HIGH
cisa8.6HIGH
CISA
Check Point Quantum Security Gateways Information Disclosure Vulnerability
cisa · 2024-05-30 · CVSS 8.6 · HIGH · CWE-200
Affected: Check Point Quantum Security Gateways
Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled. This issue affects several product lines from Check Point, including CloudGuard Network, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.checkpoint.com/results/sk/sk182336 ; https://nvd.nist.gov/vuln/detail/
VulnCheck
Check Point Quantum Security Gateways Information Disclosure Vulnerability
vulncheck · 2024 · CVSS 8.6 · HIGH · CWE-200
Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the internet, with IPSec VPN, Remote Access VPN or Mobile Access enabled. This issue affects several product lines from Check Point, including CloudGuard Network, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances.
Affected: Check Point Quantum Security Gateways
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.checkpoint.com/security/enhance
Suricata
ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arbitrary File Read Attempt (CVE-2024-24919)
suricata · 2024-05-30 · CVSS 8.6 · HIGH
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arbitrary File Read Attempt (CVE-2024-24919)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/clients/MyCRL"; fast_pattern; http.request_body; content:"CSHELL/"; reference:cve,2024-24919; reference:url,support.checkpoint.com/results/sk/sk182337; reference:url,labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919; classtype:attempted-recon; sid:2053031; rev:1; metadata:affected_product CheckPoint_Quantum, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_05_30, cve CVE_2024_24919, deployment Perimeter, deployment
Exploit-DB
Check Point Security Gateway - Information Disclosure (Unauthenticated)
exploitdb · 2024-05-31 · CVSS 8.6 · HIGH
---
# Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
# CVE : CVE-2024-24919
from requests import Request, Session
import sys
import json
def title():
print('''
_______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___
/ ____\ \ / / ____| |__ \ / _ \__ \| || | |__ \| || | / _ \/_ |/ _ \
| | \ \ / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
| | \ \/ / | __|______/ /| | | |/ /|__ _|______/ /|__ _
Nuclei
Check Point Quantum Gateway - Information Disclosure
nuclei · CVSS 8.6 · HIGH
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
Template:
id: CVE-2024-24919
info:
name: Check Point Quantum Gateway - Information Disclosure
author: johnk3r,s4e-io
severity: high
description: |
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
impact: |
Unauthenticated attackers can read arbitrary files on Check Point Securi
Metasploit
Check Point Security Gateway Arbitrary File Read
metasploit · CVSS 8.6 · HIGH
This module leverages an unauthenticated arbitrary root file read vulnerability for Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades are enabled on affected devices, traversal payloads can be used to read any files on the local file system. Password hashes read from disk may be cracked, potentially resulting in administrator-level access to the target device. This vulnerability is tracked as CVE-2024-24919.
Bleepingcomputer
CISA gives feds 3 days to patch Check Point VPN bug exploited as zero-day
blogs_bleepingcomputer · 2026-06-09 · CVSS 9.3 · CVE-2026-50751 · CRITICAL
## Sergiu Gatlan
CISA has ordered U.S. government agencies to secure their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability exploited in zero-day attacks by Qilin ransomware affiliates.
Unauthenticated remote attackers can exploit this security flaw (tracked as CVE-2026-50751) to bypass authentication and establish a remote access VPN connection on targeted Mobile Access/SSL VPNs, Remote Access VPNs, or Spark firewalls.
The vulnerability affects only instances configured to use the deprecated IKEv1 key exchange protocol, with security gateways that don't require a machine certificate for connections and accept legacy Remote Access clients.
Israeli cybersecurity com
Rapid7
Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
blogs_rapid7 · 2026-06-08 · CVSS 8.6 · CVE-2026-50751 · HIGH
## Overview
On June 8, 2026, Check Point published a security advisory for CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. The vulnerability affects deployments configured to use the deprecated IKEv1 key exchange protocol where gateways accept legacy Remote Access clients and do not require a machine certificate for connections.
CVE-2026-50751, classified as improper authentication (CWE-287), has a CVSS score of 9.3. The vulnerability stems from a logic flow weakness in how Remote Access and Mobile Access components validate certificates during IKEv1 key exchange; successful exploitation allows an unauthenticated attacker to establish a VPN session without providing valid credentials. P
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Checkpoint
24th February – Threat Intelligence Report
blogs_checkpoint·2025-02-24
CVE-2025-24989 24th February – Threat Intelligence Report
## 24th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research covers the recent ByBit hack, one of the largest thefts in digital asset history, its implications for crypto security, and security recommendations. In this event, hackers gained access to an offline Ethereum wallet and stole $1.5 billion worth of digital assets. The attack occurred during a routine
Bleepingcomputer
New NailaoLocker ransomware used against EU healthcare orgs
blogs_bleepingcomputer·2025-02-20·CVSS 8.6
CVE-2024-24919 [HIGH] New NailaoLocker ransomware used against EU healthcare orgs
## Bill Toulas
A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024.
The attacks exploited CVE-2024-24919, a Check Point Security Gateway vulnerability, to gain access to targeted networks and deploy the ShadowPad and PlugX malware, two families tightly associated with Chinese state-sponsored threat groups.
Orange Cyberdefense CERT links the attacks to Chinese cyber-espionage tactics, though there's not enough evidence to attribute them to specific groups.
## NailaoLocker details
Orange's researchers report that NailaoLocker is a relatively unsophisticated ransomware strain compared to the most prominent famil
Bleepingcomputer
Iranian hackers work with ransomware gangs to extort breached orgs
blogs_bleepingcomputer·2024-08-28·CVSS 8.6
[HIGH] Iranian hackers work with ransomware gangs to extort breached orgs
## Sergiu Gatlan
An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims.
The threat group (also tracked as Fox Kitten, UNC757, and Parisite) has been active since at least 2017 and is believed to have a suspected nexus to the Iranian government.
As CISA, the FBI, and the Defense Department's Cyber Crime Center warned today in a joint advisory, the attackers are monetizing their access to compromised organizations' networks by selling domain admin credentials and full domain control privileges on cyber marketplaces while using the 'Br0k3r' and,
Tenable
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
blogs_tenable·2024-08-28
Qualys
Cybersecurity Threat Landscape 2024 Midyear Review
blogs_qualys·2024-08-06
## Table of Contents
Key Takeaways from the Threat Landscape Report 2024
Vulnerability and Threat Analysis in the Cybersecurity Landscape 2024
Cyber Threat Landscape 2024: A Detailed Review
Key Statistics and Their Impact on the 2024 Cybersecurity Landscape
Mid-2024's Most Exploited Vulnerabilities in the Cybersecurity Landscape
Conclusion
As we navigate the complexities of 2024, it’s crucial to pause and reflect on the evolving threat landscape that surrounds us. This moment offers a unique opportunity to scrutinize our triumphs and missteps, understand the events that have decisively shaped our environment, and consider those that have subtly influenced it. By extracting key lessons from our recent experiences, we can fortify our strategies and prepare more effectively for the emerg
Qualys
Check Point Gateway Info Leak: CVE-2024-24919 Alert | Qualys
blogs_qualys·2024-06-07·CVSS 8.6
CVE-2024-24919 [HIGH] Check Point Gateway Info Leak: CVE-2024-24919 Alert | Qualys
#### Table of Contents
- Understanding the Vulnerability (CVE-2024-24919)
- Security Gateways Affected Versions with Vulnerability
- Impact of the Information Disclosure Vulnerability
- References
Check Point Security Gateway is a secure web gateway that is an on-premises or cloud-delivered network security service. Check Point enforces network security policies, including firewall, VPN, and intrusion prevention capabilities.
Check Point published a zero-day advisory on May 28, 2024, regarding CVE-2024-24919 with a CVSS score of 8.6. As per the advisory, the vulnerability results in attackers accessing sensitive information and gaining domain privileges.
The vulnerability impacts various products from Check Point like CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quan
Greynoiseio
What’s Going on With Check Point (CVE-2024-24919)?
blogs_greynoiseio·2024-06-04·CVSS 8.6
[HIGH] What’s Going on With Check Point (CVE-2024-24919)?
Checkpoint
3rd June – Threat Intelligence Report
blogs_checkpoint·2024-06-03
CVE-2024-24919 3rd June – Threat Intelligence Report
## 3rd June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 3rd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
ShinyHunters, a notorious cybercrime gang, offered for sale on a cybercrime forum data of Ticketmaster, a ticket sales and distribution company, and of Santander bank. The alleged breaches have resulted in the potential exposure of personal data belonging to millions of customers. Some assumptions claim that the actor gained access to Ti
Bleepingcomputer
CISA warns of actively exploited Linux privilege elevation flaw
blogs_bleepingcomputer·2024-05-31·CVSS 7.8
CVE-2024-1086 [HIGH] CISA warns of actively exploited Linux privilege elevation flaw
## Bill Toulas
The vulnerability is caused because the 'nft_verdict_init()' function allows positive values to be used as a drop error within the hook verdict, causing the 'nf_hook_slow()' function to execute a double free when NF_DROP is issued with a drop error that resembles NF_ACCEPT.
Exploitation of CVE-2024-1086 allows an attacker with local access to achieve privilege escalation on the target system, potentially gaining root-level access.
The issue was fixed via a commit submitted in January 2024, which rejects QUEUE/DROP verdict parameters, thus preventing exploitation.
The fix has been backported to multiple stable kernel versions as listed below:
v5.4.269 and later
v5.10.210 and later
v6.6.15 and later
v
Tenable
CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild
blogs_tenable·2024-05-29·CVSS 8.6
[HIGH] CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild
Bleepingcomputer
Check Point releases emergency fix for VPN zero-day exploited in attacks
blogs_bleepingcomputer·2024-05-29·CVSS 8.6
[HIGH] Check Point releases emergency fix for VPN zero-day exploited in attacks
## Bill Toulas
Check Point has released hotfixes for a VPN zero-day vulnerability exploited in attacks to gain remote access to firewalls and attempt to breach corporate networks.
On Monday, the company first warned about a spike in attacks targeting VPN devices, sharing recommendations on how admins can protect their devices. Later, it discovered the source of the problem, a zero-day flaw that hackers exploited against its customers.
Tracked as CVE-2024-24919, the high-severity information disclosure vulnerability enables attackers to read certain information on internet-exposed Check Point Security Gateways with Remote Access VPN or Mobile Access Software Blades enabled.
"The vulnerability potentially allow
Greynoiseio
Storm⚡️Watch
blogs_greynoiseio
Greynoiseio
NoiseLetter June 2024
blogs_greynoiseio
Recorded Future
RedNovember Targets Government, Defense, and Technology Organizations
blogs_recorded_future
# RedNovember Targets Government, Defense, and Technology Organizations
Note: The analysis cut-off date for this report was July 25, 2025
## Executive Summary
In July 2024, Insikt Group publicly reported on TAG-100, a threat activity group conducting suspected cyber-espionage activity targeting high-profile government, intergovernmental, and private sector organizations globally using the open-source, multi-platform Go backdoor Pantegana. At the time, we did not attribute this activity to a particular country; however, after reviewing all available evidence, we assess that TAG-100 is highly likely a Chinese state-sponsored threat activity group. Accordingly, Insikt Group now tracks this group under the designation RedNovember.
Between June 2024 and July 2025, RedNovember (which overlap
Timeline
2024-05-28: Published
2024-05-30: Added to CISA KEV
Exploited in the wild