Discover the impact of CVE-2024-24919, a Check Point VPN zero-day flaw, its exploitation methods, and detailed remediation steps to secure your network

Continue reading
On May 27, 2024, Check Point disclosed a high-severity zero-day vulnerability, CVE-2024-24919. This flaw affects Check Point's VPN devices, potentially allowing attackers to gain unauthorized access and read sensitive information.
This Threatfeed aims to analyze the underlying nuances of CVE-2024-24919, leveraging industry standards and best practices.
CVE-2024-24919 is an information disclosure vulnerability.
It affects Check Point Security Gateways with remote Access VPN or Mobile Access Software Blades enabled.
The flaw exists in multiple product versions including R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.
This vulnerability is classified as high severity. Exploiting CVE-2024-24919 allows attackers to read specific information on internet-exposed gateways.
The primary attack vector involves exploiting remote access scenarios with old local accounts that use weak, password-only authentication methods.
The vulnerability arises due to improper validation of user credentials in the remote access VPN component.
Specifically, the system fails to adequately secure old local accounts, allowing attackers to bypass authentication.

*Blocked Login Attempt*
Attackers exploit this flaw by targeting outdated local accounts configured with weak passwords.
These accounts are typically remnants from older configurations, which may not have been updated to comply with stronger authentication policies.
Check Point released hotfixes for the affected versions. The recommended versions to update are:
After installation, the system automatically blocks login attempts using weak credentials, creating a log entry for each attempt.
Check Point provides a script, `VPNcheck.sh`, for validating remote access configurations. This script helps identify and mitigate risks associated with weak authentication methods.
#!/bin/bash
# VPNcheck.sh - Check Point remote access validation script
# Define variables
GATEWAY_IP="192.168.1.1"
AD_USERNAME="admin"
AD_PASSWORD="new-strong-password"
# Check VPN status
vpn status
# Update AD password
ad_change_password -u $AD_USERNAME -p $AD_PASSWORD -g $GATEWAY_IP
# Review local accounts
local_accounts=$(cat /etc/passwd | grep /home)
echo "Local accounts: $local_accounts"
# Disable unused local accounts
for account in $local_accounts; do
usermod -L $account
echo "Disabled local account: $account"
done
echo "Remote access validation completed."For end-of-life (EOL) versions, hotfixes must be downloaded and applied manually. Check Point provides detailed instructions on their security bulletin.
chmod +x hotfix_installer.sh
./hotfix_installer.shRegularly audit user accounts and authentication methods. Ensure that all accounts comply with current security policies, particularly regarding password strength and multifactor authentication.
Implement network segmentation to limit the exposure of critical systems. Isolate VPN gateways from other network segments to contain potential breaches.
Enable comprehensive logging and monitoring to detect and respond to unauthorized access attempts. Configure alerts for suspicious login attempts and failed authentication events.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.