Thousands of internet-facing devices vulnerable to Check Point VPN zero-day
A vulnerability affecting virtual private networks (VPNs) made by the security company Check Point is causing alarm among experts and government agencies, with researchers finding thousands of exposed internet-facing devices globally.
Check Point released a fix for the bug on Monday but noted in an update on Friday that exploitation attempts began on April 7. The bug, CVE-2024-24919, allows hackers to access sensitive information on Check Point’s Security Gateway. In certain scenarios, hackers could move laterally and gain further network privileges, the company said.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the bug is being used in attacks, and researchers have seen a spike in exploitation attempts throughout the week.
The security company Censys said that as of Friday, it had observed 13,800 internet-facing devices globally exposing the affected software products, but noted that not all of these are necessarily vulnerable to the bug.
“This exploit is concerning because it doesn’t require any user interaction or privileges, and Check Point is a widely used VPN and network appliance vendor,” Censys researchers said.
“Perimeter network devices like VPNs are prime targets, as shown by the recent state-sponsored ArcaneDoor campaign, since they are internet-facing and can provide internal network access if compromised.”
Most of the exposed hosts are in Japan and Italy. Censys researchers explained that one of the affected products — Quantum Spark Gateway — is made for small and medium-sized businesses while the Quantum Security Gateway is designed for large companies and data centers. Check Point’s CloudGuard Network, Quantum Maestro and Quantum Scalable Chassis products are also affected.
More than 91% of the devices exposed to the internet are Quantum Spark Gateways, signaling that “most of the affected organizations may be smaller commercial organizations,” according to Censys.
Check Point said the exploitation attempts it has seen “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.”
The company said it is working with affected customers to resolve any exploitation. The bug’s CVSS severity score was raised from 7.5 to 8.6 on Thursday.
David Redekop, CEO of cybersecurity firm ADAMnetworks, said the kinds of products affected are widely used among organizations in banking and finance, making them a prime target for cybercriminals and for brokers who may sell access to others.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.