
Thousands of Internet-connected devices vulnerable to Check Point VPN zero-day attack

A virtual private network (VPN) vulnerability affecting products from security firm Check Point is causing concern among experts and government agencies, with researchers discovering thousands of exposed internet-connected devices around the world.

Check Point released a fix for the bug on Monday, but noted in an update on Friday that attempts to exploit the vulnerability began on April 7. CVE-2024-24919 allows attackers to access sensitive information in Check Point’s Security Gateway. The company says that in some scenarios, hackers can go on to gain further network privileges.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the bug was being exploited in attacks, and researchers observed a sharp increase in the number of attempts to exploit it over the course of the week.

Security firm Censys said as of Friday it had observed 13,800 internet-connected devices around the world running the affected software, but noted that not all of them may be vulnerable to the bug.

“This exploit is concerning because it does not require any user interaction or permissions, and Check Point is a widely used VPN and networking device provider,” Censys researchers said.

“Perimeter network devices such as VPNs are prime targets, as the recent state-sponsored ArcaneDoor campaign demonstrated, because they are connected to the Internet and can provide access to the internal network in the event of a security breach.”

Most exposed hosts are located in Japan and Italy. Censys researchers explained that one of the affected products, Quantum Spark Gateway, is aimed at small and medium-sized businesses, while Quantum Security Gateway is aimed at large businesses and data centers. The vulnerability also affects Check Point’s CloudGuard Network, Quantum Maestro and Quantum Scalable Chassis products.

According to Censys, more than 91% of the exposed Internet-connected devices are Quantum Spark Gateways, signaling that “the majority of impacted organizations may be smaller commercial organizations.”

Check Point said each of the exploit attempts it has observed “focus on remote access scenarios using old local accounts with not recommended password-only authentication.”

The company said it is working with affected customers to resolve any cases. On Thursday, the bug’s severity rating was raised from 7.5 to 8.6.

David Redekop, CEO of cybersecurity firm ADAMnetworks, said the affected products are widely used in banking and finance organizations, making them a prime target for cybercriminals and brokers who can sell access to others.
