Security researchers on Thursday warned that an exploited vulnerability affecting Check Point Software VPN customers is far more serious than previously disclosed. Exploitation began in late April, Mnemonic researchers said Friday in an updated blog post.
The vulnerability, listed as CVE-2024-24919, allows attackers to read information on internet-connected gateways with remote access VPN or mobile access enabled, according to Check Point.
However, researchers at Mnemonic warned the vulnerability allows a hacker to “enumerate and extract password hashes for all local accounts” including those accounts used to connect to Active Directory.
A threat actor can compromise user accounts with weak passwords, leading to further abuse and lateral movement within a network.
The vulnerability allows a threat actor to retrieve all files on a local file system, including password hashes for local accounts, SSH keys, certificates and other critical files, according to Mnemonic.
Researchers at WatchTowr published a deep analysis of what they characterize as a path-traversal vulnerability and, after exploiting it, gained access to every file on the system.
“This is much more powerful than the vendor advisory seems to imply,” WatchTowr researchers said in a Thursday blog post.
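The two defensive checks below illustrate the path-traversal class the researchers describe, from a defender's side: a server-side path guard that canonicalises a requested path and refuses anything that resolves outside the web root (including percent-encoded and symlinked escapes), and a scan over access-log lines that flags traversal sequences in requested URLs. This is an added example, not code from Check Point, Mnemonic or WatchTowr, and it says nothing about the product's own file layout or request format; the web root, file names and log lines are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sandbox: a throwaway web root with one file inside it and one
# file just outside it (stand-ins for the "critical files" a traversal reaches).
BASE = Path(tempfile.mkdtemp()) / "webroot"
BASE.mkdir()
(BASE / "index.html").write_text("ok")
(BASE.parent / "secret.txt").write_text("outside the web root")


def resolve_within(base: Path, requested: str):
    """Return the canonical path for `requested` if it stays under `base`, else None.

    Decodes percent-encoding twice (so %252e%252e does not slip through),
    resolves symlinks and '..' segments, then checks containment on the
    canonical result rather than on the raw string.
    """
    base_real = base.resolve()
    decoded = unquote(unquote(requested))
    # A leading slash would make the join absolute; keep it relative to base.
    candidate = (base_real / decoded.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        return None  # escaped the web root
    return candidate


# Traversal markers in raw or decoded form (assumed patterns, not vendor IoCs).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e)", re.IGNORECASE)


def flag_traversal_requests(log_lines):
    """Return (line_number, request_path) for log lines whose path carries
    traversal sequences, checking both the raw and the decoded path."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if not m:
            continue
        raw = m.group(1)
        if TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(unquote(unquote(raw))):
            hits.append((n, raw))
    return hits


# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/May/2024:10:00:02 +0000] "GET /files/../../secret.txt HTTP/1.1" 404 0',
    '198.51.100.7 - - [28/May/2024:10:00:03 +0000] "GET /files/%2e%2e%2fsecret.txt HTTP/1.1" 200 88',
    '198.51.100.7 - - [28/May/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("index.html ->", resolve_within(BASE, "index.html"))
    print("../secret.txt ->", resolve_within(BASE, "../secret.txt"))
    print("%2e%2e/secret.txt ->", resolve_within(BASE, "%2e%2e/secret.txt"))
    for n, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious request path {path}")
```

The important design point is that containment is decided on the resolved path, not by pattern-matching the input: a string filter alone misses encodings it did not anticipate, whereas `resolve()` followed by `relative_to()` rejects every path that lands outside the root, however it was spelled. The log scan is the complementary detection control; a successful read of a file outside the web root typically leaves exactly this kind of request line behind, which is why reviewing gateway logs for the period of observed exploitation is worthwhile alongside applying the hotfix.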
Censys data shows 108 internet-exposed CloudGuard Network Security instances, 1,021 Quantum Security Gateways and 12,321 Quantum Spark gateways.
The Cybersecurity and Infrastructure Security Agency added CVE-2024-24919 to its known exploited vulnerabilities catalog on Thursday.
Check Point first observed indications of threat activity as early as April 7, Gil Messing, the company’s chief of staff and head of global corporate communications, told Cybersecurity Dive.
The company remains confident the hotfix released earlier this week is the best way to mitigate the vulnerability, but considers the situation “very serious,” and urges all customers to apply the update.
Check Point also released mitigation steps and instructions to detect compromised environments.
Rapid7 researchers urge users to reset their local account credentials in addition to following the vendor’s recommended mitigations.
“This is a significant threat due to observed active exploitation taking place for the past several weeks, as well as the capacity of intruders to move laterally,” Christiaan Beek, senior director of threat analytics at Rapid7, said via email. “We also know that many companies either haven’t implemented or don’t properly enforce multifactor authentication, thereby adding to the urgency with which the vendor-supplied hotfixes should be applied.”