Check Point disclosed that its remote access VPN solutions had been targeted in ongoing attacks and later confirmed the activity was tied to CVE-2024-24919, a vulnerability affecting multiple Quantum Gateway product lines. The flaw can allow unauthorized reading of certain firewall device information when VPN or Mobile Access functionality is enabled, and early observed exploitation involved older local accounts that still used password-only authentication.
Check Point released a hotfix after updating its advisory, but external researchers said the issue was more severe than first described, that exploitation was relatively simple, and that a proof-of-concept had been published. Reporting indicated exploitation may have been underway since at least 30 April 2024, prompting urgent guidance for organizations to patch exposed devices immediately, review whether internet-facing systems had already been compromised, and follow Check Point validation and remediation guidance.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
By 2024-05-30, external researchers reported that CVE-2024-24919 was more serious and easier to exploit than initially indicated, and a proof-of-concept exploit was published. They also highlighted early exploitation involving old local accounts using password-only authentication.
On 2024-05-28, Check Point updated its advisory to confirm the vulnerability as CVE-2024-24919 and issued a hotfix for affected Quantum Gateway product lines. The flaw allows unauthorized reading of certain firewall device information when VPN or mobile access functionality is enabled.
On 2024-05-27, Check Point disclosed that its remote access VPN solutions had been targeted by attack attempts in recent months and initially advised customers to disable potentially exposed configurations.
Security research reported that exploitation activity targeting what was later identified as CVE-2024-24919 had been occurring since at least 2024-04-30 against internet-exposed Check Point remote access VPN devices.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
kyberturvallisuuskeskus.fi
Open sourcekyberturvallisuuskeskus.fi
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.