Check Point warns that hackers target local VPN accounts, patches flaw
Take action: If you are running any VPN products, review your local accounts and any users that authenticate with a password only. If possible, disable them or move them to stronger authentication. Apply the patch if you are using the relevant Check Point products.
Check Point Software Technologies is warning of attempts by malicious actors to hack a limited number of old VPN local accounts that utilize password-only authentication methods. This follows a series of high-profile attacks targeting remote access VPN environments across various organizations in the U.S. and other regions.
Check Point has observed attempts to breach its customers’ VPNs, identifying a small number of login attempts on May 24, 2024, using outdated VPN local accounts with password-only authentication. These attacks did not exploit a software vulnerability but instead leveraged weaker authentication methods.
Check Point recommended that organizations reassess their use of local accounts and disable unnecessary ones. It has also released a hotfix for an information disclosure vulnerability tracked as CVE-2024-24919 (CVSS score 8.6). The flaw is being actively exploited, and a proof-of-concept (PoC) exploit is available. It affects Check Point Quantum Gateway and CloudGuard Network versions R81.20, R81.10, R81, and R80.40, and Check Point Spark versions R81.10 and R80.20.
Check Point is assembling a specialized team comprising incident response, product, and technical service experts to address the issue and investigate further after detecting three global attempts on their devices.
Similar methods have been used to exploit vulnerabilities in VPN devices of vendors like Cisco and Ivanti.