Check Point VPN flaw is more severe than the vendor's initial assessment, researchers find
In a significant cybersecurity development, an information disclosure vulnerability (CVE-2024-24919) has been identified in Check Point Security Gateways that have the IPsec VPN (remote access) or Mobile Access Software Blade enabled. The flaw is a path traversal in the gateway's web-facing VPN components: an unauthenticated remote attacker can read arbitrary files from the gateway's file system. (Descriptions of this CVE as a local privilege escalation through a Trojan horse DLL loaded by TrGUI.exe are mistaken; that is a different, older Check Point client issue and has nothing to do with CVE-2024-24919.)
Exploitation attempts have been traced back to as early as April 7, with exploitation activity observed from late April, weeks before the vendor advisory was published. According to Christiaan Beek, senior director of threat analytics at Rapid7, the flaw is a significant threat because it is being actively exploited and because the credentials and keys it exposes give intruders the capacity to move laterally within networks.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-24919 to its Known Exploited Vulnerabilities (KEV) catalog, signalling the urgency with which it should be addressed. Researchers at watchTowr have stated that the vulnerability is more powerful than the vendor advisory suggests, potentially leading to extensive data breaches and network compromises.
After a deep analysis of the path-traversal bug, watchTowr researchers were able to read every file on the gateway. The vulnerability allows a threat actor to retrieve any file on the local file system, including the password hashes for local accounts (the contents of /etc/shadow), SSH keys, certificates and other critical files. Hashes can be cracked offline, and stolen keys and certificates can be used to authenticate to other systems, which is why an "information disclosure" bug translates directly into network compromise.
To mitigate this risk, Check Point released a security hotfix earlier this week, which is the recommended way to address the vulnerability. The company has also published mitigation steps and instructions for detecting compromised environments. Organisations running Check Point VPN infrastructure are urged to install the hotfix for their release without delay to minimise the window of exploitation.
In addition, keep up with the Jumbo Hotfix Accumulators that Check Point publishes for R81.20 and the other supported releases; later accumulator takes bundle the CVE-2024-24919 fix together with subsequent VPN security fixes, so a gateway that is current on its accumulator is also covered.
Furthermore, monitoring network and endpoint behaviour for anomalies (for example, requests to the gateway's web services containing directory-traversal sequences, and logins with local gateway accounts from unexpected sources) can surface exploit attempts early and allow them to be contained without disrupting business operations. Basic hygiene also reduces the attack surface: limit which networks can reach the gateway's VPN and management interfaces, and audit installed software versions so that unpatched gateways are not overlooked.
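As an added example that is not part of the original article and not Check Point's or watchTowr's code, the following Python script shows the kind of log check the paragraph above describes: it decodes and normalises each request path and body from web access logs, and flags requests that escape the web root or resolve to the file classes the researchers listed (local password hashes, SSH keys, certificates). The log format, the web root `/webroot`, the sample IP addresses and the request paths and payloads are all constructed for illustration; they are not the real endpoint or payload used against the gateway.

```python
"""Flag path-traversal reads of sensitive files in constructed gateway access logs."""
import posixpath
import re
from urllib.parse import unquote

# Assumed web root of the gateway's HTTP service (hypothetical; used only so that
# an escape above it is visible after normalisation).
WEB_ROOT = "/webroot"

# File classes the article says an arbitrary read would target: local password
# hashes, SSH keys and certificates. Patterns are applied to the normalised path.
SENSITIVE_PATTERNS = (
    re.compile(r"^/etc/(shadow|passwd)$"),
    re.compile(r"/\.ssh/"),
    re.compile(r"\.(pem|key|crt|p12)$"),
)

# Constructed log format: combined log with an extra trailing quoted field holding
# the request body, as some reverse proxies/WAFs can be configured to record.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(candidate):
    """Decode, unify separators and resolve '..' segments against WEB_ROOT."""
    decoded = fully_decode(candidate).replace("\\", "/")
    # normpath on an absolute path collapses '..' and never climbs above '/'.
    return posixpath.normpath(WEB_ROOT + "/" + decoded.lstrip("/"))


def classify(candidate):
    """Return (escapes_root, touches_sensitive_file, normalized_path)."""
    norm = normalize(candidate)
    escapes = norm != WEB_ROOT and not norm.startswith(WEB_ROOT + "/")
    sensitive = any(p.search(norm) for p in SENSITIVE_PATTERNS)
    return escapes, sensitive, norm


def scan_log(lines):
    """Return one finding per request field (path or body) that escapes the web
    root or resolves to a sensitive file. A 2xx status on such a request means
    the server most likely served the file, so it is marked likely_success."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignored in this example
        for field in ("path", "body"):
            value = m.group(field)
            if not value or value == "-":
                continue
            escapes, sensitive, norm = classify(value)
            if escapes or sensitive:
                findings.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "field": field,
                    "raw": value,
                    "target": norm,
                    "escapes_root": escapes,
                    "sensitive": sensitive,
                    "likely_success": m.group("status").startswith("2"),
                })
    return findings


# Constructed sample lines: documentation-range IPs, illustrative paths/payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-"',
    '198.51.100.7 - - [28/May/2024:10:15:09 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 0 "-"',
    '198.51.100.7 - - [28/May/2024:10:15:12 +0000] "POST /upload HTTP/1.1" 200 1384 "../../../../etc/shadow"',
    '198.51.100.7 - - [28/May/2024:10:15:20 +0000] "POST /upload HTTP/1.1" 200 2677 '
    '"%252e%252e%252f%252e%252e%252f%252e%252e%252fhome%252fadmin%252f.ssh%252fid_rsa"',
    '203.0.113.9 - - [28/May/2024:10:16:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['field']}={f['raw']!r} -> {f['target']} "
              f"success={f['likely_success']}")
```

Two design points matter in practice. First, the decoder loops because a single `unquote` misses double-encoded sequences such as `%252e%252e%252f`, which naive filters treat as harmless. Second, the check is made on the normalised absolute path rather than on the presence of `../`: a request like `/docs/../index.html` stays inside the web root and is not reported, while a request whose normalised target lands on `/etc/shadow` is reported even if the server answered 404, because the attempt itself is the signal that the gateway is being probed.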
It is also crucial, alongside the vendor's recommended mitigations, to reset the passwords of local accounts on affected gateways and to rotate any SSH keys and certificates that could have been read, since patching closes the hole but does not revoke what was already stolen. Accounts with weak passwords are the priority, as their leaked hashes are the quickest to crack; where possible, avoid password-only authentication for local accounts used for VPN access.
Censys data shows numerous internet-connected gateways that could be at risk, including CloudGuard Network Security instances, Quantum Security Gateways and Quantum Spark gateways. Organisations should therefore prioritise installing the hotfix for their release (or a later Jumbo Hotfix Accumulator take that includes it), combined with vigilant monitoring, to protect against active exploitation of this file-disclosure flaw.
Incidents such as this one reflect a growing interest among corporate stakeholders in understanding the security risks of their own technology infrastructure, typically framed as the question: are we a target? For an internet-exposed VPN gateway with a publicly known, actively exploited flaw, the answer is yes, and the only effective response is prompt patching and vigilance.
- CVE-2024-24919 is an information disclosure (arbitrary file read) vulnerability in Check Point Security Gateways with the IPsec VPN or Mobile Access blade enabled; CISA has added it to the KEV catalog, and watchTowr researchers have shown it can expose every file on the gateway, including password hashes, SSH keys and certificates.
- The flaw has been actively exploited since at least late April, with attempts traced back to April 7, so organisations running Check Point VPN infrastructure must install the vendor hotfix urgently and treat any credentials or keys on unpatched gateways as potentially compromised.
- The episode illustrates why stakeholders increasingly ask "are we a target?": an internet-facing gateway with a known, exploited flaw is a target by default, and the answer lies in prompt patching, credential and key rotation, and continued monitoring.