The exploitation of a recently disclosed zero-day vulnerability in Check Point VPN products has been ramping up fast, threat intelligence company GreyNoise reports.
The issue, tracked as CVE-2024-24919 (CVSS score of 8.6) and disclosed last week, could allow an attacker to access sensitive information on Check Point Security Gateways, or move laterally and obtain domain admin privileges.
Impacting multiple discontinued versions of Check Point’s gateways, the flaw has been exploited in the wild since at least April 7, and proof-of-concept (PoC) code targeting it was released over the weekend.
GreyNoise, which started tracking the bug shortly after Check Point’s public disclosure, says it observed the first exploitation attempts on May 30, but with non-working payloads.
Starting May 31, however, one day after watchTowr published technical details on the bug and PoC code, actual exploitation appeared in GreyNoise’s logs, and the activity has been ramping up ever since.
The vulnerability is a path traversal issue leading to arbitrary file read, allowing an attacker to read any file on the system, and the initial exploitation attempts that GreyNoise observed focused on fetching files containing usernames and passwords.
The initial payload, the threat intelligence firm says, was very similar to watchTowr’s PoC, but other attempts were observed shortly after, using various other payloads.
“Due to the nature of the vulnerability, it’s very hard to determine the actual intent of the attacker – all we know is which file they’re trying to fetch. Whether they’re using that to steal passwords or to test the vulnerability is hard to know,” GreyNoise explains.
To date, the cybersecurity firm’s systems have logged more than 10,000 exploitation attempts targeting CVE-2024-24919, with the most popular payload being used roughly 5,000 times, as of June 4.
GreyNoise data also shows that the exploitation attempts originated from 781 unique IP addresses, with a sharp uptick on June 2 and June 3, a small decrease on June 4, and a sudden drop on June 5.
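The vulnerability class described above (path traversal to arbitrary file read, with attackers aiming at credential files) and the kind of aggregation GreyNoise reports (attempt counts, unique source IPs, most popular payload) can be reproduced on a defender's own request logs. The following is an added example, not code from GreyNoise, watchTowr or Check Point: the log format, the `/vpn-endpoint` path and all IPs are constructed placeholders, not the real vulnerable URI or real attacker infrastructure.

```python
from collections import Counter
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines: source IP, date, requested path (not real logs).
SAMPLE_LOG = """\
203.0.113.10 2024-05-31 /vpn-endpoint/../../../../etc/shadow
203.0.113.10 2024-05-31 /vpn-endpoint/..%2f..%2f..%2f..%2fetc%2fpasswd
198.51.100.7 2024-06-02 /vpn-endpoint/%252e%252e/%252e%252e/etc/shadow
198.51.100.9 2024-06-02 /vpn-endpoint/static/logo.png
198.51.100.7 2024-06-03 /vpn-endpoint/../../../../etc/shadow
"""

# Local credential stores: a traversal that resolves here is the high-severity case.
CREDENTIAL_FILES = {"passwd", "shadow"}

def decode_path(raw: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %2f and double-encoded
    %252e variants are compared in the same form as a plain ../ payload."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")

def classify(raw_path: str) -> dict:
    """Flag a request whose decoded path climbs above the web root, and mark it
    as a credential read when the resolved target is a credential file."""
    decoded = decode_path(raw_path)
    # normpath keeps a leading ".." only if the path escapes its starting point.
    resolved = normpath(decoded.lstrip("/"))
    traversal = resolved.startswith("..")
    target = resolved.rsplit("/", 1)[-1]
    return {"decoded": decoded, "traversal": traversal,
            "credential_read": traversal and target in CREDENTIAL_FILES}

def summarize(log_text: str) -> dict:
    """Aggregate traversal hits: attempts, credential reads, unique IPs, top payload."""
    hits = []
    for line in log_text.splitlines():
        ip, _day, path = line.split(maxsplit=2)
        info = classify(path)
        if info["traversal"]:
            hits.append((ip, info["decoded"], info["credential_read"]))
    payloads = Counter(h[1] for h in hits)
    return {"attempts": len(hits),
            "credential_reads": sum(1 for h in hits if h[2]),
            "unique_ips": len({h[0] for h in hits}),
            "top_payload": payloads.most_common(1)[0] if payloads else None}
```

Run against real gateway or reverse-proxy logs, the same decode-then-normalize step is what keeps encoded variants of one payload from being counted as different ones.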
The drop in IP addresses exploiting CVE-2024-24919 is likely the result of more and more Check Point users deploying the preventive measures and hotfixes that the vendor has made available for roughly a week. Some of these prevention measures were automatically pushed through the AutoUpdater utility.
It is unclear how many Check Point Security Gateways do not run the hotfixes and are potentially exposed to attacks. Over the weekend, Censys warned that it was seeing roughly 14,000 gateways accessible from the internet, although it could not distinguish between vulnerable and non-vulnerable instances.
CVE-2024-24919 impacts Check Point’s CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. Users are advised to apply the available mitigations as soon as possible.