Skip to main content
root@rebel:~$ cd /news/threats/check-point-cve-2024-24919-cisa-warns-of-ransomware-exploitation_
[TIMESTAMP: 2026-06-09 09:16 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Check Point CVE-2024-24919: CISA Warns of Ransomware Exploitation

AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Ransomware groups are actively exploiting Check Point VPN gateways to steal credentials and gain full domain access.
  • [02] Impacted systems include Check Point Security Gateways with Remote Access VPN or Mobile Access software blades enabled.
  • [03] Administrators must immediately apply the vendor-provided hotfix and reset passwords for all local accounts on the gateway.

Overview of CVE-2024-24919 Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical information disclosure vulnerability in Check Point Security Gateways to its Known Exploited Vulnerabilities (KEV) catalog. According to BleepingComputer, federal agencies have been ordered to secure their deployments within three days after reports surfaced that the flaw was being weaponized as a Zero-Day by Ransomware affiliates.

The CVE identified as CVE-2024-24919 resides in the Remote Access VPN and Mobile Access Software Blades. If left unpatched, the vulnerability allows an unauthenticated remote attacker to read sensitive information on the gateway. This typically includes the /etc/shadow file, which contains hashed passwords for local accounts. For many organizations, the compromise of these credentials serves as the primary entry point for a wider network intrusion.

Technical Analysis: How Attackers Weaponize the Flaw

The exploit is particularly dangerous because it does not require user interaction or prior authentication. Threat actors are utilizing this flaw to bypass the perimeter and initiate Lateral Movement across the victim’s infrastructure. Security researchers have observed that TTP used in these attacks involve targeting local accounts that rely solely on password-only authentication.

Once the attacker gains access to the password hashes, they can use offline brute-force or dictionary attacks to recover the plain-text passwords. Because many administrative accounts on these gateways are local and may lack multi-factor authentication (MFA), they are prime targets. Once a local account with high privileges is compromised, the attacker can move to the Domain Controller or other critical assets to deploy a C2 framework or execute data exfiltration scripts.

Detecting Qilin Ransomware VPN Exploitation

Intelligence reports indicate that affiliates of the Qilin ransomware group have been specifically linked to the exploitation of this vulnerability. Organizations should prioritize detecting Qilin ransomware VPN exploitation by auditing their security gateway logs for unusual file access patterns, specifically attempts to read system configuration files. Monitoring for unauthorized logins originating from unexpected geographic locations or known malicious IP addresses is essential for any SOC tasked with defending these environments.

Mitigation and Response Strategies

Check Point has released a hotfix for all affected versions, including R80.40, R81, R81.10, and R81.20. It is important to note that merely applying the patch may not be sufficient if the gateway has already been compromised. Defenders must follow comprehensive Check Point CVE-2024-24919 mitigation steps to ensure the persistence of the threat actor is removed.

Check Point VPN Vulnerability Patch Guidance

To remediate the risk, security teams should execute the following actions immediately:

  • Apply Security Updates: Deploy the official Check Point hotfix to all Security Gateways with the affected blades enabled.
  • Credential Rotation: Reset the passwords for all local accounts on the gateway. This is a critical step because the attackers may have already harvested the hashes prior to the patch application.
  • Audit Authentication Methods: Disable password-only authentication for local accounts where possible. Transitioning to certificate-based authentication or integrating MFA significantly reduces the success rate of these exploits.
  • Inspect Gateway Logs: Search for historical evidence of exploitation. Check Point has provided specific indicators and commands for administrators to verify if the /etc/shadow file was accessed by an unauthorized entity.

Given that CISA has provided a strict three-day deadline for federal agencies, private sector organizations should treat this with the same level of urgency. This vulnerability represents a high-impact risk to any organization relying on Check Point for remote access security.

Advertisement