What are Check Point Quantum Security Gateways?
Check Point Quantum Security Gateways are enterprise network security appliances providing firewall, VPN, intrusion prevention, and threat prevention capabilities. They are deployed at network perimeters in enterprise, government, financial, and healthcare organizations worldwide. The Quantum product line includes physical and virtual appliances, with VPN functionality (IPSec VPN, Remote Access VPN, and Mobile Access) commonly used to provide secure remote access. Because they sit at the network boundary and broker all VPN connections, a compromised Check Point gateway gives an attacker a position from which to intercept traffic, harvest credentials, or pivot directly into the corporate network.
Overview
CVE-2024-24919 is an information disclosure vulnerability in Check Point Quantum Security Gateways that allows an unauthenticated remote attacker to read arbitrary files from the gateway — including sensitive configuration files and /etc/shadow password hashes. It affects gateways with IPSec VPN, Remote Access VPN, or Mobile Access enabled. Check Point issued an emergency hotfix on May 27, 2024; CISA added it to the KEV catalog just two days after CVE publication, confirming exploitation was already widespread. The vulnerability was used by ransomware operators and access brokers to gain initial footholds in victim networks.
Affected Versions
| Product | Status |
|---|---|
| CloudGuard Network | Apply hotfix per sk182336 |
| Quantum Scalable Chassis | Apply hotfix per sk182336 |
| Quantum Security Gateways | Apply hotfix per sk182336 |
| Quantum Spark Appliances (SMB) | Apply hotfix per sk182336 |
Refer to Check Point advisory sk182336 for version-specific patch instructions.
Technical Details
The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability exists in the gateway's VPN/Mobile Access portal — a web-facing component that handles remote access authentication. A flaw in the portal's request handling allows an attacker to read arbitrary files from the gateway's filesystem by sending a specially crafted request without authentication. The Scope Changed (S:C) rating in the CVSS vector indicates the read extends beyond the application's intended scope to OS-level files.
Critically, the gateway's /etc/shadow file contains NTLM or bcrypt hashes for local admin accounts. If the gateway is configured to authenticate VPN users against local accounts or stores Active Directory service account credentials, those password hashes can be extracted and cracked offline. An attacker who recovers valid VPN credentials can then authenticate legitimately to the VPN to access the corporate network — making this a complete initial access chain from unauthenticated file read to authenticated network entry.
Discovery
The vulnerability was discovered and disclosed by Check Point's security team in response to observed exploitation. The two-day turnaround from CVE publication to CISA KEV indicates exploitation began before public disclosure — likely discovered through Check Point's incident response engagements, where attackers had already used the vulnerability to breach customer networks.
Exploitation Context
Check Point gateway vulnerabilities are immediately weaponized by threat actors because VPN and firewall appliances represent direct paths into corporate networks and are always internet-facing. In this case, attackers extracted password hashes and cracked them to gain VPN credentials, then used those credentials for ransomware pre-positioning and lateral movement. The same gateway may also have been used to harvest existing VPN session tokens or active user credentials from memory.
The Known Ransomware Use entry in the Key Details table below reflects that ransomware groups (and access brokers who sell initial access to ransomware affiliates) exploited this vulnerability against enterprise targets both before and after the hotfix was available.
Remediation
- Apply the Check Point hotfix from advisory sk182336 immediately to all affected gateway models.
- If the gateway was internet-facing and unpatched for any period after May 27, 2024, assume compromise — rotate all local gateway admin passwords, VPN service account passwords, and Active Directory credentials stored on or accessible from the gateway.
- Review VPN authentication logs for unusual access patterns, new VPN connections from unexpected geographies, or access outside normal business hours.
- Audit which Active Directory service accounts or credentials are stored on or accessible to Check Point gateways; minimize credential exposure.
- Enable multi-factor authentication (MFA) for all VPN remote access connections — MFA prevents cracked password hashes from being immediately usable for VPN access.
- Restrict the gateway's web management and Mobile Access portal to trusted IP ranges rather than the public internet where possible.
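The log review step above is easiest to do consistently with a small script. The following is an added example, not Check Point's code or log format: it parses constructed VPN authentication records (timestamp, user, source IP, source country, result) and flags the three patterns the remediation list calls out, a successful login from an unexpected country, a successful login outside business hours, and a success that follows a burst of rejects for the same account (the pattern a cracked password being tried would leave). The field layout, the expected-country set, the business-hours window and the burst threshold are all assumptions to adjust for your environment; the country column assumes a GeoIP lookup has already been applied upstream.

```python
"""Triage VPN authentication records for the post-hotfix review.

Added example (not Check Point's log format). Each record is one line of
'|'-separated fields: ISO 8601 UTC timestamp, username, source IP,
source country (ISO 3166 code, assumed to be added by an upstream GeoIP
step), and result ('accept' or 'reject').
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample records for demonstration only.
SAMPLE_LOG = """\
2024-06-03T08:12:04Z|alice|203.0.113.10|US|accept
2024-06-03T09:40:11Z|bob|198.51.100.7|US|accept
2024-06-03T21:05:30Z|bob|198.51.100.7|US|accept
2024-06-04T02:14:02Z|svc-backup|192.0.2.44|RU|reject
2024-06-04T02:14:09Z|svc-backup|192.0.2.44|RU|reject
2024-06-04T02:14:15Z|svc-backup|192.0.2.44|RU|reject
2024-06-04T02:14:21Z|svc-backup|192.0.2.44|RU|accept
2024-06-04T10:02:55Z|alice|203.0.113.10|US|accept
"""

# Assumptions: tune these to the organisation being reviewed.
EXPECTED_COUNTRIES = {"US"}      # countries users normally connect from
BUSINESS_HOURS = range(8, 18)    # 08:00-17:59 UTC counts as normal hours
FAILURE_BURST = 3                # rejects needed before a success is flagged
BURST_WINDOW_SECONDS = 300       # rejects older than this are ignored

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    country: str
    accepted: bool


def parse_log(text: str) -> List[Event]:
    """Parse the '|'-separated records into Events, oldest first."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, country, result = line.split("|")
        when = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        events.append(Event(when, user, ip, country, result == "accept"))
    events.sort(key=lambda e: e.ts)
    return events


Finding = Tuple[str, str, str]  # (rule name, user, ISO timestamp of the accept)


def find_anomalies(events: List[Event]) -> List[Finding]:
    """Apply the three review rules to successful logins only.

    Rejects are not findings by themselves; they are remembered per user so a
    later success can be judged against the failures that preceded it.
    """
    findings: List[Finding] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if not ev.accepted:
            recent_failures[ev.user].append(ev.ts)
            continue
        stamp = ev.ts.strftime(TS_FORMAT)
        if ev.country not in EXPECTED_COUNTRIES:
            findings.append(("unexpected_geo", ev.user, stamp))
        if ev.ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", ev.user, stamp))
        # Count only the rejects that fall inside the burst window before this accept.
        in_window = [t for t in recent_failures[ev.user]
                     if (ev.ts - t).total_seconds() <= BURST_WINDOW_SECONDS]
        if len(in_window) >= FAILURE_BURST:
            findings.append(("success_after_failures", ev.user, stamp))
        recent_failures[ev.user].clear()  # a success resets the failure history
    return findings


if __name__ == "__main__":
    for rule, user, when in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when} {user:12} {rule}")
```

On the constructed sample the script reports bob's 21:05 login as off-hours and the svc-backup accept at 02:14:21 under all three rules, while alice's daytime logins from the expected country produce nothing. Treat the findings as a worklist for the credential rotation steps above, and feed the script the full retention period since May 27, 2024, not just recent days, since the hotfix date, not the review date, is the start of the exposure window.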
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-24919 |
| Vendor / Product | Check Point — Quantum Security Gateways |
| NVD Published | 2024-05-28 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-200 |
| CISA KEV Added | 2024-05-30 |
| CISA KEV Deadline | 2024-06-20 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-05-27 | Check Point publishes emergency security advisory sk182336 and hotfix |
| 2024-05-28 | CVE published |
| 2024-05-30 | Added to CISA Known Exploited Vulnerabilities catalog — 2 days after publication, confirming active exploitation |
| 2024-06-20 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Check Point Security Advisory — sk182336 | Vendor Advisory |
| NVD — CVE-2024-24919 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |