CVE-2024-24919

CVE-2024-24919 is a high-severity vulnerability in Checkpoint Quantum Spark Firmware with a CVSS 3.x base score of 8.6. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-05-30). The underlying weakness is classified as CWE-200.

Key facts

Description

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

CVE-2024-24919: Check Point VPN Remote Information Disclosure

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2024-24919
Published 2024-05-28
CWE CWE-200 (Information Exposure)
CVSS v3 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Severity HIGH
EPSS 0.99978 (99.8th percentile)
KEV Yes — added 2024-05-30
Assigner [email protected]

Summary

CVE-2024-24919 is a high-severity information disclosure vulnerability affecting Check Point Security Gateways configured with Remote Access VPN or Mobile Access Software Blades. An unauthenticated, network-facing attacker can leverage this flaw to read certain information from the affected gateway, exposing internal configuration or sensitive data without requiring credentials.

Background

Check Point Quantum Security Gateways, Quantum Spark appliances, and CloudGuard Network Security products provide enterprise-grade VPN and firewall capabilities. The Remote Access VPN and Mobile Access blades allow remote users to connect securely to corporate networks. In mid-2024, Check Point disclosed that these gateways, when internet-facing and configured with the relevant VPN blades, were susceptible to an information disclosure issue. The vulnerability rapidly gained attention due to its high CVSS score, trivial exploitability, and active exploitation in the wild.

Root Cause — CWE-200: Information Exposure

This flaw stems from an Information Exposure weakness (CWE-200). The affected gateway software exposes internal files or data paths through a network-accessible interface that lacks adequate access controls. The precise mechanism is a path traversal or unauthorized file-read condition within the VPN portal or mobile access handler. Because the vulnerable component sits on the network edge and accepts requests without authentication, an attacker can interact with it directly and extract sensitive artifacts — such as internal files, configuration snippets, or cryptographic material — that the application improperly reveals.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N paints a stark picture:

  • Attack Vector: Network — exploitable remotely over the internet.
  • Attack Complexity: Low — no special conditions or advanced techniques required.
  • Privileges Required: None — fully unauthenticated.
  • User Interaction: None — no victim action needed.
  • Scope: Changed — the vulnerable component can impact resources beyond its own security scope.
  • Confidentiality: High — sensitive information can be read.
  • Integrity / Availability: None — the vulnerability is read-only; it does not directly allow modification or service disruption.

The combination of trivial exploitability and high confidentiality impact makes this a critical exposure for any internet-facing Check Point VPN gateway.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: The following description is intended for defenders, threat hunters, and incident responders only. It is intentionally generic and does not provide weaponized exploit code.

Attackers typically identify vulnerable hosts through internet-wide scanning for exposed Check Point VPN login portals (commonly over HTTPS). Once a target is identified, the attacker sends a specially crafted HTTP request to a path or endpoint within the VPN portal that improperly handles file access. The response may contain internal files, configuration data, or certificate-related material. Because the attack is unauthenticated and stateless, it can be automated at scale, which explains the extraordinarily high EPSS score (0.99978) and the rapid addition to the CISA KEV catalog.

Affected and Patched Versions

Affected products and firmware versions (based on CPE data):

  • Check Point Quantum Security Gateway Firmware: R80.40, R81, R81.10, R81.20
  • Check Point Quantum Spark Firmware: R80.20, R80.40, R81, R81.10
  • Check Point CloudGuard Network Security: R80.40, R81, R81.10, R81.20

Note: Exact patched versions and JHF (Hotfix) levels are not available in the NVD feed. Refer to Check Point's official security advisory for specific fix details.

Remediation

  1. Apply vendor patches immediately. Check Point released a security fix; consult SK182336 for the latest Jumbo Hotfix Accumulator or dedicated hotfix.
  2. Restrict internet exposure. If the VPN gateway does not require public internet access, place it behind a firewall or restrict source IPs to trusted remote-user ranges.
  3. Enable multi-layer access controls. Use geo-blocking, certificate-based VPN enforcement, and MFA for all remote access sessions.
  4. Review and rotate credentials. If exploitation is suspected, rotate VPN certificates, shared secrets, and any credentials that may have been exposed.

Detection

  • Monitor inbound HTTP/HTTPS traffic to Check Point VPN portals for anomalous request patterns targeting internal paths or non-standard endpoints.
  • Review gateway logs for unexpected 200 OK responses to unusual URI paths immediately after VPN portal requests.
  • Correlate firewall and WAF alerts with threat-intelligence feeds indicating Check Point exploitation.
  • Hunt for post-exploitation behaviors such as subsequent credential-based access or lateral movement after VPN gateway compromise.

Assessment

With an EPSS of 0.99978 and placement in both the CISA KEV and EU Vulnerability Database as actively exploited since May 30, 2024, this vulnerability is not theoretical — it is a confirmed, in-the-wild threat. The low attack complexity and lack of required privileges make it a prime target for opportunistic and state-level actors alike.

Key lessons:

  1. Edge services are high-value targets. VPN concentrators and remote-access endpoints must be hardened as if they will be attacked daily — because they are.
  2. Timely patching is a control, not a suggestion. The gap between disclosure (May 28) and KEV listing (May 30) was two days, indicating exploitation was already occurring. Organizations with exposure windows measured in weeks or months face unacceptable risk.

References

Frequently asked questions

What is CVE-2024-24919?
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
How severe is CVE-2024-24919?
CVE-2024-24919 has a CVSS 3.x base score of 8.6, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2024-24919 being actively exploited?
Yes. CVE-2024-24919 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-05-30, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-24919?
CVE-2024-24919 primarily affects Checkpoint Quantum Spark Firmware. In total, 12 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-24919?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-24919 have an EU (EUVD) identifier?
Yes. CVE-2024-24919 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-22282. It is also flagged as exploited in the EUVD (since 2024-05-30).
When was CVE-2024-24919 published?
CVE-2024-24919 was published on 2024-05-28 and last updated on 2026-06-17.

References

Affected products (12)

Other CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities

Browse all CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities →