Attackers have been attempting to exploit the recently disclosed Check Point vulnerability (CVE-2024-24919) for more than a month, but many of those attempts have been unsuccessful, thanks to broken payloads or other issues. Recent days, however, have seen an uptick in working exploits in use from a variety of sources.
The vulnerability is a path traversal bug that affects several Check Point products, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways and Quantum Spark Appliances, and can allow an attacker to read arbitrary files on a target device. Check Point released an advisory with an update to address the bug last week, and research teams, as well as the Cybersecurity and Infrastructure Security Agency (CISA), have been urging affected organizations to apply it as soon as possible.
At the time of the initial disclosure, the majority of the exploit attempts that researchers had seen were not successful.
“Although we tagged this issue very quickly, we actually saw the first exploit attempt (attempt), with a non-working exploit, hitting Sift on May 30, 2024 - presumably somebody thought they’d figured it out and pushed the big ‘go’ button a bit too quickly,” Ron Bowes of GreyNoise said in an analysis of the exploit attempts.
“The word ‘attempts’ is doing a lot of work in that sentence because, from what we can tell, this payload doesn’t actually work.”
But that reprieve didn’t last long, as successful exploits began showing up by May 31 and have increased sharply in the last few days. GreyNoise’s data shows that nearly 800 individual IP addresses have been attempting to exploit the Check Point bug since June 2. There is a proof-of-concept exploit that’s publicly available, and while some attackers have used it, others are trying their luck with other exploits and ways to reach the vulnerability.
While early attacks were likely quite targeted, as most zero-day exploitation tends to be, that is certainly not the case any longer.
“Unfortunately, we didn’t directly observe the 0-day exploitation prior to the advisory being released; presumably, the attacks were targeted and didn’t hit our sensor network (although as we expand our new sensors and personas to real networks, we expect to start seeing this type of 0-day exploitation in Sift!),” Bowes said.