Check Point's Zero-Day Paradox: The Security Company That Couldn't Secure Itself

How the firm documenting 2025's 47% attack surge became a victim of its own research—and why CVE-2024-24919 reveals systemic firewall vendor failures

Executive Summary

In a stunning display of irony, Check Point Software—the cybersecurity vendor that publishes the industry's most comprehensive threat intelligence reports—suffered a critical zero-day vulnerability (CVE-2024-24919) in May 2024 that exposed 14,000 internet-facing Quantum Security Gateways to information disclosure attacks.

The timing couldn't be worse. Check Point's own 2025 threat intelligence reveals:

  • 47% increase in weekly cyberattacks per organization (Q1 2025 vs Q1 2024)
  • 126% surge in ransomware attacks globally
  • 2,289 ransomware incidents in Q1 2025 alone
  • 1,925 average attacks per organization per week
  • November 2025: 727 ransomware attacks (22% year-over-year increase)

Yet while Check Point researchers documented this unprecedented threat escalation, the company's own products became exploitation targets—with CVE-2024-24919 added to CISA's Known Exploited Vulnerabilities catalog just 3 days after disclosure, and exploitation beginning within 24 hours of the proof-of-concept release.

This creates a fundamental paradox: Can we trust firewall vendors to protect our infrastructure when they cannot secure their own products?

The answer matters more than ever, because Check Point's 2025 research shows we're facing:

  • Education sector: 4,656 weekly attacks (highest targeted)
  • Healthcare: 47% year-over-year increase (second most targeted)
  • Cl0p ransomware: Exploiting Oracle EBS zero-days in months-long campaign
  • Akira ransomware: Pivoting from Cisco to multi-vendor targeting
  • GenAI risks: 1 in 35 prompts leak sensitive data across 87% of organizations

This is Check Point's cautionary tale—and why the fourth firewall vendor in our series demonstrates that no vendor is immune to the very threats they profit from documenting.

CVE-2024-24919: The Zero-Day That Humbled Check Point

The Discovery and Disclosure Timeline

May 24, 2024: Check Point discovered suspicious login attempts on VPN clients targeting old local accounts with weak passwords where 2FA was not available. An incident response team was immediately created.

May 27, 2024: Check Point released a security advisory for CVE-2024-24919, acknowledging in-the-wild exploitation of its own products.

May 30, 2024:

  • watchTowr Labs published technical analysis with working proof-of-concept exploit
  • CISA added CVE-2024-24919 to KEV catalog—one of the fastest KEV additions ever (just 3 days after disclosure)
  • Federal agencies given deadline of June 20, 2024 to remediate
  • First mass exploitation attempts begin

May 31, 2024 9:40am UTC: GreyNoise sensors detect widespread exploitation using PoC code identical to watchTowr's public release—including the exact number of ../ path traversal sequences.

Early June 2024: "Ghost Clan Malaysia" hacktivist group shares vulnerable IP addresses of Check Point Security Gateways on underground forums, accelerating exploitation.

The Technical Vulnerability

CVE-2024-24919 (CVSS 8.6 - High)

  • Type: Information Disclosure via Path Traversal
  • Impact: Read arbitrary files on affected devices
  • Authentication Required: None
  • User Interaction: None
  • Attack Complexity: Low

The Exploit:

POST /clients/MyCRL HTTP/1.1
Host: <vulnerable_gateway>
Content-Length: 39

aCSHELL/../../../../../../../etc/passwd

This trivial request, reproducible with a single curl command, could retrieve:

  • /etc/passwd - All local user accounts
  • /etc/shadow - Password hashes
  • /etc/ssh/ - SSH private keys
  • Active Directory connection credentials
  • ntds.dit database - Complete AD user/group/password hash dump

watchTowr Labs successfully reverse-engineered the patch in under 2 days and discovered Check Point had significantly downplayed the severity. The vendor initially described it as reading "certain information" when it actually allowed reading any file on the system.

Affected Products (14,000+ Devices Exposed)

Products Vulnerable:

  • CloudGuard Network
  • Quantum Maestro
  • Quantum Scalable Chassis
  • Quantum Security Gateways
  • Quantum Spark Appliances

Versions Affected:

  • R80.20.x
  • R80.20SP (EOL)
  • R80.40 (EOL)
  • R81
  • R81.10
  • R81.10.x
  • R81.20

Configuration Requirements for Exploitation:

  • Internet-connected gateway
  • IPSec VPN, Remote Access VPN, or Mobile Access Software Blades enabled

Shodan Search Results: Approximately 32,000 Check Point instances exposed to the internet, with ~14,000 confirmed vulnerable based on version analysis.

Real-World Exploitation

Mnemonic Security observed attackers:

  1. Exploiting CVE-2024-24919 to enumerate local accounts
  2. Extracting password hashes for all accounts
  3. Specifically targeting the account used to connect to Active Directory
  4. Dumping ntds.dit from victim networks within 2-3 hours of initial access
  5. Using compromised credentials for lateral movement
  6. Misusing Visual Studio Code to tunnel malicious traffic through VPN

Attack Pattern:

Initial Access (CVE-2024-24919)
    ↓
Extract /etc/shadow hashes
    ↓
Crack weak passwords / use known defaults
    ↓
VPN authentication with compromised credentials
    ↓
Dump Active Directory (ntds.dit)
    ↓
Lateral Movement across entire domain
    ↓
Establish persistence / Deploy ransomware

The GreyNoise Analysis: Exploitation Timeline

GreyNoise's honeypot network captured fascinating exploitation patterns:

May 30, 2024 5pm UTC: First attempted exploits detected from Taiwan IP (125.229.221.55)

  • Payload: /clients/MyCRL/../../../..//etc/passwd
  • This payload doesn't actually work—someone pressed the button before testing
  • Same IP had been scanning for HNAP-enabled devices earlier that day

May 31, 2024 9:40am UTC: First working exploits from New York IP (45.88.91.78)

  • Payload: aCSHELL/../../../../../../../etc/shadow
  • Suspiciously identical to watchTowr's published PoC
  • This IP had previously been scanning for Cisco ASA appliances

Exploitation Ramped Rapidly:

  • Multiple scanning campaigns emerged within hours
  • Various path traversal variations tested
  • Difficult to determine attacker intent (which files were being targeted)
  • Exploitation became widespread within 48 hours of public PoC
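
As an added defender-side example (not code from the original post, GreyNoise or watchTowr), the following Python scans constructed web-access-style log lines for requests to /clients/MyCRL that carry path-traversal sequences, covering both the malformed first attempt and the working payload quoted above, plus a URL-encoded variant. The log layout and the " body=" suffix used to carry a logged request body are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real telemetry); assumed format with a logged body after " body=".
SAMPLE_LOGS = [
    '125.229.221.55 - - [30/May/2024:17:00:00 +0000] "GET /clients/MyCRL/../../../..//etc/passwd HTTP/1.1" 404 0',
    '45.88.91.78 - - [31/May/2024:09:40:00 +0000] "POST /clients/MyCRL HTTP/1.1" 200 1337 body=aCSHELL/../../../../../../../etc/shadow',
    '198.51.100.7 - - [31/May/2024:10:15:01 +0000] "POST /clients/MyCRL HTTP/1.1" 200 512 body=aCSHELL/..%252f..%252f..%252fetc%252fpasswd',
    '203.0.113.9 - - [31/May/2024:11:00:00 +0000] "GET /sslvpn/Login/Login HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
    r'(?: body=(?P<body>.*))?$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # one "../" or "..\" segment, checked after decoding

def normalize(value):
    """URL-decode until stable (catches double encoding), then unify slashes."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')

def analyze(line):
    """Return a finding for a traversal attempt against /clients/MyCRL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {'path': normalize(m['path']), 'body': normalize(m['body'] or '')}
    if not fields['path'].startswith('/clients/MyCRL'):
        return None
    hits = []
    for name, value in fields.items():
        if TRAVERSAL_RE.search(value):
            # Whatever follows the last traversal segment is the file being requested.
            hits.append((name, TRAVERSAL_RE.split(value)[-1].lstrip('/')))
    if not hits:
        return None
    # A 200 on a traversal request is the case to page on: a likely successful file read.
    return {'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
            'likely_success': m['status'] == '200', 'hits': hits}

def scan(lines):
    """Run analyze() over an iterable of log lines and keep only the findings."""
    return [f for f in map(analyze, lines) if f]
```

Feeding the gateway's actual access logs through scan() gives a quick retrospective check for the May 30-31 window, and the decoded target file tells you which secrets to assume compromised.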

GreyNoise Conclusion:

"Unfortunately, we didn't directly observe the 0-day exploitation prior to the advisory being released; presumably, the attacks were targeted and didn't hit our sensor network... With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible!"

Why This Matters: The Downplay Factor

Check Point's Initial Description (May 27):

"The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways..."

watchTowr Labs' Analysis (May 30):

Check Point was significantly downplaying the severity. This is actually a path traversal leading to arbitrary file read, allowing attackers to access any file on the appliance, not just "certain information."

Translation: Check Point tried to minimize public perception of the vulnerability's severity, likely to reduce exploitation velocity. This backfired when researchers published the real capabilities, accelerating weaponization.

March 2025: Check Point Breached Again - The CoreInjection Incident

Just when you thought the CVE-2024-24919 lesson was learned, Check Point was breached again—or more accurately, a December 2024 breach was exposed in March 2025 by threat actor "CoreInjection."
