They read one file off the VPN gateway and left with your whole Active Directory
CVE-2024-24919 is filed as 'information disclosure.' On a Check Point gateway that meant unauthenticated file read, which meant password hashes, which meant ntds.dit within hours. It was a zero-day for a month before disclosure, and patching it doesn't undo the theft.
The label on CVE-2024-24919 is “information disclosure,” CVSS 8.6, confidentiality impact only. That sounds like a leak you clean up. What it actually meant, on an internet-facing Check Point Quantum gateway with Remote Access VPN or Mobile Access enabled, was that an unauthenticated attacker could read arbitrary files off the device. Files like the local password hashes. Including the hash for the account the gateway uses to talk to Active Directory. The security firm mnemonic, which reported the in-the-wild exploitation, observed attackers going from that initial file read to extracting ntds.dit, the entire Active Directory database, from victims’ domain controllers within hours.
“Information disclosure” is accurate and useless as a severity guide. The thing being disclosed was the keys to the directory.
What the bug is
CVE-2024-24919 is a path traversal in the gateway’s /clients/MyCRL endpoint. The HTTP request handler used a faulty strstr-based check to validate the requested path, and that check could be bypassed with traversal sequences, letting an unauthenticated remote attacker read files outside the intended directory. The catalog and CVE classify it CWE-200, exposure of sensitive information, but the primitive is arbitrary file read on a security appliance that stores credentials, SSH keys, and configuration in readable files. It affects gateways with the IPSec VPN, Remote Access VPN, or Mobile Access blades enabled, across Quantum Security Gateway, Quantum Spark, Quantum Maestro and Scalable Chassis, and CloudGuard Network, on R80.40 through R81.20.
Check Point published the advisory and hotfixes on May 28, 2024, and CISA added it to the Known Exploited Vulnerabilities catalog on May 30 with a June 20 deadline. The detail that should reshape your timeline: mnemonic observed exploitation going back to April 30, 2024, roughly a month before the advisory existed. This was a zero-day, and underground forums were circulating lists of vulnerable gateway IPs, which is mass targeting, not a few precision strikes.
Why the patch is the easy part
Here’s the operational trap with a file-read bug on a credential store, and it’s the same trap that catches teams with every disclosure-class vulnerability on a sensitive device. Patching closes the hole. It does nothing about what already went out the hole. If your gateway was reachable and unpatched during the exposure window, and that window opened a month before anyone knew, you have to assume the readable secrets were read. The hotfix prevents the next read. It does not un-leak the hash an attacker pulled in May.
This is where “we patched it” becomes a dangerous half-measure. A team applies the hotfix, marks the KEV item closed, and moves on, while the credentials that were sitting in those files are still valid and still in someone else’s hands. For CVE-2024-24919 specifically, the documented attack chain was fast and went straight for the domain: read the gateway’s files, recover the AD service account, authenticate into Active Directory, pull ntds.dit. By the time you’re applying the patch, that sequence may already be days old.
What to do
Treat a CVE-2024-24919 exposure as a credential-compromise incident, not a patch ticket. The order matters.
- Patch first, to stop the bleeding. Apply Check Point’s hotfix for your platform (the relevant sk articles cover Quantum Gateway, Spark, Maestro, and Scalable Chassis). This closes the read primitive.
- Then rotate every credential the gateway could read. Local gateway account passwords, the service account used for AD integration, any SSH keys and certificates stored on the device. The AD service account is the priority, because that’s the pivot from “appliance” to “domain.”
- Assume AD compromise if you were exposed during the window. If your gateway was internet-reachable and unpatched between late April and your patch date, investigate Active Directory as potentially breached. Look for signs of ntds.dit extraction, unexpected domain replication, and new or modified privileged accounts. If you find evidence, this becomes a full AD compromise response, which at the extreme means a domain-wide credential reset including the krbtgt account.
- Tighten the gateway’s exposure going forward. Restrict the management and portal interfaces, limit which blades are enabled to what you actually use, and monitor for path-traversal patterns and unusual /clients/MyCRL requests in the gateway logs.
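The last step, hunting the gateway logs for traversal attempts against /clients/MyCRL, is the kind of check worth scripting so it can be run over the whole exposure window. The example below is added here and is not Check Point's code or tooling; the log line layout (timestamp, source IP, method, path, status) and the sample lines are constructed for illustration, so adapt the parser to whatever your gateway actually exports.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not Check Point's real log format):
# "<timestamp> <client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2024-05-02T03:14:07Z 203.0.113.10 POST /clients/MyCRL 200
2024-05-02T03:14:09Z 203.0.113.10 POST /clients/MyCRL/../../../../etc/passwd 200
2024-05-02T03:14:11Z 203.0.113.10 POST /clients/MyCRL/%2e%2e/%2e%2e/etc/passwd 200
2024-05-02T03:15:30Z 198.51.100.7 GET /clients/MyCRL 200
2024-05-02T03:16:02Z 192.0.2.44 GET /sslvpn/Login/Login 200
"""

# A bare ".." path component, after decoding and slash normalisation.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' does not slip past."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_suspicious(path: str) -> bool:
    """True for a /clients/MyCRL request carrying a traversal sequence."""
    decoded = fully_decode(path).replace("\\", "/")
    return decoded.startswith("/clients/MyCRL") and bool(TRAVERSAL.search(decoded))

def scan_log(text: str) -> list:
    """Return one record per suspicious request, preserving the raw path."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts, src, method, path, status = parts[:5]
        if is_suspicious(path):
            hits.append({"time": ts, "src": src, "path": path, "status": status})
    return hits

def hits_by_source(hits: list) -> Counter:
    """Count hits per source IP; a 200 on a traversal path is the worrying case."""
    return Counter(h["src"] for h in hits)
```

Any hit with a 200 status inside the exposure window is the trigger for the credential-rotation and AD-investigation steps above, not just a log entry to archive.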
The reframe
VPN gateways and firewalls keep ending up at the top of the exploited-vulnerability lists for one reason: they’re internet-facing by definition, and they hold the credentials and trust that let them broker access to everything behind them. On a device like that, “read-only” is not a comfort. A file-read bug on the box that stores your AD service account is functionally a credential-theft bug, and the severity that matters is not the CVSS confidentiality rating, it’s how fast an attacker can turn one readable file into domain admin. For CVE-2024-24919, the answer was hours.
So when a disclosure-class CVE lands on a perimeter device, resist the instinct to file it below the RCEs. Ask what’s readable, assume it was read, and rotate accordingly. We flag these the day they hit the catalog and say plainly when “information disclosure” is really “they have your credentials now,” because the gap between patching the device and rotating what it leaked is exactly where the breach keeps living.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2024-24919 — 2024-05-28
- Check Point sk182336: Preventative Hotfix for CVE-2024-24919 — 2024-05-28
- Rapid7: CVE-2024-24919 Check Point Security Gateway Information Disclosure — 2024-05-30
- Tenable: CVE-2024-24919 zero-day exploited in the wild — 2024-05-30
- CYFIRMA: Threat actors actively exploiting CVE-2024-24919 — 2024-06