- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
We now have fixes for CVE-2024-24919 for releases dating back to R77.30 with latest JHF.
The procedure to identify vulnerable Security Gateways in sk182336 - Hotfix for CVE-2024-24919 was updated.
The Gateways script was replaced with v3. The updated script checks if the Hotfix is installed.
Security Gateways that were configured to the Check Point's Auto Update process are gradually receiving an update (as of June 2, 2024), which helps protect them from various attempts to exploit the CVE. This is an interim preventative measure until the Hotfix is fully installed on customers’ Security Gateways. It is important to emphasize that installing the Hotfix in sk182336 is the best way to stay protected from this vulnerability.
This is relevant for gateways running R80.40 and above. Instructions to confirm this is enabled are in sk182336.
We now have a specific SK related to CVE-2024-24919 for Quantum Spark appliances! : sk182357
In addition to providing links to updated firmware, this SK lists the specific remediation steps that may be necessary on Quantum Spark Appliances, which includes:
In R81.10 we added a feature to improve VPN performance - named CCCD
This feature is disabled by default, and we know about few advanced customers who are using it.
Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!
YOU MUST DISABLE CCCD TO BECOME PROTECTED!
Instructions below and also on SK182336:
Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.
If the output differs, stop the CCCD process by running the vpn cccd disable command.
To streamline information flow and simplify actions for our customers and partners, we have consolidated all relevant details about CVE-2024-24919 and its remediation into a single SecureKnowledge article: sk182336.
Please revisit it now, as we have added some updates.
To remain protected from CVE-2024-24919, it is mandatory install this on Check Point Quantum and Spark gateways following fix.
In addition, you should take the following extra security measures, which are documented in sk182336:
Yesterday (May 27th) we delivered a solution that addresses attacks we saw on a small number of customers’ VPN remote access networks.
Today we found the root cause for these attacks and are now releasing a fix. To remain protected, it is mandatory install this on Check Point Quantum and Spark gateways following fix.
The vulnerability we found (CVE-2024-24919) affects Security Gateways with remote access VPN or mobile access blade enabled. It is potentially allowing an attacker to read certain information on Gateways once connected to the internet and enabled with remote access VPN or mobile access.
The fix we developed prevents the use of this vulnerability, once deployed on the relevant Gateways. Install this now to stay protected.
The attempts we’ve seen so far, inline with what we alerted you yesterday, are focusing on remote access on old local accounts with unrecommended password-only authentication within the known small customers we referred to yesterday. Check Point’s network is not affected by this.
More information on today’s notification can be found here.
Customer security is our top priority. We will continue to investigate this issue and provide additional updates.
For additional information, please contact Check Point Support Center or your Check Point representative.
Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises.
Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets.
We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers.
By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.
We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts. Relying on these customers notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.
Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure.
Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts.
We encourage our customers to enhance their VPN security posture by:
Learn more and receive practical guidance for configuration monitoring and practices to enhance your VPN security posture.
For any additional assistance required, please contact Check Point technical support Center or your local Check Point representative.
We value the collaboration of our customers and dedication of our teams to reach a solution which effectively addresses any such attempts.
I have created an oneliner so that you can test whether your gateway is vulnerable or not.
ONELINER - Check CVE-2024-24919 Vulnerability  
We've installed the hotfix but there is another recommended one available "R81.20 Take 53 Security hardening for Remote Access VPN users". I can't find what this one does?
Hi, the hardening update, is discussed here on the 27th May update: https://support.checkpoint.com/results/sk/sk182337 :
Yes, Check Point has released a Preventative measure tool that blocks local accounts from authenticating with a password, delivered in the form of a hotfix to be installed on the Security Gateway.
Upon installation, password-only authentication methods for local accounts will prevent them from logging into Remote Access VPN
Hi @flachance If you deployed the HF marked by the arrow, you should be good.
One from May 27 is to disable password-only VPN access, and it was released before the CVE was fully analyzed. If you do not have any RAS VPN users with a static password, you don't need it. If you do have those users, you want to move them to MFA. If you cannot, and you suspect some of their credentials can become compromised, you can deploy the HF in question to cut off their access completely.
Hello,
I have installed the hotfix on all gateways, which have different jumbo hotfix.
I have run the script to check if my devices are vulnerable, and it showed on all domains, gateways are still vulnerable.
This is the ouput from a gateway where Jumbo hotfix 26 is installed on R81.20:
Display name Status
R81.20 Take 26 Hotfix for CVE-2024-24919 Installed
R81.20 Take 41 Hotfix for CVE-2024-24919 Installed as part of
R81.20 Take 53 Hotfix for CVE-2024-24919 Available for Download
R81.20 Take 54 Hotfix for CVE-2024-24919 Available for Download
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Recommended Jumbo Take 26 Installed
R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 53 Available for Download
R81.20 Jumbo Hotfix Accumulator Take 54 Available for Download
R81.20 Take 53 Security hardening for Remote Access VPN users Downloaded
** ************************************************************************* **
** Blink Images **
** ************************************************************************* **
Display name Status
<b>R81.20 Security Gateway + JHF T26 for Appliances and Open Servers</b> Installed
On other gateways where the jumbo hotfix 41 or 53 is installed, I applied the related hotfix.
What is it wrong, the hotfix installation (on this case via central deployment) or the script ?
Hi,
I have a GW R81.20 with JHF 53 installed and patched, but device is still vulnerable 😞
Checked with simple curl , from outside and inside networks.
Remove the CVE patch and applied it again, but still vulnerable.
Are there any issue with CVE patch for R81.20?
Hello,
How to check if you are still vulnerabile with curl ?
The script will not detect that the hotfix is installed and your system is patched, it will only inform you that it needs to be installed.
From sk182336:
Could someone please verify if I still require to install the patch in this situation?
Script does not work for this setup sadly 😞
All users have this authentication form
All users have this form of authentication. There are no users with ''password''.
Output from the 'legacy option''
This is the output of the button 'settings' in Allow older clients to connect to this gateway.
If remote access is enabled (like in your case) you should always install the fix that removes the information disclosure issue. If you have LDAP AU defined, you should also recycle those credentials.
If you use VPN/Remote Access, install the patch from sk182336.
This is the case regardless of how the user authenticates or where the password is stored (e.g. in RADIUS).
You should also rotate any relevant LDAP credentials (as noted in sk182336).
Not sure if this makes sense, but I would say maybe change password to something super strong, should suffice.
Andy
That's what sk182336 says to do (rotate the LDAP credentials used).
Thanks for the reply. I still don't fully understand, I have read both SK's again and I can read them in 2 different ways.
If I see this for example:
Analyze the script results.
Do this step if the above script results in "ALERT: the script identified Local Accounts with Password Authentication method." message.
The update is delivered as a Security Gateway Hotfix to enhance the overall security of the product by blocking local accounts that use Check Point password as the only authentication factor.
You would assume if the scripts gives a green light you will not need to install the fix.
"This Hotfix adds to the Security Gateway  a new command blockSFAInternalUsers that allows to block or grant access to internal users with password-only authentication."
Why would I need a hotfix if I do not have users with password-only auth? Or is this hotfix used to not only solve this but more?
"The vulnerability potentially allows an attacker to access information on Gateways connected to the Internet"
So it could happen a LDAP account password has been stolen. Even if I have no local users with only static password (so only MFA) and the scripts points out it is all good?
I will test this in my lab first, I would not feel comfortable asking anyone yet to install the fix, specially based on a feedback so far.
Best,
Andy
The vpnpatch script refers to finding locally defined users with a locally defined passwords.
The patch referred to by that script is specific to disabling locally defined users with locally defined passwords.
It does not mitigate the need to patch for CVE-2024-24919, which is separate from, but related to, the above.
Thank you the the reply.
So to summaries, the patch(hotfix) stated in both SK's will make sure you cannot use locally defined users with password. But also will solve/fix an different issue related to CVE-2024-24919? So even if all my local users are all correctly configured I still need to patch in order to prevent that data get's stolen from the gateway itself? (in the example the LDAP account unit password was listed).
The patches are related but different:
Ah I am getting it now!
So 2 patches
1 for vpn: Remote Access VPN disable local account with only password (NoMFA)
and 1 patch for CVE-2024-24919
If all my users are good (also stated in test script and with MFA) , I would only need the patch for the CVE?
And CVE-2024-24919 is related the info could be stolen from the gateway (like LDAP account unit details).
Thanks a lot!
Thanks for confirming @Lesley
I'm assuming I only need to install the Hotfix circled in red (dated 28-May-2024), and not the previous Hotfix circled in Blue (dated 27-May-2024):
Please confirm this is correct.
Yes, the once circled in red.
Hi All,
If, when runnung the script, you get the following error message:
"Failed to get participating GWs and user-groups"
a solution may be (at least was for me) to modify line 81 of the 'VPNcheck.sh' (v3) script
From:
command = "show-vpn-community-remote-access details-level full"
To:
command = "show-vpn-community-remote-access"
I.e. remove "details-level full"
This let me run the script showing right results.
I hope this will be helpful for somebody.
Cheers
Hi Tomas, 
My name is Itai, I'm a manager in Check Point R&D. 
I will be glad to review the failure (with details-level full), will you kindly share the logs with me so I'll be able to look into it?
I will email you with more details. 
Thank you
Itai
Following install of the hotfix, we're seeing SAML authentication fail, where the callback/post from the IdP gets a 500 response from the gateway/cluster.
So we're rolling the hotfix back for the moment, and will probably chase up with TAC during office hours tomorrow.
Edit: May not be the hotfix that was the cause... merely an unfortunate coincidence with time drifting (due to bogus ntp config) just over 5 mins from the IdP time at the same time as the hotfix was applied (assume I put a 'facepalm' emoji in here, can't find it in the picker)
Hi,
Just checked with a customer that has 10 SAML RAS gateways running. All running R81.10 T139. No issues.
The 500 error could be due too a cert change in Azure. It is possible the IDP metadata object needs to be updated after the cert has been rotated.
Erling
Hi, it may be a silly question but does 81.10 Take 139 cover CVE-2024-24919 or do we need to use Take 141?
We have hotfixes available on top of both versions Take 139 and Take 141.
So if you're using Take 139 (which is recommended Jumbo take for R81.10) you need to install the hotfix on top of this version.
Customers using latest Take 141 version should install hotfix which is available on top of Take 141.
To help you following best practices moving away from local users with passwords, Peter Elmer created a video to demonstrate how to move such users to client certificate authentication instead. This example use P12 cert files on the clients, you can also choose to use CAPI/KeyChain enrollment which is very similar.
Peter is traveling today so I´m posting on his behalf. Please give kudos to him for this and not to me..
Christian
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 18 | |
| 16 | |
| 13 | |
| 11 | |
| 10 | |
| 7 | |
| 7 | |
| 6 | |
| 6 | |
| 4 | 
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 11:00 AM (EDT)
Tips and Tricks 2025 #15: Become a Threat Exposure Management Power User!About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY