
CVE-2024-24919 and CVE-2024-37079: CISA KEV Alert — Critical Detection and Remediation Guide

Security Arsenal Team
May 22, 2026

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities—CVE-2024-24919 (Check Point Security Gateways) and CVE-2024-37079 (Microsoft .NET)—to its Known Exploited Vulnerabilities (KEV) Catalog. Under Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to remediate these threats, but private sector organizations should act immediately.

We are seeing active exploitation of CVE-2024-24919 in the wild, where threat actors are targeting internet-facing VPN gateways to gain initial access. This is not a theoretical risk; it is a precursor to hands-on-keyboard intrusion and ransomware deployment.

Technical Analysis

1. CVE-2024-24919 (Check Point Security Gateway)

  • Affected Products: Check Point Security Gateways running GAiA OS.
  • Vulnerable Versions: R80.20, R80.30, R80.40, R81.10, R81.20.
  • CVSS Score: 8.6 (High).
  • Vulnerability Type: Heap-based buffer overflow in the IPSec VPN service.
  • Exploitation Status: Confirmed Active Exploitation.

Defender's View: The vulnerability exists in the vpnd daemon on Check Point gateways. An unauthenticated attacker can send a malicious packet to the IPsec service, triggering a buffer overflow that allows remote code execution (RCE) with root privileges. The attack chain typically involves a single malformed packet reaching the device on UDP port 500 or 4500 (IKE), resulting in a reverse shell back to the attacker's infrastructure.

2. CVE-2024-37079 (Microsoft .NET)

  • Affected Products: Microsoft .NET 8.0, 7.0, and 6.0.
  • CVSS Score: 9.8 (Critical).
  • Vulnerability Type: Remote Code Execution (RCE).
  • Exploitation Status: Exploitation Detected.

Defender's View: This vulnerability allows an attacker to bypass security controls in applications using Visual Studio, specifically related to the MSIX deployment framework. A successful exploit can lead to RCE on the host system running a vulnerable .NET application, potentially pivoting to the broader domain environment.

Detection & Response

SIGMA Rules

YAML
---
title: Potential Check Point VPN Exploitation (CVE-2024-24919)
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects suspicious process spawning by Check Point VPN processes (vpnd/cpd) indicative of exploitation or reverse shell activity.
references:
  - https://support.checkpoint.com/results/sk/sk182336
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/vpnd'
      - '/cpd'
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/nc'
      - '/netcat'
  condition: selection
falsepositives:
  - Legitimate administrative debugging
level: critical
---
title: Suspicious MSIX Deployment Activity (CVE-2024-37079)
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects execution of MSIX deployment tools with suspicious arguments or paths commonly abused in .NET RCE exploits.
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37079
author: Security Arsenal
date: 2026/05/21
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'Add-AppxPackage'
      - '.msix'
      - '.appx'
  filter:
    CommandLine|contains:
      - 'Program Files'
      - 'Microsoft\\WindowsApps'
  condition: selection and not filter
falsepositives:
  - Legitimate software installation by IT
level: high
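To check that the two rules above fire on the events they describe (and stay quiet on the benign neighbours), here is an added example, not code from the original advisory: a minimal matcher that implements only the Sigma semantics these rules use (the endswith and contains modifiers, OR across a value list, AND across fields, case-insensitive string comparison, and the `selection and not filter` condition), run over constructed process-creation events. The event values are invented; only the Check Point binary path follows the advisory.

```python
"""Minimal Sigma matcher for the two rules on this page, run over sample events.
Added example; not part of the original advisory. Handles only the modifiers
and conditions those rules use."""

RULES = {
    # Rule 1: shell or netcat spawned by the Check Point vpnd/cpd daemons (Linux)
    "Potential Check Point VPN Exploitation (CVE-2024-24919)": {
        "selection": {
            "ParentImage|endswith": ["/vpnd", "/cpd"],
            "Image|endswith": ["/sh", "/bash", "/nc", "/netcat"],
        },
        "condition": "selection",
    },
    # Rule 2: MSIX/Appx deployment from outside the expected install paths (Windows)
    "Suspicious MSIX Deployment Activity (CVE-2024-37079)": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
            "CommandLine|contains": ["Add-AppxPackage", ".msix", ".appx"],
        },
        "filter": {
            "CommandLine|contains": ["Program Files", "Microsoft\\WindowsApps"],
        },
        "condition": "selection and not filter",
    },
}


def field_matches(event, spec, values):
    """One 'Field|modifier' entry matches if ANY listed value matches (a Sigma list is OR).
    Sigma string comparison is case-insensitive, so both sides are lower-cased."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        wanted = value.lower()
        if modifier == "endswith" and actual.endswith(wanted):
            return True
        if modifier == "contains" and wanted in actual:
            return True
        if modifier == "" and actual == wanted:
            return True
    return False


def block_matches(event, block):
    """Every entry of a detection block must match (a Sigma map is AND)."""
    return all(field_matches(event, spec, values) for spec, values in block.items())


def rule_matches(rule, event):
    """Evaluate the two condition forms used by the rules on this page."""
    condition = rule["condition"]
    if condition == "selection":
        return block_matches(event, rule["selection"])
    if condition == "selection and not filter":
        return block_matches(event, rule["selection"]) and not block_matches(event, rule["filter"])
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(events):
    """Return (event id, rule title) pairs for every rule that fires, in event order."""
    return [(event["id"], title)
            for event in events
            for title, rule in RULES.items()
            if rule_matches(rule, event)]


# Constructed sample events (invented values; only the CPsuite path follows the advisory).
SAMPLE_EVENTS = [
    {"id": "lin-1", "ParentImage": "/opt/CPsuite-R81/fw1/bin/vpnd",
     "Image": "/bin/sh", "CommandLine": "sh -c id"},                           # fires rule 1
    {"id": "lin-2", "ParentImage": "/opt/CPsuite-R81/fw1/bin/cpd",
     "Image": "/opt/CPsuite-R81/fw1/bin/cpstat", "CommandLine": "cpstat fw"},  # benign child
    {"id": "win-1", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -Command add-appxpackage C:\\Users\\Public\\update.msix"},  # fires rule 2 (case-insensitive)
    {"id": "win-2", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Add-AppxPackage \"C:\\Program Files\\Vendor\\app.msix\""},  # removed by filter
]

if __name__ == "__main__":
    for event_id, title in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

Note that win-1 uses lower-case `add-appxpackage` on purpose: a matcher that compares case-sensitively would miss it, while Sigma's default matching does not.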

KQL (Microsoft Sentinel / Defender)

// Hunt for Check Point VPN anomalies via Syslog/CEF
// Note: Adjust the facility and message keywords based on your CEF normalization
Syslog
| where Facility contains "local4" // Common Check Point facility
| where SyslogMessage has "IKE" or SyslogMessage has "vpn"
| extend Msg = parse_json(SyslogMessage) // Structured (JSON) lines parse into a dynamic object
| extend Message = iff(gettype(Msg) == "dictionary", tostring(Msg), SyslogMessage) // Fall back to the raw text when the line is not JSON
| project TimeGenerated, Computer, HostIP, ProcessName, Message
| where Message has "decryption failed" or Message has "packet_parse_error"
| summarize count() by bin(TimeGenerated, 5m), Computer, Message // Bucket by 5-minute window; grouping by the raw timestamp would never exceed 1
| where count_ > 10
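The KQL hunt above is a windowed threshold: keep IKE/VPN messages that carry a failure indicator, count them per five-minute bucket per host, and alert when a bucket exceeds ten. The following added example, not from the original advisory, reproduces that logic offline over constructed syslog lines so the threshold and bucketing can be checked without a Sentinel workspace. The line format (`<ISO timestamp> <host> <process>[pid]: <message>`), the hostnames and the peer addresses are all assumptions for this example.

```python
"""Offline equivalent of the Sentinel hunt: parse, filter, bucket, threshold.
Added example; the log lines below are constructed, not real gateway output."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Assumed syslog shape for this example: "<ISO timestamp> <host> <process>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\s\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
KEYWORD_RE = re.compile(r"\b(IKE|vpn)\b", re.IGNORECASE)   # mirrors `has "IKE" or has "vpn"` (whole-term match)
INDICATORS = ("decryption failed", "packet_parse_error")   # the two failure strings the hunt looks for
WINDOW = timedelta(minutes=5)                               # bin(TimeGenerated, 5m)
THRESHOLD = 10                                             # where count_ > 10


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not fit the shape."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def window_start(ts):
    """Floor a timestamp to the start of its 5-minute bucket."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // WINDOW) * WINDOW


def indicator_in(msg):
    """Return the first failure indicator present in the message, or None."""
    low = msg.lower()
    return next((ind for ind in INDICATORS if ind in low), None)


def count_indicators(lines):
    """Count indicator hits keyed by (bucket start, host, indicator), like the summarize step."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not KEYWORD_RE.search(rec["msg"]):
            continue
        ind = indicator_in(rec["msg"])
        if ind is None:
            continue
        counts[(window_start(rec["ts"]), rec["host"], ind)] += 1
    return counts


def alerts(lines, threshold=THRESHOLD):
    """Buckets whose hit count exceeds the threshold, as sorted ((bucket, host, indicator), count) pairs."""
    return sorted((key, n) for key, n in count_indicators(lines).items() if n > threshold)


def _ts(minute, second):
    return f"2026-05-21T10:{minute:02d}:{second:02d}Z"


# Constructed sample: a burst of 12 failures on gw1, a small run on gw2, two benign/odd lines, one malformed line.
SAMPLE_LINES = (
    [f"{_ts(0, i)} gw1 vpnd[2311]: IKE: decryption failed for peer 198.51.100.7" for i in range(12)]
    + [f"{_ts(1, i)} gw2 vpnd[2318]: IKE: decryption failed for peer 198.51.100.9" for i in range(3)]
    + [f"{_ts(2, 0)} gw1 vpnd[2311]: vpn tunnel established with 192.0.2.10",
       f"{_ts(7, 0)} gw1 vpnd[2311]: IKE: packet_parse_error from 198.51.100.7",
       "malformed line without structure"]
)

if __name__ == "__main__":
    for (bucket, host, indicator), n in alerts(SAMPLE_LINES):
        print(f"{bucket.isoformat()} {host}: {n} x '{indicator}'")
```

Only the gw1 burst crosses the threshold; gw2's three failures and the lone `packet_parse_error` in the next bucket do not, which is the behaviour to expect from the KQL as well. Tune `THRESHOLD` against a baseline of your own gateways before relying on it.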

Velociraptor VQL

-- Hunt for shell processes parented by Check Point daemons on Linux Gateways
-- pslist() exposes Ppid but not the parent's name, so resolve the daemons first
LET daemons = SELECT Pid AS ParentPid, Name AS ParentName
    FROM pslist() WHERE Name =~ '^(vpnd|cpd)$'

-- Children of vpnd/cpd, plus any netcat process regardless of its parent
SELECT * FROM chain(
  children={ SELECT * FROM foreach(row=daemons, query={
      SELECT ParentPid, ParentName, Pid, Name, CommandLine, Exe, Username, CreateTime
      FROM pslist() WHERE Ppid = ParentPid }) },
  netcat={ SELECT Ppid AS ParentPid, NULL AS ParentName, Pid, Name, CommandLine, Exe, Username, CreateTime
      FROM pslist() WHERE Name =~ '^(nc|netcat)$' })

Remediation Script

Bash / Shell
#!/bin/bash
# Verification and Remediation Script for CVE-2024-24919 (Check Point)
# Run as root on the Security Gateway (expert mode)
set -u

if [ "$(id -u)" -ne 0 ]; then
    echo "[-] This script must be run as root (expert mode)." >&2
    exit 1
fi

echo "[+] Checking Check Point Gateway Version..."

# Get version info from clish; fall back to 'fw ver' if clish is unavailable
if command -v clish >/dev/null 2>&1; then
    VERSION=$(clish -c "show version" 2>/dev/null | grep -i "product version")
else
    VERSION=$(fw ver 2>/dev/null)
fi
echo "Current Version: ${VERSION:-unknown}"

# Check for the specific hotfix Take 177 or later for R81.10/R81.20
# Adjust the Jumbo Take ID based on the specific SK in the advisory
INSTALLED_HOTFIXES=$(cpinfo -y all 2>/dev/null | grep "JUMBO_HOTFIX")

echo "[+] Checking installed Jumbo Hotfixes..."
echo "${INSTALLED_HOTFIXES:-none found}"

# Check if the service is vulnerable (looking for old vpnd binary timestamp)
VPND_BIN=$(ls /opt/CPsuite-*/fw1/bin/vpnd 2>/dev/null | head -n 1)
if [ -z "$VPND_BIN" ]; then
    echo "[-] vpnd binary not found under /opt/CPsuite-*/fw1/bin; check \$FWDIR/bin manually." >&2
    exit 1
fi
VPND_DATE=$(stat -c %y "$VPND_BIN" | cut -d' ' -f1)

echo "[!] vpnd binary: $VPND_BIN"
echo "[!] vpnd binary date: $VPND_DATE"
echo "[!] If this date is prior to the patch release date of May 2024, you are vulnerable."
echo "[+] Apply the latest Jumbo Hotfix immediately via CPUSE."

Remediation

Immediate Actions

  1. Patch Check Point Gateways (CVE-2024-24919):

    • Vendor Advisory: Check Point Security Advisories sk182336.
    • Required Action: Install the latest Jumbo Hotfix. For R81.10/R81.20, ensure you are on Jumbo Hotfix Take 177 or higher.
    • Deadline: CISA BOD 22-01 requires patching by June 11, 2026 (relative to the alert date), but patch immediately.
  2. Update Microsoft .NET (CVE-2024-37079):

    • Vendor Advisory: Microsoft Security Update Guide.
    • Required Action: Update .NET to the latest patch for versions 8.0, 7.0, and 6.0.
    • Workaround: If patching is delayed, restrict the deployment of unsigned MSIX packages and review application allow-listing policies.

Configuration Hardening

  • Check Point: If immediate patching is impossible, restrict VPN access (fw sam) to known source IP ranges. Disable IPSec VPN temporarily if not in use, though this is highly disruptive.
  • Microsoft: Ensure that only trusted developers can deploy packages via MSIX. Enable Microsoft Defender Application Control (WDAC) to block unsigned packages.
