T1190 Exploit Public-Facing Application
T1005 Data from Local System
External Source IP 203.160.68.12 initiated a malicious POST request targeting CP-Spark-Gateway-01 at 172.16.20.146. The IP is reported as malicious on AbuseIPDB and is associated with CVE scanning activity. A secondary related IP, 203.160.68.13, also attempted exploitation.
A high severity alert (SOC287) detected exploitation attempts of CVE-2024-24919, a zero-day arbitrary file read vulnerability affecting Check Point Security Gateways. The attacker submitted a crafted traversal payload:
aCSHELL/../../../../../../../../../../etc/passwd
via POST request to /clients/MyCRL.
Web server logs confirm an HTTP 200 response with 1256 bytes returned, indicating probable successful disclosure of /etc/passwd; the response body should be reviewed to confirm it contains passwd-format entries rather than an error page of similar size. A subsequent attempt to access /etc/shadow resulted in HTTP 403, indicating partial blocking.
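The triage described above can be scripted. The following is an added example, not part of the original alert writeup and not Check Point tooling: it parses combined-format access log lines (the sample lines are constructed for illustration, not the real /var/log/access.log entries), flags POST requests to /clients/MyCRL (legitimate CRL fetches by VPN clients are GETs), classifies each by status code and response size, and separately normalizes a captured request body to recover the traversal target. The function names and the log format are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined-log format (not the real
# incident log). Two attacker POSTs, one legitimate GET of the CRL, one unrelated hit.
SAMPLE_LOG = """\
203.160.68.12 - - [06/Jun/2024:15:12:45 +0000] "POST /clients/MyCRL HTTP/1.1" 200 1256 "-" "Mozilla/5.0"
203.160.68.12 - - [06/Jun/2024:15:12:47 +0000] "POST /clients/MyCRL HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.160.68.13 - - [06/Jun/2024:15:13:02 +0000] "POST /clients/MyCRL HTTP/1.1" 200 1256 "-" "python-requests/2.31"
10.0.0.5 - - [06/Jun/2024:15:13:10 +0000] "GET /clients/MyCRL HTTP/1.1" 200 4096 "-" "CheckPoint VPN Client"
10.0.0.7 - - [06/Jun/2024:15:14:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The CVE-2024-24919 payload shape seen in this incident: the "aCSHELL/" prefix
# followed by one or more "../" segments (matched after URL-decoding).
TRAVERSAL_RE = re.compile(r'aCSHELL/(?:\.\./)+', re.IGNORECASE)

VULNERABLE_ENDPOINT = "/clients/MyCRL"


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def triage_access_log(text):
    """Flag POSTs to the vulnerable endpoint and classify each by outcome.

    Only POSTs are suspicious here: the exploit body rides on a POST, while
    normal VPN clients download the CRL with a GET.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != VULNERABLE_ENDPOINT:
            continue
        if rec["status"] == 200 and rec["size"] > 0:
            verdict = "probable_disclosure"   # content came back; confirm from the body
        elif rec["status"] == 403:
            verdict = "blocked"
        else:
            verdict = "attempt"
        findings.append({**rec, "verdict": verdict})
    return findings


def inspect_body(body):
    """Return the absolute file the traversal resolves to, or None if no traversal."""
    decoded = unquote(body)
    m = TRAVERSAL_RE.search(decoded)
    if not m:
        return None
    # Anchor at "/" so surplus "../" segments collapse to the filesystem root,
    # mirroring what the traversal achieves on the gateway.
    return posixpath.normpath("/" + decoded[m.start():])


if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['size']}B -> {f['verdict']}")
    print(inspect_body("aCSHELL/../../../../../../../../../../etc/passwd"))
```

Run against the real access.log, the 200/1256-byte POST from 203.160.68.12 and the later 403 would come out as probable_disclosure and blocked respectively; the body check needs a capture or WAF log, since the traversal sits in the POST body and does not appear in the access log request line.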
Event Time Jun 06, 2024 15:12:45 UTC
Alert Triggered Jun 06, 2024 15:12 UTC
Network activity confirmed on endpoint Jun 06, 2024 15:14:30 UTC
Affected Host CP-Spark-Gateway-01
Destination IP 172.16.20.146
Targeted Endpoint /clients/MyCRL
Log Source /var/log/access.log
External Source IP 203.160.68.12
The attacker exploited CVE-2024-24919 to perform arbitrary file read via directory traversal. The HTTP 200 response and returned payload size strongly suggest successful retrieval of sensitive system data. The vulnerability allows unauthenticated file disclosure on exposed Check Point gateways, potentially leading to credential harvesting.