Hackers exploit outdated VPN accounts of Check Point Software users for cyber attacks
Check Point Software Technologies has assembled a team of incident response, product, and technical service experts to investigate a series of VPN-targeting attacks that have impacted its customers worldwide. The attacks, which have been ongoing since at least July 7, 2025, have affected countries including the U.S., Vietnam, Germany, France, and the U.K., primarily impacting sectors such as cryptocurrency users.
The initial exploitation attempts targeting Check Point VPN vulnerabilities, notably CVE-2024-24919, have been linked to state-sponsored actors, including China and North Korea. Threat actors leverage hijacked trusted links and social engineering tactics, such as fake Discord verification bots, to deploy multi-stage malware through trusted cloud services, evading detection. Some attacks have been traced back to zero-day vulnerabilities, allowing remote code execution without authentication.
The attacks on Check Point customers follow months of threat activity targeting organizations that use VPN devices for secure remote access. Other vendors, including Cisco and Ivanti, have also been targeted in recent months by hackers exploiting critical vulnerabilities in attacks against organizations using edge devices.
Check Point Software Technologies has warned its customers that malicious actors are attempting to break into old VPN local accounts that rely on password-only authentication. The company has released a hotfix that customers can download to block this type of activity. Gil Messing, Check Point Software's chief of staff, stated that keeping old, unused accounts with password-only authentication is not a recommended cyber hygiene practice.
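The following added example (not Check Point tooling and not code from the original article) shows one way to audit for the old password-only local accounts described above and to list login attempts against them. The CSV columns, log layout, account names, addresses and the 90-day staleness threshold are all constructed assumptions.

```python
import csv, io, re
from datetime import date

# Constructed sample data: the column names and log layout are assumptions,
# not a Check Point export or log format.
ACCOUNTS_CSV = """name,store,auth,last_login
alice,local,password+certificate,2025-07-01
svc_backup,local,password,2023-11-02
old_contractor,local,password,
bob,ldap,password+otp,2025-06-30
carol,local,password,2025-07-05
"""
AUTH_LOG = """2025-07-08T03:12:44Z vpn-login user=svc_backup src=203.0.113.7 method=password result=failed
2025-07-08T03:12:51Z vpn-login user=old_contractor src=203.0.113.7 method=password result=success
2025-07-08T08:30:02Z vpn-login user=alice src=198.51.100.20 method=certificate result=success
"""
LOG_RE = re.compile(r"^(\S+) vpn-login user=(\S+) src=(\S+) method=(\S+) result=(\S+)$")

def risky_accounts(csv_text, today, stale_days=90):
    """Return {name: [reasons]} for local accounts that authenticate with a password only."""
    risky = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["store"] != "local" or row["auth"] != "password":
            continue
        reasons = ["password-only"]
        if not row["last_login"]:
            reasons.append("never-used")
        elif (today - date.fromisoformat(row["last_login"])).days > stale_days:
            reasons.append("stale")
        risky[row["name"]] = reasons
    return risky

def logins_against(log_text, risky):
    """Return (timestamp, user, source, result) for every login attempt on a risky account."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group(2) in risky:
            hits.append((m.group(1), m.group(2), m.group(3), m.group(5)))
    return hits

if __name__ == "__main__":
    risky = risky_accounts(ACCOUNTS_CSV, date(2025, 7, 9))
    for name, reasons in risky.items():
        print(f"{name}: {', '.join(reasons)}")
    for ts, user, src, result in logins_against(AUTH_LOG, risky):
        print(f"{ts} {user} from {src}: {result}")
```

Accounts flagged as stale or never used are candidates for removal, and any successful login against one of them is worth investigating first.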
To defend against these attacks, experts recommend the immediate application of vendor patches addressing critical VPN vulnerabilities, such as Check Point CVE-2024-24919, Ivanti CVE-2025-0282, and SonicWall SMA vulnerabilities. Other defenses include monitoring for unauthorized use of trusted links, deploying strong authentication, restricting remote access, using advanced threat detection, and preparing for social engineering attempts.
For up-to-date and comprehensive analysis, review Check Point Research publications and reports from cybersecurity firms like TeamT5 and Mandiant, and monitor advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) or similar bodies. As of Friday, a total of three attempts have been identified globally; the company continues to investigate and will provide updates as it learns more. Check Point Software Technologies has notified government cybersecurity authorities about the incidents but declined to provide specifics about the locations of the affected customers.
- The ongoing VPN-targeting attacks against Check Point Software Technologies' customers, which have been tied to state-sponsored actors like China and North Korea, also extend to other technology companies in the data-and-cloud-computing industry, such as Cisco and Ivanti.
- In response to the attacks, incident response teams are urging general-news outlets to emphasize the importance of cybersecurity best practices, including the application of vendor patches, strong authentication, restricted remote access, advanced threat detection, and preparation for social engineering attempts.
- As the investigation into the VPN-targeting attacks on Check Point Software Technologies customers progresses, crime-and-justice reports suggest that these attacks could potentially set new standards for cybercrime and underscore the urgent need for improved cybersecurity measures among technology companies worldwide.