
Why Iran-Based Hackers Are Scanning Network Security Devices

Martin Holloway. Published 2w ago. 5 min read. Based on 1 source.

Iran-based cyber actors have been actively scanning internet-facing Check Point Security Gateway deployments since July 2024, according to a CISA advisory published in August 2024. They are probing IP address ranges to find devices that might be vulnerable to attack. This kind of reconnaissance typically comes before an actual breach attempt.

What Happened

The attackers used systematic scanning — essentially automated probing of large blocks of internet addresses — to find Check Point Security Gateways and see which ones were exposed and potentially vulnerable. Check Point Security Gateways are the front-line security devices that most large organizations use to control traffic entering and leaving their networks. They handle VPN connections, enforce firewall rules, and serve as the main checkpoint where data crosses the network boundary.

The scanning activity was traced back to Iran-based cyber actors with suspected ties to the Iranian state. This matters because Iran has a documented history of targeting critical infrastructure, government agencies, and defense contractors across North America, Europe, and the Middle East.

Why Check Point Gateways Are Targets

Check Point Security Gateways have had publicly disclosed vulnerabilities in the past, and threat actors have shown active interest in exploiting them. The vendor publishes regular defense guidance — including advisories like cpai-2026-6406 — tracking these ongoing threats. Reconnaissance through IP scanning is the first step. Attackers identify which devices are reachable, then follow up with actual exploitation attempts targeting specific known flaws.

For defenders, the gap between scanning and actual exploitation is narrow. Once scanning is detected and made public, the window to patch or protect exposed gateways is already closing. Devices that are reachable on common ports — typically TCP 443, 4433, or 8443 depending on how the gateway is configured — are the main targets.

Who Is at Risk

Check Point gateways are widely deployed across enterprise and government organizations. Companies running outdated versions, those that have passed the vendor's end-of-support date, or organizations with management interfaces accidentally exposed to the public internet face the highest risk. Sectors that have historically attracted Iranian threat actors — energy, defense contracting, financial services, and government — should be especially alert, though this kind of broad scanning can hit any organization.

The scanning being reported by CISA is not precise or selective. It sweeps across large ranges of IP addresses and checks whatever Check Point gateways it finds. That means every reachable device becomes a potential target, regardless of industry or organization. This indiscriminate quality is exactly why the advisory matters to such a broad audience.

What Organizations Should Do

The first priority for any company running Check Point Security Gateways is to limit their exposure. Management interfaces — the administrative ports used to configure the device — should not be accessible from the public internet. If remote administration is necessary, access should be restricted to known IP addresses or routed through a separate secure access layer (a pattern called zero-trust networking). VPN portals have to be public by design, so the focus there shifts to keeping the software patched and current.
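One way to turn the management-exposure advice above into a repeatable check is to audit the rule base for management services that accept traffic from anything broader than a small admin network. The script below is an added example, not Check Point's own tooling or configuration format: the rule representation, the service names, the admin network and the sample rules are all constructed for illustration.

```python
"""Audit a firewall rule base for management services exposed too widely.

Added example; the rule schema, service names, admin network and sample
rules are constructed for illustration and are not a vendor format.
"""
import ipaddress
from typing import Dict, List

# Services that configure the device. Assumed names for this illustration.
MANAGEMENT_SERVICES = {"ssh", "mgmt-https"}

# The only networks that should reach management services (assumed
# jump-host subnet; an organization substitutes its own).
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]


def rule_is_overexposed(rule: Dict[str, str]) -> bool:
    """True when an accept rule lets a management service be reached from
    a source range that is not fully contained in an admin network."""
    if rule["action"] != "accept":
        return False
    if rule["service"] not in MANAGEMENT_SERVICES:
        # VPN portals and similar public-by-design services are out of scope.
        return False
    src = ipaddress.ip_network(rule["source"], strict=False)
    contained = any(
        src.version == net.version and src.subnet_of(net)
        for net in ADMIN_NETWORKS
    )
    return not contained


def audit(rules: List[Dict[str, str]]) -> List[str]:
    """Return the names of rules that expose management services."""
    return [r["name"] for r in rules if rule_is_overexposed(r)]


# Constructed sample rule base: a weak rule next to its corrected form.
SAMPLE_RULES = [
    # Weak: management HTTPS reachable from the whole internet.
    {"name": "mgmt-any", "source": "0.0.0.0/0", "service": "mgmt-https", "action": "accept"},
    # Corrected: same service, restricted to the admin jump-host subnet.
    {"name": "mgmt-jump", "source": "10.10.0.0/24", "service": "mgmt-https", "action": "accept"},
    # Public by design; not a management service, so not flagged.
    {"name": "vpn-portal", "source": "0.0.0.0/0", "service": "vpn-portal", "action": "accept"},
    # Too broad: an entire private /8 is wider than the admin allowlist.
    {"name": "ssh-wide", "source": "10.0.0.0/8", "service": "ssh", "action": "accept"},
    # A drop rule never exposes anything.
    {"name": "ssh-deny", "source": "0.0.0.0/0", "service": "ssh", "action": "drop"},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print(f"over-exposed management rule: {name}")
```

The check is deliberately strict: a source range is acceptable only if it is entirely inside an admin network, so "10.0.0.0/8" is flagged even though it is private, because it is far wider than the jump-host subnet the policy intends. Exporting the live rule base into this shape is the part an organization has to adapt to its own product.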

Security teams can detect scanning activity by watching network logs for unusual patterns: sudden bursts of connection attempts from unfamiliar IP addresses, especially on non-standard ports, often signal active reconnaissance. Threat intelligence feeds — including those published by CISA — can flag known Iranian actor infrastructure and feed that signal into automated security monitoring tools.
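The pattern described above, one source touching many gateway-facing hosts in a short burst, can be scored directly from connection logs. The script below is an added example and is not part of the CISA advisory or any Check Point product: the log line format, the port set (taken from the ports the article names), the allowlist, the window and threshold, and the sample lines are all constructed for illustration.

```python
"""Flag horizontal-scan behaviour against gateway ports in connection logs.

Added example; the log format, thresholds, allowlist and sample lines are
constructed for illustration and are not from any vendor or advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Ports the article names as typical exposure points for the gateways.
GATEWAY_PORTS = {443, 4433, 8443}

# Sources expected to contact many gateways (assumed monitoring host).
KNOWN_ADMIN_SOURCES = {"10.0.0.5"}

WINDOW = timedelta(seconds=60)       # sliding window per source
DISTINCT_HOST_THRESHOLD = 4          # distinct destinations inside WINDOW


def parse_line(line: str) -> Tuple[datetime, str, str, int, str]:
    """Parse one constructed log line: '<iso-ts> <src> <dst> <dport> <action>'."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_scanners(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Return {src: finding} for sources that reach at least
    DISTINCT_HOST_THRESHOLD distinct hosts on gateway ports within WINDOW."""
    events = defaultdict(list)  # src -> [(ts, dst, dport)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in GATEWAY_PORTS and src not in KNOWN_ADMIN_SOURCES:
            events[src].append((ts, dst, dport))

    findings: Dict[str, Dict[str, object]] = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            hosts = {dst for _, dst, _ in window}
            if len(hosts) >= DISTINCT_HOST_THRESHOLD:
                findings[src] = {
                    "hosts": len(hosts),
                    "ports": sorted({p for _, _, p in window}),
                    "first_seen": window[0][0].isoformat(),
                }
                break  # first qualifying window is enough to raise the alert
    return findings


# Constructed sample log: a fast sweep, a normal user, an allowlisted
# monitor, and a slow sweep spread over hours.
SAMPLE_LOG = """\
2024-07-15T08:00:01 203.0.113.10 198.51.100.1 443 drop
2024-07-15T08:00:02 203.0.113.10 198.51.100.2 443 drop
2024-07-15T08:00:02 203.0.113.10 198.51.100.3 8443 drop
2024-07-15T08:00:03 203.0.113.10 198.51.100.4 4433 drop
2024-07-15T08:00:04 203.0.113.10 198.51.100.5 443 accept
2024-07-15T08:00:05 192.0.2.44 198.51.100.1 443 accept
2024-07-15T08:05:00 192.0.2.44 198.51.100.1 443 accept
2024-07-15T08:00:06 10.0.0.5 198.51.100.1 8443 accept
2024-07-15T08:00:06 10.0.0.5 198.51.100.2 8443 accept
2024-07-15T08:00:06 10.0.0.5 198.51.100.3 8443 accept
2024-07-15T08:00:06 10.0.0.5 198.51.100.4 8443 accept
2024-07-15T09:00:00 198.51.100.77 198.51.100.1 443 drop
2024-07-15T09:30:00 198.51.100.77 198.51.100.2 443 drop
2024-07-15T10:00:00 198.51.100.77 198.51.100.3 443 drop
2024-07-15T10:30:00 198.51.100.77 198.51.100.4 443 drop
"""

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible scan from {src}: {info}")
```

Only the fast sweep is flagged; the last source in the sample touches the same number of hosts but spread over ninety minutes, so a 60-second window misses it. That is the expected trade-off: a short window keeps false positives low on busy portals, while catching slow, low-rate sweeps needs a longer window or a per-source daily count, which is where a threat-intelligence feed of known infrastructure adds the most value.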

For organizations running Check Point in a redundant or high-availability setup, both devices are equally exposed and must be treated that way. Updating both requires careful sequencing to avoid downtime, but that operational complexity should not delay patching.

One important note: CISA typically publishes alerts weeks or even months after the underlying activity begins. The fact that the July 2024 scanning was reported in August 2024 is unusually fast. However, this kind of reconnaissance campaign typically continues long after public disclosure — until the attackers either succeed, the target population patches the vulnerability, or the attacker moves on to a different approach.

The Bigger Pattern

Organized scanning campaigns are not new. In the 1990s, when the internet was becoming mainstream, attackers used automated tools to scan large blocks of IP addresses looking for vulnerable systems. The difference now is who is doing it and how focused they are. Nation-state actors do not scan randomly. They scan because they have a specific way to exploit vulnerable devices and need to find suitable targets efficiently. That kind of coordinated campaign reflects serious resources and intent that casual attackers do not have.

Check Point gateways are attractive targets precisely because they are the enforcement layer — the devices that see and control network traffic. Compromising one gives attackers visibility into data flowing through the network, the ability to intercept login credentials at VPN endpoints, and sometimes the power to change firewall rules or routing policies. A gateway is not just another computer; it is the lock on the front door.

What Comes Next

Check Point continues to publish advisories and defense guidance. Organizations should treat that information feed as a critical source and integrate it into how they manage vulnerabilities — not as a monthly checklist item but as something they respond to quickly. The broader lesson for defenders is that edge security devices — gateways, VPN concentrators, firewalls at the network boundary — have become the preferred entry point for sophisticated attackers. These devices sit at the boundary between trusted and untrusted networks, are often harder to patch than internal servers, and carry implicit trust within organizations. Closing the gap between when they become exposed and when they get patched is one of the most important security priorities in large organizations right now.