Credential Harvesting via Check Point SmartConsole CVE-2024-24915

Karol Mazurek
Aug 4, 2025

In “When Memory Refuses to Forget: Sensitive Data Persistence in Desktop Application“, I explored the threat of sensitive data lingering in memory, showing that software often fails to erase secrets securely after use. Today, I’ll demonstrate how credential harvesting through this vulnerability played a pivotal role in a real-world red team engagement involving a CVE I found last year in Check Point’s SmartConsole (R81.20).

Enjoy!

Credential Harvesting via CVE-2024-24915: Proof of Concept

The vulnerability lies in the fact that credentials are not cleared from memory after being used. To reproduce:

  • Sign in to the application. [Screenshot: Check Point SmartConsole login]
  • Create a memory dump of the SmartConsole process. [Screenshot: process memory dump]
  • Search the dump for the strings used for signing in. [Screenshot: search results showing the credentials in cleartext in SmartConsole memory]
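From the detection side, the memory-dump step above leaves a trace: some process has to open a handle to SmartConsole with read access, which Sysmon records as Event ID 10 (ProcessAccess). The following is an added example, not code from the original post or from Check Point, that flags such records; the process name SmartConsole.exe, the install path, the allowlist and the flattened `Key=Value|...` export format are assumptions, and the sample events are constructed.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records where a process reads SmartConsole's memory."""
from dataclasses import dataclass
# Win32 right needed to read another process's memory; full masks such as 0x1FFFFF include it.
PROCESS_VM_READ = 0x0010
# Assumption: the SmartConsole client process is named SmartConsole.exe (not stated on the page).
TARGET_IMAGE = "\\smartconsole.exe"
# Processes that legitimately open others with read rights; tune per environment (constructed).
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wbem\wmiprvse.exe"}

@dataclass(frozen=True)
class Finding:
    source_image: str
    target_image: str
    granted_access: int

def parse_event(line: str) -> dict:
    """Parse one flattened event: 'Key=Value' fields joined by '|' (constructed export format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_memory_read(event: dict) -> bool:
    """True when a non-allowlisted process obtained PROCESS_VM_READ on SmartConsole."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(TARGET_IMAGE):
        return False
    if not int(event.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWLIST

def find_memory_reads(lines) -> list:
    """Run the check over an iterable of flattened event lines and return the findings."""
    findings = []
    for event in map(parse_event, lines):
        if is_memory_read(event):
            findings.append(Finding(event["SourceImage"], event["TargetImage"],
                                    int(event["GrantedAccess"], 16)))
    return findings

# Constructed samples: unknown Temp binary with full access to SmartConsole (should fire),
# allowlisted system process, read of an unrelated process, and a handle lacking VM_READ.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Users\bob\AppData\Local\Temp\pd.exe|TargetImage=C:\Program Files (x86)\CheckPoint\SmartConsole\SmartConsole.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files (x86)\CheckPoint\SmartConsole\SmartConsole.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Users\bob\AppData\Local\Temp\pd.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Program Files (x86)\CheckPoint\SmartConsole\SmartConsole.exe|GrantedAccess=0x1000",
]
```

Only the first sample fires; the allowlisted csrss.exe access, the read of notepad.exe and the 0x1000 handle (PROCESS_QUERY_LIMITED_INFORMATION only) are ignored.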

Okay, but how can adversaries use that? Is this a real threat? Let’s find out!

Red Team Context

The story starts with a successful spear-phishing campaign. I used a vulnerable SmartConsole installer on a company-wide SMB share. The initial access vector was DLL hijacking: a malicious profapi.dll planted alongside the installer (as detailed in my earlier post DLL Hijacking in Check Point SmartConsole installer aka CVE-2024-24916). Once a user ran the installer, it triggered a reverse shell.

After establishing persistence, the second vulnerability I found, CVE-2024-24915, comes into play.

Exploiting Plaintext Credentials: Credential Harvesting in Process Memory

Here’s where insecure memory handling in SmartConsole became a gold mine. In each shell session, I began dumping the process memory of SmartConsole to harvest user credentials. Thanks to CVE-2024-24915, these credentials are left in cleartext within the process memory.

This is a concrete example of how the issue described in “When Memory Refuses to Forget: Sensitive Data Persistence in Desktop Application“ is a real threat, especially in a corporate environment.

Lateral Movement Through Credential Harvesting

This is significant for lateral movement: harvested plaintext credentials can be immediately abused for password reuse, with automated tools like netexec spraying them across services such as:

  • Remote Desktop Protocol (RDP) for interactive access to user desktops or servers.
  • Server Message Block (SMB) for file sharing and remote command execution.
  • Windows Remote Management (WinRM) to execute remote PowerShell or management commands.
  • Windows Management Instrumentation (WMI) for stealthy, remote code execution.
  • LDAP queries to enumerate users, computers, and AD objects.
  • Kerberos for Pass-the-Ticket or Pass-the-Hash attacks.

The risk extends beyond on-prem environments—those same credentials often grant access to:

  • Cloud Services like Office 365, Google Workspace, Salesforce, AWS, Azure, and more.
  • HTTP/Web Applications (internal and external), VPN portals, time-tracking tools, HR platforms, Jira, Confluence, and other business-critical resources.

The combination of DLL hijacking for initial compromise and plaintext credential harvesting in memory allows a red team – or an attacker – to chain these vulnerabilities with devastating effect. It is also a good moment to repeat a timeless piece of security advice: NEVER USE THE SAME PASSWORD TWICE.

Final Words

The persistence of credentials in userland memory can turn a single successful phish into a domain-wide compromise. Modern red team engagements demonstrate that, all too often, memory-based credential harvesting remains a critical attack vector.
