Chinese cybercriminals have exploited a vulnerability in virtual private network (VPN) security gateways to infiltrate manufacturing companies across the globe. The attackers, believed to be linked to the advanced persistent threat (APT) group APT41 (also known as Winnti), used this security flaw to gain access to sensitive intellectual property (IP) from various organizations.
At the CPX 2025 cybersecurity conference, Check Point researchers revealed details of the months-long cyber espionage campaign. They confirmed that dozens of operational technology (OT) organizations had been compromised through a vulnerability in Check Point’s security gateways. However, since Check Point has only tracked incidents involving its own customers, experts warn that many more organizations may have been affected.
Chinese Hackers Exploit Security Gateway Vulnerability
The cyberattacks began shortly after the vulnerability, known as CVE-2024-24919, was disclosed and patched in May 2024. The attacks peaked in November and continued until early 2025. This flaw, found in Check Point security gateways exposed to the open internet and configured for remote access, allowed attackers to bypass authentication and gain unauthorized access to sensitive files.
The vulnerability stemmed from a minor oversight in file path validation within the security appliances. Attackers could send specially crafted requests to retrieve password hashes which, once cracked, granted them superuser privileges and full control over the affected devices. Due to the severity of this risk, CVE-2024-24919 received a “high” rating of 8.6 out of 10 in the Common Vulnerability Scoring System (CVSS).
After exploiting this flaw, the hackers moved laterally across compromised networks, gaining access to more systems, including domain controllers. Eventually, they installed the ShadowPad backdoor, a modular remote access tool believed to be used for stealing valuable IP.
Despite the widespread infiltration, Check Point researchers found no evidence that the attackers disrupted operations. The researchers distinguish this attack from another campaign reported by Orange Cyberdefense on February 18, where a group known as “Green Nailao” used the same vulnerability to infect European organizations with ShadowPad, PlugX, and an undocumented malware called “NailoLocker.”
Global Impact: Manufacturing and Critical Industries Targeted
Check Point identified between 24 and 36 victim organizations worldwide, with a significant concentration in the United States and Latin America. Notably, around 20% of the attacks targeted businesses in Mexico. Other affected regions include Europe, the Middle East, and Africa.
The hackers focused on high-value OT industries, particularly supply chain manufacturers serving the aviation and aerospace sectors. Nearly half of the affected organizations were manufacturers. However, some victims were from unrelated sectors, such as small utilities and financial firms in Africa.
Lotem Finkelsteen, Check Point’s Director of Threat Intelligence, pointed out that attackers do not always operate with surgical precision. “We tend to believe attackers have a flawless strategy, but sometimes collateral targets get caught up in the process,” he said. Once access is gained, cybercriminals may retain control for future use.
Eli Smadja, Research Group Manager at Check Point, added that even seemingly insignificant companies could serve as entry points to larger organizations. “A finance company might not seem like a high-priority target, but attackers can leverage it to reach their real objective,” he explained.
Small Businesses and Manufacturers at Risk
One of the key takeaways from the attack is the vulnerability of small manufacturing firms. It is commonly assumed that manufacturers are large enterprises, but in reality many operate as small businesses with limited cybersecurity defenses.
“We’ve seen this pattern in previous Chinese cyber operations,” Finkelsteen noted. “Many targets are small businesses that attackers find easier to exploit.”
Small OT organizations are attractive targets because they often lack dedicated cybersecurity personnel. “It’s usually just one IT person, handling security, IT, and everything else,” explained Sergey Shykevich, Threat Intelligence Group Manager at Check Point. In some cases, when researchers contact affected organizations, the business owner is the only available point of contact.
Due to limited resources, these businesses often fail to apply security patches promptly. “They might not even be aware of the necessary security measures,” Finkelsteen warned. “That makes them an easy target for attackers.”
The Growing Threat to Global Cybersecurity
This latest espionage campaign highlights the increasing cyber risks facing industrial and operational technology sectors. As attackers continue to exploit vulnerabilities in security gateways, organizations must prioritize patching, employee cybersecurity awareness, and stronger network defenses.
Cybersecurity experts recommend that businesses, regardless of size, apply security patches as soon as they are released, limit remote access configurations, and conduct regular security audits. The attacks on small and medium-sized manufacturers demonstrate the need for stronger cybersecurity policies across industries.
With cyber threats evolving rapidly, experts urge companies to remain vigilant and proactive in safeguarding their sensitive information from state-backed cybercriminals.