Check Point VPN-1/FireWall-1 contains a flaw that may allow a remote attacker to send traffic that bypasses the ruleset. The issue lies in FWZ client processing, which may allow spoofed packets through even though anti-spoofing checks are present. If an attacker sends specially crafted packets encapsulated as FWZ packets, the firewall may let them pass.
Upgrade to version 4.0 SP7, 4.1 SP2 or higher, as these releases have been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.