Breaking: Check Point VPN Auth Bypass Exploited by Qilin Ransomware — 11 June 2026
Check Point VPN Authentication Bypass Under Active Exploitation by Qilin Ransomware
A critical vulnerability in Check Point Security Gateway is being actively exploited in the wild, with confirmed post-compromise activity linked to Qilin ransomware. CISA's remediation deadline is today.
CVE-2026-50751 is a CVSS 9.3 authentication bypass in Check Point Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 key exchange protocol. The flaw allows an unauthenticated remote attacker to bypass user authentication entirely by exploiting a logic weakness in certificate validation, establishing a VPN session without a valid password. Check Point Research confirmed active exploitation on June 4, 2026, with attacks dating back to at least May 7.
The threat actor, assessed with medium confidence as a Qilin ransomware affiliate, operates from VPS infrastructure hosted at Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. The actor has shown a pattern of correlating VPS geolocation to victim geography. Check Point also observed the same actor exploiting VPN vulnerabilities from other vendors, including Palo Alto, Fortinet, and F5.
A second vulnerability, CVE-2026-50752 (CVSS 7.4), was discovered during the investigation. It enables man-in-the-middle attacks on site-to-site VPN connections also using IKEv1. No exploitation has been observed for this second flaw.
Affected products include Check Point Mobile Access, SSL VPN, Remote Access VPN, and Spark Firewall across versions R80.20 through R82.10. Several affected versions have reached end-of-support status.
Indicators of Compromise
Known actor infrastructure IPs: 45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139, 162.33.177[.]101, 45.76.26[.]42, 144.208.127[.]155, 38.54.88[.]201, 38.54.107[.]167, 66.42.99[.]200, 45.63.104[.]106, 45.61.136[.]173, 146.71.81[.]184. Malware hashes: 52fda5c1b9704544f32ee98d9060e689, 51d39aa39478beeac94f2d12f682ecce.
So what / Action
This is not theoretical. Ransomware operators are walking through VPNs using a protocol that should have been retired years ago. If you run Check Point gateways with IKEv1 enabled, patch now. The CISA deadline is today. If immediate patching is not possible, Check Point's advisory (sk185033) provides remote-access configuration mitigations that disable IKEv1 without requiring a hotfix. Even if you believe IKEv1 is disabled, verify. Several end-of-support versions are affected and may not receive patches. Incident response teams should audit logs back to May 7 at minimum. And if this actor is exploiting Palo Alto, Fortinet, and F5 VPN flaws as well, assume your perimeter is being tested across all vendors.
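The log audit recommended above, as an added example (not from the original article or from Check Point): it refangs the IPs listed under Indicators of Compromise and reports first seen, last seen and line count for each one that appears in log lines dated May 7, 2026 or later. The log line format, SAMPLE_LOG and the function names are assumptions made for illustration; real gateway logs need their own timestamp parsing.

```python
import ipaddress
import re
from datetime import datetime

# Defanged IPs copied from the "Indicators of Compromise" line on this page.
DEFANGED_IOCS = """45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139,
162.33.177[.]101, 45.76.26[.]42, 144.208.127[.]155, 38.54.88[.]201,
38.54.107[.]167, 66.42.99[.]200, 45.63.104[.]106, 45.61.136[.]173,
146.71.81[.]184"""
AUDIT_START = datetime(2026, 5, 7)  # earliest exploitation date given on the page
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def refang(text):
    """Turn defanged indicators (1.2.3[.]4) into a set of validated IPv4 strings."""
    found = IPV4.findall(text.replace("[.]", "."))
    return {str(ipaddress.ip_address(ip)) for ip in found}

def sweep(lines, iocs, start=AUDIT_START):
    """Return {ip: [first_seen, last_seen, line_count]} for IoC IPs seen on/after start."""
    hits = {}
    for line in lines:
        stamp, _, rest = line.partition(" ")
        try:
            # Assumed format: ISO-8601 timestamp first; any UTC offset is dropped.
            when = datetime.fromisoformat(stamp).replace(tzinfo=None)
        except ValueError:
            continue  # unparseable line: skip rather than guess
        if when < start:
            continue
        # Match source and destination fields alike; count each line once per IP.
        for token in set(IPV4.findall(rest)) & iocs:
            rec = hits.setdefault(token, [when, when, 0])
            rec[0], rec[1], rec[2] = min(rec[0], when), max(rec[1], when), rec[2] + 1
    return hits

# Constructed sample log lines (hypothetical format, not real gateway output).
SAMPLE_LOG = [
    "2026-05-06T23:10:02 vpn ike1 session src=45.77.149.152 user=-",
    "2026-05-09T02:14:55 vpn ike1 session src=45.77.149.152 user=-",
    "2026-05-12T11:00:01 vpn ike2 session src=192.0.2.10 user=alice",
    "2026-06-01T04:41:37 vpn ike1 session src=38.54.88.201 user=-",
    "2026-06-01T04:49:12 fw accept src=10.0.0.5 dst=45.77.149.152",
]

if __name__ == "__main__":
    for ip, (first, last, n) in sorted(sweep(SAMPLE_LOG, refang(DEFANGED_IOCS)).items()):
        print(f"{ip}: {n} line(s), first seen {first}, last seen {last}")
```

A hit on the destination side, as in the last sample line, is worth the same attention as an inbound one, since it shows an internal host talking to listed infrastructure.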

