Breaking: Check Point VPN Auth Bypass Under Active Ransomware Exploitation — 23 June 2026
Check Point VPN Authentication Bypass — CVE-2026-50751
Check Point has confirmed active exploitation of a critical authentication bypass vulnerability in its Security Gateway products. CVE-2026-50751 carries a CVSS score of 9.3 and allows an unauthenticated remote attacker to establish a VPN session without a valid password by exploiting a logic flaw in IKEv1 certificate validation. The vulnerability affects all supported versions of Remote Access VPN, Mobile Access, and SSL VPN, as well as Spark Firewall products. CISA added it to the Known Exploited Vulnerabilities catalogue on June 8 with a three-day remediation deadline that has already passed.
Check Point Research identified the exploitation on June 4, but forensic evidence shows attacks dating back to at least May 7, with activity escalating through early June. The company has observed targeted attacks against a few dozen organisations globally. At least one confirmed case involves post-compromise activity by a Qilin ransomware affiliate, a financially motivated threat actor that Check Point assesses with medium confidence is also exploiting other VPN vulnerabilities in Palo Alto, Fortinet, and F5 products. The actor appears to use the Tox protocol for command and control, a pattern commonly associated with ransomware operations.
Exploitation Profile
The attack path is straightforward. An adversary exploiting this flaw does not need credentials, does not need user interaction, and does not need special privileges. They send a crafted IKEv1 negotiation that exploits weak certificate validation logic, establishing a VPN tunnel as if they were a legitimate user. From there, additional post-authentication activity is required to reach internal resources or escalate privileges, but the hardest step is already done: they are inside the VPN perimeter without a single stolen credential.
The scope is significant. IKEv1, while deprecated, remains in widespread use in legacy configurations and across environments where VPN client compatibility requirements have prevented migration to IKEv2. Any organisation running Check Point VPN gateways with IKEv1 enabled is potentially exposed.
A second vulnerability, CVE-2026-50752 (CVSS 7.4), was discovered during the investigation using Check Point's BLAST agentic code security platform. This one allows man-in-the-middle interference with site-to-site VPN connections under specific conditions. No exploitation has been observed for CVE-2026-50752, but it should be patched in the same maintenance window.
So What / Action
Patch immediately. Check Point has released hotfixes for all supported versions (R81.10.X through R82.10). If patching cannot happen today, disable IKEv1 and migrate VPN configurations to IKEv2. This is not optional: the exploitation window is open, the threat actor is active, and Qilin is a proven ransomware operator.
Audit VPN logs starting from May 7 for unusual IKEv1 connection patterns, unexpected certificate usage, post-authentication activity from unfamiliar source IPs, and Tox protocol traffic. Pay particular attention to any evidence of lateral movement from VPN entry points. If your organisation runs Check Point alongside Palo Alto, Fortinet, or F5 VPN infrastructure, consider the threat actor's cross-platform capability and assess all of those surfaces.
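One way to run the first pass of that log audit, as an added example that is not Check Point's tooling or part of the original advisory. It assumes VPN session records exported as JSON lines with hypothetical field names (ts, src_ip, ike_version, cert_subject); the baseline networks, certificate inventory and sample records are constructed.

```python
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed record shape (hypothetical field names, not a Check Point format):
# one JSON object per line with ts, src_ip, ike_version, cert_subject.
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)  # earliest activity per the advisory
KNOWN_NETS = [ip_network("198.51.100.0/24")]              # constructed baseline of usual client ranges
KNOWN_CERTS = {"CN=alice-laptop", "CN=bob-laptop"}        # constructed inventory of issued client certs

SAMPLE_LOG = """\
{"ts":"2026-05-01T09:00:00Z","src_ip":"203.0.113.7","ike_version":1,"cert_subject":"CN=unknown"}
{"ts":"2026-05-09T08:30:00Z","src_ip":"198.51.100.20","ike_version":1,"cert_subject":"CN=alice-laptop"}
{"ts":"2026-05-12T02:14:00Z","src_ip":"203.0.113.7","ike_version":1,"cert_subject":"CN=alice-laptop"}
{"ts":"2026-06-02T03:41:00Z","src_ip":"192.0.2.44","ike_version":1,"cert_subject":"CN=vpn-test"}
{"ts":"2026-06-03T03:50:00Z","src_ip":"192.0.2.44","ike_version":2,"cert_subject":"CN=vpn-test"}
truncated-line-without-json"""  # constructed sample records

def triage(lines):
    """Return (line_number, reasons) for IKEv1 sessions in the window that need review."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            src = ip_address(rec["src_ip"])
        except (ValueError, KeyError, TypeError, AttributeError):
            # Damaged records inside an audit window deserve a manual look.
            findings.append((n, ["unparseable"]))
            continue
        # Only IKEv1 sessions on or after May 7 are in scope for this check.
        if ts < WINDOW_START or rec.get("ike_version") != 1:
            continue
        reasons = []
        if not any(src in net for net in KNOWN_NETS):
            reasons.append("unfamiliar_source_ip")
        if rec.get("cert_subject") not in KNOWN_CERTS:
            reasons.append("unexpected_certificate")
        if reasons:
            findings.append((n, reasons))
    return findings

if __name__ == "__main__":
    for line_no, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Flagged sessions are starting points for review: follow each one into post-authentication activity and lateral movement from the assigned VPN address.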
CISA's remediation deadline was June 11. If you have not applied the hotfix, you are in non-compliance with BOD 22-01.

