Breaking: Check Point VPN Auth Bypass Exploited by Qilin Ransomware — 17 June 2026
Check Point VPN Authentication Bypass Under Active Exploitation by Qilin Ransomware Affiliate
A critical authentication bypass vulnerability in Check Point Security Gateway is being actively exploited in the wild by a financially motivated threat actor deploying Qilin ransomware. CVE-2026-50751 carries a CVSS score of 9.3 and affects Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 key exchange protocol. CISA added it to the Known Exploited Vulnerabilities catalog on June 8 with a remediation deadline of June 11, which has already passed.
Check Point Research confirmed the vulnerability allows an unauthenticated attacker to bypass user authentication by exploiting a logic flaw in certificate validation, establishing a VPN session without a valid password. Active exploitation has been observed targeting a few dozen organisations globally, with exploitation attempts beginning as early as May 7 and escalating significantly through early June.
One confirmed case involves post-compromise activity attributed to a Qilin ransomware affiliate. Check Point assesses with medium confidence that the actor is financially motivated and has also been observed exploiting other VPN-related vulnerabilities from Palo Alto, Fortinet, and F5. The actor uses dedicated VPS infrastructure from Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with some correlation between victim geography and attacker infrastructure geolocation. Communication uses the Tox protocol, a pattern commonly associated with financially motivated ransomware operations.
A related vulnerability, CVE-2026-50752 (CVSS 7.4), was discovered during the investigation. It affects certificate validation in IKEv1 for site-to-site VPN connections, potentially enabling man-in-the-middle attacks under specific conditions. No exploitation of CVE-2026-50752 has been observed in the wild.
Affected products include Check Point Mobile Access, SSL VPN, Remote Access VPN, and Spark Firewall running versions R81.10 through R82.10, plus several end-of-life versions (R80.20 through R81.10.X). Hotfixes are available via sk185033 and sk185035.
If your organisation runs Check Point Security Gateways with IKEv1 enabled for remote access or site-to-site VPNs, treat this as an immediate priority. Apply the hotfixes now. If patching is delayed, disable IKEv1 and migrate to IKEv2 immediately — IKEv1 has been formally marked for historic deprecation by the IETF. Audit logs from May 7 onward for suspicious VPN session establishment, particularly connections that bypassed normal authentication flows. Check for the published indicators of compromise, which include IPs from Kaupo Cloud HK, Shock Hosting, and Vultr, plus two known malicious file hashes. If Qilin ransomware or any unauthorized VPN session activity is detected, assume full environment compromise and initiate incident response accordingly.
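The audit step above (look from May 7 onward for VPN sessions that came up without passing the normal authentication flow, and cross-check peer addresses against the published indicators) can be scripted. The following is an added example, not Check Point's own tooling or anything shipped with the advisory: the log layout is a constructed key=value format standing in for the gateway's real log schema, the `auth_ok` / `session_up` event names and the `ike=` field are assumptions, and the IoC ranges are placeholders rather than the published indicator addresses.

```python
"""
Hunt for remote-access VPN sessions that came up without a matching
authentication event, restricted to the advisory's audit window.

Added example, not Check Point code. The log format below is a constructed
key=value layout (hypothetical, not the real gateway log schema) and the
IoC ranges are placeholders, not the published indicators.
"""
import ipaddress
from datetime import datetime, timezone

# Earliest observed exploitation attempt per the advisory: audit from here onward.
AUDIT_START = datetime(2026, 5, 7, tzinfo=timezone.utc)

# PLACEHOLDER networks standing in for the published IoC IPs (RFC 5737 test ranges).
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample events (hypothetical format: space-separated key=value pairs).
SAMPLE_LOG = """\
time=2026-05-06T22:10:03Z event=auth_ok session=s1 user=alice src=192.0.2.10
time=2026-05-06T22:10:04Z event=session_up session=s1 user=alice src=192.0.2.10 ike=v1
time=2026-05-09T01:15:30Z event=session_up session=s2 user=svc_backup src=203.0.113.77 ike=v1
time=2026-05-09T01:20:11Z event=auth_ok session=s3 user=bob src=192.0.2.33
time=2026-05-09T01:20:12Z event=session_up session=s3 user=bob src=192.0.2.33 ike=v2
time=2026-06-02T14:45:00Z event=session_up session=s4 user=admin src=198.51.100.5 ike=v1
"""


def parse_line(line):
    """Turn one key=value line into a dict; the timestamp becomes an aware datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = datetime.strptime(
        fields["time"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    return fields


def in_ioc_ranges(ip):
    """True when the address falls inside any of the (placeholder) IoC networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOC_NETWORKS)


def find_suspicious_sessions(log_text, audit_start=AUDIT_START):
    """
    Return one finding per session_up event on or after audit_start that either
    has no earlier auth_ok for the same session id (authentication flow skipped)
    or comes from an IoC range. Each finding lists every reason that applied,
    including 'ikev1' as context since the flaw is specific to IKEv1 deployments.
    """
    authenticated = set()
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["event"] == "auth_ok":
            authenticated.add(ev["session"])
            continue
        if ev["event"] != "session_up" or ev["time"] < audit_start:
            continue
        reasons = []
        if ev["session"] not in authenticated:
            reasons.append("no_auth_event")
        if in_ioc_ranges(ev["src"]):
            reasons.append("ioc_src")
        if ev.get("ike") == "v1":
            reasons.append("ikev1")
        if "no_auth_event" in reasons or "ioc_src" in reasons:
            findings.append({
                "session": ev["session"],
                "user": ev["user"],
                "src": ev["src"],
                "time": ev["time"].isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{f['time']} session={f['session']} user={f['user']} "
              f"src={f['src']} reasons={','.join(f['reasons'])}")
```

On the constructed sample, session s1 is ignored because it predates the audit window, s3 passes because an `auth_ok` precedes its `session_up`, and s2 and s4 are reported for coming up with no authentication event from addresses inside the placeholder IoC ranges. Against real gateway logs, the two things to adapt are the parser (to the actual log schema and field names) and the IoC list (to the published indicators); the "session established with no preceding authentication event" check is the signal the advisory asks you to look for.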
In parallel, note that CISA also added CVE-2026-48907 (Joomla Content Editor unauthenticated remote code execution, CVSS v4 10.0) to KEV on June 16 with a three-day remediation deadline of June 19, and CVE-2026-10520 (Ivanti Sentry unauthenticated root-level RCE) on June 11 with a deadline of June 14. Both warrant immediate patching attention if these products are in your environment.