Breaking: Check Point VPN Bypass Exploited by Qilin Ransomware + Ivanti Sentry CVSS 10.0 + Oracle PeopleSoft Takeover — 16 June 2026
Check Point VPN Auth Bypass Under Active Ransomware Exploitation
Check Point has confirmed active in-the-wild exploitation of CVE-2026-50751, a critical authentication bypass vulnerability in Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 protocol. CVSS 9.3. An unauthenticated attacker can establish a VPN session without a valid password by exploiting a logic flaw in certificate validation. CISA added it to the Known Exploited Vulnerabilities catalog on June 8 with a remediation deadline that has already passed (June 11).
Check Point Research identified the actor as a financially motivated threat group deploying Qilin ransomware. Exploitation attempts began as early as May 7 and intensified in early June. The group operates from dedicated VPS infrastructure (Kaupo Cloud HK, Shock Hosting, Vultr) and appears to be targeting multiple VPN vendors simultaneously. Post-compromise activity has been confirmed in at least one case linked to Qilin ransomware deployment.
Affected versions span R80.20.x through R82.10, including multiple end-of-life releases. The fix is a hotfix available via sk185033. Organisations still running IKEv1 for VPN key exchange face immediate exposure. The mitigation for those unable to patch immediately is to disable IKEv1 and move to IKEv2.
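To confirm that the IKEv1 mitigation above took effect, the following added example (not Check Point tooling and not code from the advisory) reads the version field of the IKE header in captured UDP 500/4500 payloads and lists gateways that still send IKEv1 negotiation messages. The addresses, capture records and function names are constructed for illustration; the only assumption about the capture is that it has been reduced to (source IP, UDP port, payload) tuples.

```python
import struct

# IKE header (RFC 2408 / RFC 7296), 28 bytes: initiator SPI, responder SPI, next
# payload, version (major << 4 | minor), exchange type, flags, message ID, length.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
# IKEv1 exchanges that negotiate an SA. Informational (5) is left out because
# it can carry a rejection rather than a negotiation.
V1_NEGOTIATION = {2: "Main Mode", 4: "Aggressive Mode", 32: "Quick Mode"}

def parse_ike(payload, udp_port=500):
    """Return (major_version, exchange_type) for a UDP payload, or None if not IKE."""
    if udp_port == 4500:
        # NAT-T (RFC 3948): IKE follows a 4-byte zero non-ESP marker; any
        # other payload on this port is ESP-in-UDP.
        if payload[:4] != bytes(4):
            return None
        payload = payload[4:]
    if len(payload) < IKE_HEADER.size:
        return None
    _i, _r, _np, version, exchange, _fl, _id, length = IKE_HEADER.unpack_from(payload)
    major = version >> 4
    if major not in (1, 2) or length < IKE_HEADER.size:
        return None
    return major, exchange

def gateways_negotiating_ikev1(records, gateways):
    """Map each gateway address to the IKEv1 negotiation messages it SENT.
    records: iterable of (src_ip, udp_port, payload) taken from a capture."""
    hits = {}
    for src, port, payload in records:
        parsed = parse_ike(payload, port)
        if src in gateways and parsed and parsed[0] == 1 and parsed[1] in V1_NEGOTIATION:
            hits.setdefault(src, []).append(V1_NEGOTIATION[parsed[1]])
    return hits

def sample_header(major, exchange):
    """Constructed IKE header for the demo; no payloads follow it."""
    return IKE_HEADER.pack(b"\x11" * 8, b"\x22" * 8, 0, major << 4, exchange, 0, 0, 28)

# Constructed capture: 192.0.2.10 still negotiates IKEv1, 192.0.2.20 is IKEv2 only.
CAPTURE = [
    ("198.51.100.7", 500, sample_header(1, 2)),       # client request, not a gateway
    ("192.0.2.10", 500, sample_header(1, 2)),         # gateway Main Mode reply
    ("192.0.2.10", 4500, bytes(4) + sample_header(1, 32)),  # Quick Mode over NAT-T
    ("192.0.2.20", 500, sample_header(2, 34)),        # IKEv2 IKE_SA_INIT reply
    ("192.0.2.20", 4500, b"\xde\xad\xbe\xef" + bytes(40)),  # ESP-in-UDP data
]
if __name__ == "__main__":
    print(gateways_negotiating_ikev1(CAPTURE, {"192.0.2.10", "192.0.2.20"}))
```

An empty result for a gateway means only that no IKEv1 negotiation was seen from it in that capture window; the gateway's own VPN community settings remain the authoritative check.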
A related vulnerability, CVE-2026-50752 (CVSS 7.4), enables man-in-the-middle interference with site-to-site VPN communications under specific conditions. No exploitation has been observed for this second flaw.
Ivanti Sentry Root RCE — CVSS 10.0
Ivanti Sentry (formerly MobileIron Sentry) contains CVE-2026-10520, a remote unauthenticated OS command injection vulnerability that grants root-level code execution. CVSS 10.0 — the maximum score. The flaw affects Ivanti Sentry versions before R10.5.2, R10.6.2, and R10.7.1. Exploitation is possible when the Sentry appliance is in an unmanaged state with endpoints externally reachable. CISA KEV-listed on June 11 with a June 14 deadline that has also passed.
WatchTowr Labs published a detection artifact generator on GitHub, indicating functional proof-of-concept code is publicly available. Organisations running Ivanti Sentry should treat this as an immediate compromise risk. The vendor advisory and patches are available on the Ivanti hub.
Oracle PeopleSoft Unauthenticated Takeover — CVSS 9.8
CVE-2026-35273 affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The vulnerability is a missing authentication flaw in the Updates Environment Management component, allowing an unauthenticated remote attacker to achieve full takeover via HTTP. CVSS 9.8. CISA KEV-listed June 12 with a June 15 deadline. The KEV entry specifically flags this vulnerability as known to be used in ransomware campaigns.
Oracle issued an out-of-cycle Security Alert on June 10, which is unusual for PeopleSoft flaws and signals the severity. The vulnerability was reported by TrendAI researchers. Organisations running PeopleSoft with internet-facing instances should treat this as a critical patching priority.
So What / Action
Three critical VPN and perimeter vulnerabilities, all actively exploited, all on CISA KEV with past-due remediation deadlines. This is the same pattern that drove compromise cascades throughout 2024 and 2025: perimeter devices as the beachhead, ransomware as the payload.
Immediate actions:
- Check Point VPN: Apply the hotfix from sk185033. If patching is delayed, disable IKEv1 and enforce IKEv2 immediately. Audit VPN logs from May 7 onward for indicators listed in the Check Point advisory. Review for Qilin ransomware IOCs — the group is targeting multiple VPN platforms.
- Ivanti Sentry: Patch to R10.5.2/R10.6.2/R10.7.1 or later. If Sentry appliances are in an unmanaged state, assume compromise and conduct an incident review. The CVSS 10.0 score and public PoC make unpatched systems a near-certain target.
- Oracle PeopleSoft: Apply the Security Alert patch. Internet-facing PeopleSoft instances without this patch are at extreme risk — unauthenticated takeover with known ransomware involvement warrants emergency patching, not scheduled maintenance.
All three belong in this week's emergency change window, not next quarter's.

