Critical Check Point VPN Vulnerability Exploited by Qilin Ransomware Gang
Severity: High (Score: 72.9)
Sources: Feeds2.Feedburner, support.checkpoint.com, blog.checkpoint.com, www.checkpoint.com, Digital.Nhs.Uk
Keywords: check, point, access, successful, exploitation, cve-2026-50751, allow
Severity indicators: CVE:CVE-2026-50751
Summary
Check Point has reported active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Remote Access VPN and Mobile Access deployments. This flaw allows unauthenticated attackers to establish VPN sessions without valid passwords, specifically in systems using the deprecated IKEv1 key exchange protocol. The Qilin ransomware group has been linked to these attacks, which began on May 7, 2026, and have impacted a limited number of organizations worldwide. A second vulnerability, CVE-2026-50752, was also discovered but has not yet been exploited. Organizations are advised to apply security updates immediately to mitigate risks. The NHS has issued alerts regarding this vulnerability, emphasizing the need for prompt action to protect affected systems.
Key Points:
- CVE-2026-50751 allows VPN authentication bypass, impacting Check Point products.
- Exploitation linked to the Qilin ransomware group, with attacks starting on May 7, 2026.
- Organizations using IKEv1 are urged to apply patches and follow remediation steps immediately.
Detailed Analysis
**Impact** The vulnerability affects organizations using Check Point Remote Access VPN, Mobile Access, Security Gateway, Maestro Orchestrator, and Spark Firewall products configured with the deprecated IKEv1 key exchange protocol. Exploitation has impacted a few dozen organizations globally, including sectors such as automotive, publishing, pathology services, and government entities across multiple geographies. The Qilin ransomware gang has leveraged this vulnerability to gain unauthorized VPN access, facilitating ransomware deployment and potential data compromise. Critical business operations relying on remote access VPNs are at risk of disruption and data exfiltration.
**Technical Details** CVE-2026-50751 is a critical authentication bypass vulnerability caused by a logic flaw in certificate validation within the deprecated IKEv1 key exchange protocol on Check Point VPN products. A remote, unauthenticated attacker can bypass authentication and establish a VPN session without a valid password. A second related vulnerability, CVE-2026-50752, affects certificate validation in site-to-site VPNs and may enable man-in-the-middle attacks but has no confirmed exploitation. The Qilin ransomware-as-a-service group has actively exploited CVE-2026-50751 since early May 2026. Indicators of compromise and signatures are available via Check Point SmartConsole and network logs.
**Recommended Response** Apply the latest hotfixes from Check Point immediately to update affected products beyond the vulnerable versions, especially for those using IKEv1. If patching is not immediately possible, disable IKEv1 support, enforce IKEv2-only authentication, mandate machine certificate authentication, and enable IPS with updated signatures. Conduct compromise assessments using the provided IOCs and monitor VPN logs for unauthorized access attempts. Organizations running end-of-support versions must upgrade to supported releases to ensure continued protection.
Source articles (7)
- Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751) — Feeds2.Feedburner · 2026-06-08
A Qilin ransomware affiliate is believed to be exploiting CVE-2026-50751, an authentication bypass vulnerability in Check Point VPN Remote Access and Mobile Access, the company announced on Monday. CV…
- CC-4792 — Digital.Nhs.Uk · 2026-06-08
Successful exploitation of CVE-2026-50751 could allow an attacker to establish a VPN session without a valid password
- Check Point Quantum Security Gateway / Maestro Orchestrator / Security Group: R80.40 (End-of-Support), R81 (End-of-Support), R81.10 (End-of-Support), R81.20 Jumbo Hotfix Take 141 or below, R82 Jumbo Hotfix Take 103 or below, R82.10 Jumbo Hotfix Take 19 or below — www.checkpoint.com · 2026-06-08
Protect your network against sophisticated cyber attacks with AI-powered threat prevention, real-time global threat intelligence, unified policy management, and hyper scale networking.
- Check Point Spark Firewall: R80.20.X (End-of-Support), R81.10.X, R82.00.X — www.checkpoint.com · 2026-06-08
Check Point Spark Firewall tackles challenges faced by SMBs with a comprehensive, user-friendly cybersecurity solution, ideal for both SMBs and MSPs, ensuring top performance and robust protection. Re…
- Check Point links VPN zero — Bleepingcomputer · 2026-06-08
Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks. Tra…
- CVE-2026-50751 — support.checkpoint.com · 2026-06-08
- Check Point Releases Important Hotfix For Vulnerabilities In Deprecated IKEv1 VPN Protocol — blog.checkpoint.com · 2026-06-08
Timeline
- 2026-05-07 — Exploitation of CVE-2026-50751 begins: Attacks exploiting the authentication bypass vulnerability started, targeting Check Point VPNs configured with IKEv1.
- 2026-06-08 — CVE-2026-50751 and CVE-2026-50752 published: Check Point disclosed two critical vulnerabilities affecting Remote Access VPN and Mobile Access, urging immediate patching.
- 2026-06-08 — Check Point issues security advisory: The company released guidance for organizations to mitigate risks associated with the VPN vulnerabilities.
Related entities
- DDoS (Attack Type)
- Man-in-the-Middle (Attack Type)
- Ransomware (Attack Type)
- Zero-day Exploit (Attack Type)
- Agenda (Ransomware Group)
- Asahi (Ransomware Group)
- Synnovis (Ransomware Group)
- Qilin (Ransomware Group)
- Check Point (Company)
- Court Services Victoria (Company)
- Lee Enterprises (Company)
- Nissan (Company)
- Yangfeng (Company)
- Australia (Country)
- England (Country)
- CWE-287 - Improper Authentication (CWE)
- CWE-295 - Improper Certificate Validation (CWE)
- T1557 - Adversary-in-the-Middle (MITRE ATT&CK)
- Check Point Mobile Access (Platform)
- Check Point Remote Access VPN (Platform)
- Check Point VPN Remote Access (Platform)
- Maestro Orchestrator (Platform)
- Mobile Access (Platform)
- Remote Access VPN (Platform)
- Security Gateway (Platform)
- Security Group (Platform)
- Spark Firewall (Platform)
- Spark Firewalls (Platform)