Critical Check Point VPN Vulnerability Exploited by Ransomware Gang
Severity: High (Score: 78.8)
Sources: Digital.Nhs.Uk, Scworld, Hkcert, Bleepingcomputer, www.checkpoint.com
Keywords: check, point, access, successful, exploitation, cve-2026-50751, allow
Severity indicators: CVE:CVE-2026-50751
Summary
Check Point Software Technologies disclosed a critical authentication bypass vulnerability (CVE-2026-50751) affecting its Remote Access VPN and Mobile Access products, with exploitation confirmed since May 7, 2026. The flaw allows unauthenticated attackers to establish VPN sessions without valid credentials by exploiting a logic error in certificate validation, particularly in setups using the deprecated IKEv1 key exchange protocol. The vulnerability has been linked to the Qilin ransomware group, which has targeted several dozen organizations globally. Check Point has released emergency hotfixes and urged affected customers to apply them immediately.

A related vulnerability, CVE-2026-50752, was also identified but has not been confirmed as exploited in the wild. The situation poses significant operational risks for organizations still using IKEv1 configurations. CISA has added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by June 11, 2026.

Key Points:
- CVE-2026-50751 allows attackers to bypass VPN authentication entirely.
- Exploitation linked to the Qilin ransomware group has targeted dozens of organizations.
- Emergency hotfixes have been released; affected users must patch immediately.
Detailed Analysis
**Impact** The vulnerability affects Check Point Remote Access VPN, Mobile Access, and Spark Firewall products configured with the deprecated IKEv1 key exchange protocol. Exploitation has been confirmed in the wild since May 7, 2026, impacting a few dozen targeted organizations globally across multiple sectors, including automotive, publishing, and government services. At least one confirmed incident involved a Qilin ransomware affiliate conducting post-compromise activity. The vulnerability allows unauthorized VPN access, posing operational risks and potential data exposure.

**Technical Details** CVE-2026-50751 is a critical authentication bypass vulnerability (CVSS 9.3) caused by a logic flaw in certificate validation within IKEv1-based VPN deployments. Attackers can establish VPN sessions without valid passwords, bypassing authentication. A second related vulnerability, CVE-2026-50752 (CVSS 7.4), enables man-in-the-middle attacks on site-to-site VPNs but has no confirmed exploitation. The Qilin ransomware group uses dedicated VPS infrastructure, often geolocated near targets, and employs the Tox protocol for communication. Indicators of compromise include attacker IP addresses and VPN certificate authentication attempts logged in Check Point SmartConsole.

**Recommended Response** Apply the Check Point hotfixes addressing CVE-2026-50751 and CVE-2026-50752 immediately, prioritizing systems using IKEv1. Where patching is delayed, remove support for legacy remote access clients, enforce IKEv2-only authentication, and mandate machine certificate authentication. Monitor SmartConsole logs for suspicious VPN certificate authentication attempts and attacker IPs provided by Check Point. Enable IPS with updated signatures and conduct forensic log audits dating back to May 7, 2026.
Source articles (30)
- Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751) — Feeds2.Feedburner · 2026-06-08
  A Qilin ransomware affiliate is believed to be exploiting CVE-2026-50751, an authentication bypass vulnerability in Check Point VPN Remote Access and Mobile Access, the company announced on Monday. CV…
- CC-4792 — Digital.Nhs.Uk · 2026-06-08
  Successful exploitation of CVE-2026-50751 could allow an attacker to establish a VPN session without a valid password Successful exploitation of CVE-2026-50751 could allow an attacker to establish a V…
- Check Point Quantum Security Gateway / Maestro Orchestrator / Security Group R80.40 (End-of-Support) R81 (End-of-Support) R81.10 (End-of-Support) R81.20 Jumbo Hotfix Take 141 or below R82 Jumbo Hotfix Take 103 or below R82.10 Jumbo Hotfix Take 19 or below — www.checkpoint.com · 2026-06-08
  Protect your network against sophisticated cyber attacks with AI-powered threat prevention, real-time global threat intelligence, unified policy management, and hyper scale networking. Get a demo AI D…
- Check Point Spark Firewall R80.20.X (End-of-Support) R81.10.X R82.00.X — www.checkpoint.com · 2026-06-08
  Check Point Spark Firewall tackles challenges faced by SMBs with a comprehensive, user-friendly cybersecurity solution, ideal for both SMBs and MSPs, ensuring top performance and robust protection. Re…
- Check Point links VPN zero — Bleepingcomputer · 2026-06-08
  Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks. Tra…
- Check Point links VPN zero-day attacks to Qilin ransomware gang — Bleepingcomputer · 2026-06-08
  Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks. Tra…
- VPN vulnerability prompts Check Point (CHKP) to issue security hotfix — Stocktitan · 2026-06-08
  Check Point Software Technologies Ltd. reported discovering a security vulnerability affecting Remote Access VPN and Mobile Access features in certain configurations of its security gateway products.…
- Why is Check Point Software stock sliding today? — M.Investing · 2026-06-08
  Investing.com -- Check Point Software Technologies Ltd. stock fell 2.5% in morning trading after the company publicly disclosed an actively exploited critical security flaw in its flagship VPN product…
- Why is Check Point Software stock sliding today? By Investing.com — M.Za.Investing · 2026-06-08
  Investing.com -- Check Point Software Technologies Ltd. stock fell 2.5% in morning trading after the company publicly disclosed an actively exploited critical security flaw in its flagship VPN product…
- Check Point slides after reporting security vulnerability affecting remote access VPN — Seekingalpha · 2026-06-08
  Check Point Software Technologies ( CHKP ) announced on Monday that it has identified a security vulnerability affecting Remote Access VPN and Mobile Access functionality in certain configurations of…
- Ransomware crims got a month-long head start on Check Point VPN 0 — Theregister · 2026-06-08
  Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware c…
- Check Point VPN 0 — Cybersecuritynews · 2026-06-08
  Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, with…
- Draft Ietf Ipsecme Ikev1 Algo To Historic 07 — www.ietf.org · 2026-06-08
  A few notably IKEv1 features are not present in the IKEv2 core specification [ RFC7296 ] but are available for IKEv2 via an additional specification: IKEv1 and its way of using Preshared Keys (PSKs)…
- A Qilin ransomware affiliate exploited a Check Point VPN zero — Thenextweb · 2026-06-08
  Check Point patched a critical VPN zero-day (CVE-2026-50751) exploited since May 7 by a Qilin ransomware affiliate targeting dozens of organisations. Check Point has disclosed and patched a critical z…
- Check Point VPN Flaw Exploited Since Early May — Darkreading · 2026-06-08
  A newly discovered, critical zero-day vulnerability is under attack; a Qilin ransomware affiliate has been blamed for at least one incident. A threat actor is exploiting a critical vulnerability prese…
- Check Point links VPN zero-day attacks to Qilin ransomware gang — Ground.News · 2026-06-08
  Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware c…
- Check Point patches critical VPN flaw exploited in zero-day attacks | brief — Scworld · 2026-06-08
  Check Point has released security updates to address a critical vulnerability in its Remote Access VPN and Mobile Access deployments that was exploited in zero-day attacks. The flaw, tracked as CVE-20…
- Check Point Products Multiple Vulnerabilities — Hkcert · 2026-06-09
  Multiple vulnerabilities were identified in Check Point Products. A remote attacker could exploit some of these vulnerabilities to trigger security restriction bypass on the targeted system. CVE-2026-…
- CISA gives feds 3 days to patch Check Point VPN bug exploited as zero — Bleepingcomputer · 2026-06-09
  CISA has ordered U.S. government agencies to secure their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability exploited in zero-day attacks by Qilin ransomware…
- Check Point warns: Attackers bypass VPN authentication — Heise.De · 2026-06-09
  The security software provider Check Point is warning of attacks on a security vulnerability in the company's VPN software. It classifies the vulnerability as a critical security risk and speaks of a…
- Check Point Warns Critical Auth Bypass Bug Exploited in the Wild — Infosecurity-Magazine · 2026-06-09
  Check Point has urged customers to patch a critical zero-day vulnerability in its Remote Access VPN and Mobile Access solutions that is being actively exploited. CVE-2026-50751 is an authentication by…
- Critical Vulnerability in Check Point VPN — Csa.Sg · 2026-06-09
  Attackers are actively exploiting a critical vulnerability in Check Point VPN to bypass authentication and gain unauthorised remote access. Apply security updates immediately. Check Point has released…
- Check Point warns of ransomware — Csoonline · 2026-06-09
  Check Point has issued emergency hotfixes for a pair of vulnerabilities affecting VPN deployments that still use the deprecated Internet Key Exchange version 1 (IKEv1) protocol, warning that one of th…
- CVE-2026-50751 — support.checkpoint.com · 2026-06-08
- Check Point Releases Important Hotfix For Vulnerabilities In Deprecated Ikev1 Vpn Protocol — blog.checkpoint.com · 2026-06-08
Timeline
- 2024-05-28 — CVE-2024-24919 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-07 — Exploitation of CVE-2026-50751 begins: Attacks exploiting the authentication bypass vulnerability started on May 7, affecting organizations globally.
- 2026-06-04 — Check Point activates incident response: Check Point began investigating suspicious activities related to the VPN vulnerability after detecting issues on June 4.
- 2026-06-08 — CVE-2026-50751 disclosed: Check Point publicly disclosed the critical vulnerability and released hotfixes for affected systems.
- 2026-06-08 — CISA adds CVE-2026-50751 to KEV catalog: CISA mandated federal agencies to secure their Check Point VPN deployments against the exploited vulnerability by June 11.
- 2026-06-08 — CVE-2026-50752 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-09 — Check Point stock slides: Following the vulnerability disclosure, Check Point's stock fell 2.5%, reflecting investor concerns over the active exploitation.
Related entities
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Malware (Attack Type)
- Man-in-the-Middle (Attack Type)
- Ransomware (Attack Type)
- Zero-day Exploit (Attack Type)
- Agenda (Ransomware Group)
- Asahi (Ransomware Group)
- Synnovis (Ransomware Group)
- Qilin (Ransomware Group)
- NailaoLocker (Ransomware Group)
- Qilin Ransomware (Ransomware Group)
- Qilin Ransomware gang (Ransomware Group)
- Qilin Ransomware-as-a-Service (RaaS) Operation (Campaign)
- Check Point (Company)
- Check Point Software Technologies (Company)
- Court Services Victoria (Company)
- F5 (Company)
- Fortinet (Company)
- Lee Enterprises (Company)
- Nissan (Company)
- Palo Alto Networks (Company)
- Yangfeng (Company)
- Fortinet FortiClient EMS (Company)
- Nutanix (Company)
- Australia (Country)
- England (Country)
- Israel (Country)
- Taiwan (Country)
- CWE-287 - Improper Authentication (Cwe)
- CWE-295 - Improper Certificate Validation (Cwe)
- ems.as (Domain)
- german.it (Domain)
- investing.com (Domain)
- T1021 - Remote Services (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1133 - External Remote Services (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1557 - Adversary-in-the-Middle (Mitre Attack)
- Check Point Mobile Access (Platform)
- Check Point Mobile Access VPN (Platform)
- Check Point Remote Access VPN (Platform)
- Check Point SmartConsole (Platform)
- Check Point VPN (Platform)
- Check Point VPN Remote Access (Platform)
- ESXi (Platform)
- Gaia (Platform)
- Linux (Platform)
- Maestro Orchestrator (Platform)
- Mobile Access (Platform)
- Quantum Security Gateways (Platform)
- Remote Access VPN (Platform)
- Security Gateway (Platform)
- Security Group (Platform)
- Spark Firewall (Platform)
- Spark Firewalls (Platform)
- Sliver (Malware)
- Tox (Tool)
- TOX Protocol (Tool)