Critical Zero-Day Exploited in Check Point VPNs by Qilin Ransomware Gang

Severity: High (Score: 79.5)

Sources: support.checkpoint.com, www.checkpoint.com, Bleepingcomputer, M.Investing, M.Za.Investing

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: check, point, access, successful, exploitation, cve-2026-50751, allow

Severity indicators: CVE:CVE-2026-50751

Summary

Check Point disclosed a critical zero-day vulnerability (CVE-2026-50751) in its Remote Access VPN and Mobile Access products, exploited by a Qilin ransomware affiliate since May 7, 2026. The flaw allows unauthenticated attackers to bypass password authentication entirely due to a logic error in certificate validation, affecting deployments using the deprecated IKEv1 key exchange protocol. The vulnerability has a CVSS score of 9.3 and has been actively exploited against a limited number of organizations globally. A second related vulnerability (CVE-2026-50752) was also identified, affecting site-to-site VPN connections, but it has not yet been reported as exploited in the wild. Check Point has released patches and mitigation strategies, urging affected organizations to update their systems immediately. The exploitation of this vulnerability highlights a growing trend of zero-day attacks targeting VPN appliances and network edge devices.

Key Points:

  • CVE-2026-50751 allows attackers to bypass authentication on Check Point VPNs.
  • Exploitation linked to Qilin ransomware gang, affecting dozens of organizations.
  • Patches and mitigation measures have been released; immediate action is advised.

Detailed Analysis

**Impact** A few dozen organizations globally across multiple sectors, including automotive, publishing, pathology services, and government agencies, have been targeted since early May 2026. Victims include high-profile companies such as Nissan, Yangfeng, Asahi, Lee Enterprises, Synnovis, and Australia's Court Services Victoria. The vulnerability affects both large enterprises and SMBs using Check Point Remote Access VPN, Mobile Access, and Spark Firewall products configured with the deprecated IKEv1 protocol. Exploitation enables unauthorized VPN access, potentially leading to ransomware deployment and data compromise.

**Technical Details** The exploited vulnerability, CVE-2026-50751 (CVSS 9.3), is an authentication bypass in Check Point VPNs using IKEv1, allowing unauthenticated attackers to establish VPN sessions by exploiting a logic flaw in certificate validation. A second related vulnerability, CVE-2026-50752 (CVSS 7.4), enables man-in-the-middle attacks on site-to-site VPN connections but has no confirmed exploitation. The Qilin ransomware affiliate is confirmed to have leveraged CVE-2026-50751 for initial access, using attacker infrastructure with virtual private servers geolocated near targets and communicating via the Tox protocol. Indicators of compromise include attacker IP addresses and suspicious certificate subject names observed between May 7 and June 5, 2026.

**Recommended Response** Apply the Check Point hotfixes addressing CVE-2026-50751 and CVE-2026-50752 immediately, especially for systems using IKEv1. If patching is not immediately possible, disable legacy remote access clients, enforce IKEv2-only authentication, mandate machine certificate authentication, and enable IPS with updated signatures. Conduct compromise assessments using provided IOCs and monitor VPN authentication logs for anomalous certificate validation attempts. Organizations should upgrade from end-of-support versions to supported releases to ensure ongoing protection.

Source articles (15)

  • Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751) — Feeds2.Feedburner · 2026-06-08
    A Qilin ransomware affiliate is believed to be exploiting CVE-2026-50751, an authentication bypass vulnerability in Check Point VPN Remote Access and Mobile Access, the company announced on Monday. CV…
  • CC-4792 — Digital.Nhs.Uk · 2026-06-08
    Successful exploitation of CVE-2026-50751 could allow an attacker to establish a VPN session without a valid password Successful exploitation of CVE-2026-50751 could allow an attacker to establish a V…
  • Check Point Quantum Security Gateway / Maestro Orchestrator / Security Group R80.40 (End-of-Support) R81 (End-of-Support) R81.10 (End-of-Support) R81.20 Jumbo Hotfix Take 141 or below R82 Jumbo Hotfix Take 103 or below R82.10 Jumbo Hotfix Take 19 or below — www.checkpoint.com · 2026-06-08
    Protect your network against sophisticated cyber attacks with AI-powered threat prevention, real-time global threat intelligence, unified policy management, and hyper scale networking. Get a demo AI D…
  • Check Point Spark Firewall R80.20.X (End-of-Support) R81.10.X R82.00.X — www.checkpoint.com · 2026-06-08
    Check Point Spark Firewall tackles challenges faced by SMBs with a comprehensive, user-friendly cybersecurity solution, ideal for both SMBs and MSPs, ensuring top performance and robust protection. Re…
  • Check Point links VPN zero — Bleepingcomputer · 2026-06-08
    Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks. Tra…
  • Check Point links VPN zero-day attacks to Qilin ransomware gang — Bleepingcomputer · 2026-06-08
    Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks. Tra…
  • Why is Check Point Software stock sliding today? — M.Investing · 2026-06-08
    Investing.com -- Check Point Software Technologies Ltd. stock fell 2.5% in morning trading after the company publicly disclosed an actively exploited critical security flaw in its flagship VPN product…
  • Why is Check Point Software stock sliding today? By Investing.com — M.Za.Investing · 2026-06-08
    Investing.com -- Check Point Software Technologies Ltd. stock fell 2.5% in morning trading after the company publicly disclosed an actively exploited critical security flaw in its flagship VPN product…
  • Ransomware crims got a month-long head start on Check Point VPN 0 — Theregister · 2026-06-08
    Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware c…
  • Check Point VPN 0 — Cybersecuritynews · 2026-06-08
    Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, with…
  • Draft Ietf Ipsecme Ikev1 Algo To Historic 07 — www.ietf.org · 2026-06-08
    A few notably IKEv1 features are not present in the IKEv2 core specification [ RFC7296 ] but are available for IKEv2 via an additional specification: ¶ IKEv1 and its way of using Preshared Keys (PSKs)…
  • A Qilin ransomware affiliate exploited a Check Point VPN zero — Thenextweb · 2026-06-08
    Check Point patched a critical VPN zero-day (CVE-2026-50751) exploited since May 7 by a Qilin ransomware affiliate targeting dozens of organisations. Check Point has disclosed and patched a critical z…
  • CVE-2026-50751 — support.checkpoint.com · 2026-06-08
  • Check Point Releases Important Hotfix For Vulnerabilities In Deprecated Ikev1 Vpn Protocol — blog.checkpoint.com · 2026-06-08
  • CVE-2026-50752 — support.checkpoint.com · 2026-06-08

Timeline

  • 2026-05-07 — Exploitation of CVE-2026-50751 begins: Qilin ransomware affiliates start exploiting the critical VPN vulnerability, targeting several dozen organizations.
  • 2026-06-04 — Suspicious activity detected: Check Point identifies suspicious activity related to the zero-day vulnerability, prompting an investigation.
  • 2026-06-08 — CVE-2026-50751 published: Check Point publicly discloses the critical authentication bypass vulnerability and its exploitation.
  • 2026-06-08 — Patches released: Check Point releases security updates to address CVE-2026-50751 and CVE-2026-50752, urging immediate application.
  • 2026-06-08 — CVE-2026-50751 added to CISA KEV: CISA includes CVE-2026-50751 in its Known Exploited Vulnerabilities catalog due to active exploitation.
  • 2026-06-08 — CVE-2026-50752 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2026-50571
  • CVE-2026-50751
  • CVE-2026-50752

Related entities

  • DDoS (Attack Type)
  • Man-in-the-Middle (Attack Type)
  • Ransomware (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Agenda (Ransomware Group)
  • Asahi (Ransomware Group)
  • Synnovis (Ransomware Group)
  • Qilin (Ransomware Group)
  • Qilin Ransomware (Ransomware Group)
  • Qilin Ransomware gang (Ransomware Group)
  • Check Point (Company)
  • Court Services Victoria (Company)
  • F5 (Company)
  • Fortinet (Company)
  • Lee Enterprises (Company)
  • Nissan (Company)
  • Palo Alto Networks (Company)
  • Yangfeng (Company)
  • Nutanix (Company)
  • Australia (Country)
  • England (Country)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-295 - Improper Certificate Validation (Cwe)
  • investing.com (Domain)
  • T1021 - Remote Services (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1133 - External Remote Services (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1557 - Adversary-in-the-Middle (Mitre Attack)
  • Check Point Mobile Access (Platform)
  • Check Point Remote Access VPN (Platform)
  • Check Point SmartConsole (Platform)
  • Check Point VPN Remote Access (Platform)
  • ESXi (Platform)
  • Linux (Platform)
  • Maestro Orchestrator (Platform)
  • Mobile Access (Platform)
  • Remote Access VPN (Platform)
  • Security Gateway (Platform)
  • Security Group (Platform)
  • Spark Firewall (Platform)
  • Spark Firewalls (Platform)
  • Sliver (Malware)