Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol.

By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements.

Bypassing authentication alone does not grant access to internal resources; additional post-authentication activity is required to reach internal systems or escalate privileges.

To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate.

Customers using the IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately.

CVE Details

CVE-2026-50751 is an authentication bypass on VPN Remote Access and Mobile Access in the deprecated IKEv1 key exchange. An attacker can bypass user authentication by exploiting a logic flaw in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password. Check Point has observed active exploitation of this vulnerability in the wild.

Enhancing Security with BLAST (Check Point’s Agentic AI Code Security Platform)

As part of the CVE-2026-50751 investigation, Check Point Research conducted an extended review of the affected VPN components using BLAST, our agentic application security platform. This process identified and enabled the remediation of an additional vulnerability, CVE-2026-50752.

CVE-2026-50752 impacts certificate validation in deprecated IKEv1 key exchange and may allow man-in-the-middle interference with site-to-site VPN communications under specific conditions.

Check Point has not observed exploitation of this vulnerability in the wild; customers are advised to apply updates to mitigate potential exposure.

The identification of CVE-2026-50752 underscores the importance of combining threat intelligence, security research, and AI-assisted code analysis to proactively detect and remediate vulnerabilities before they can be weaponized.

CVE-2026-50751
Description: User authentication bypass on VPN Remote Access and Mobile Access in deprecated IKEv1 key exchange.
CVSS: 9.3
Affected Products: Mobile Access / SSL VPN, Remote Access VPN, Spark Firewall
Affected Versions: R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, R82.10
Exploited in the wild: YES
SK: sk185033

CVE-2026-50752
Description: A condition in the certificate validation logic of the deprecated IKEv1 key exchange can allow a man-in-the-middle attack on VPN site-to-site connections.
CVSS: 7.4
Affected Products: Security Gateways, Spark Firewall
Affected Versions: R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, R82.10
Exploited in the wild: NO
SK: sk185035

Attack Timeline

On June 4, 2026, following indications of suspicious activity, Check Point Research launched an investigation that reconstructed the attack timeline summarized below.

Incident response teams should prioritize forensic log audits and configuration reviews starting from the earliest observed exploitation date of May 7, 2026.

Based upon our observations, exploitation attempts of CVE-2026-50751 increased in early June 2026.

Actor profile

Based on the post-exploitation activity we observed, we assess with medium confidence that the actor behind the exploitation of CVE-2026-50751 is financially motivated and uses Qilin ransomware. We believe that the same threat actor infrastructure is also being used to exploit other VPN-related vulnerabilities, such as those published by Palo Alto, Fortinet and F5.

We identified indicators suggesting the actor may use the Tox protocol for communication, a pattern commonly associated with financially motivated ransomware actors.

The actor used a dedicated virtual private server (VPS) infrastructure to conduct the attacks. Observed infrastructure includes IPs hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. In some cases, we observed a correlation between the victim organization’s geography and the geolocation of the VPS used in the attack. For example, activity targeting organizations in Taiwan involved attacker infrastructure geolocated to Taiwan.

Following successful access to targeted organizations, we observed attempts to download malicious ELF files from actor-controlled infrastructure; these files overlap attributionally with known Qilin Linux ransomware binaries.

IOCs

IP addresses:

45.77.149[.]152
209.182.225[.]136
38.60.157[.]139
162.33.177[.]101
45.76.26[.]42
144.208.127[.]155
38.54.88[.]201
38.54.107[.]167
66.42.99[.]200

File hashes (MD5):

52fda5c1b9704544f32ee98d9060e689
51d39aa39478beeac94f2d12f682ecce
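As an added example that is not part of the original advisory, the Python script below shows how an incident response team could triage VPN login records against the indicators listed above and against the May 7, 2026 earliest-exploitation date given in the timeline section. The log line format, field names (src, user, exchange, auth) and the sample entries are constructed for this example and are not Check Point's native log schema; adapt the regular expression to the export format of your own gateway logs before use.

```python
import re
from datetime import datetime, timezone

# Indicators as published in the advisory (defanged "[.]" form), refanged below.
DEFANGED_IPS = [
    "45.77.149[.]152", "209.182.225[.]136", "38.60.157[.]139",
    "162.33.177[.]101", "45.76.26[.]42", "144.208.127[.]155",
    "38.54.88[.]201", "38.54.107[.]167", "66.42.99[.]200",
]
IOC_MD5 = {
    "52fda5c1b9704544f32ee98d9060e689",
    "51d39aa39478beeac94f2d12f682ecce",
}

# Earliest observed exploitation date from the advisory's timeline section.
EARLIEST_EXPLOITATION = datetime(2026, 5, 7, tzinfo=timezone.utc)


def refang(indicator: str) -> str:
    """Turn the advisory's defanged '45.77.149[.]152' notation into a plain IP."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# CONSTRUCTED log format for this example, not Check Point's native schema:
#   <ISO-8601 UTC time> vpn_login src=<ip> user=<name> exchange=<ikev1|ikev2|ssl> auth=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn_login src=(?P<src>\S+) user=(?P<user>\S+) "
    r"exchange=(?P<exchange>\S+) auth=(?P<auth>\S+)$"
)

# Constructed sample records; the IOC IPs are the advisory's, the others are RFC 5737 test ranges.
SAMPLE_LOG = """\
2026-05-06T23:10:00Z vpn_login src=198.51.100.7 user=alice exchange=ikev1 auth=success
2026-05-08T02:14:33Z vpn_login src=45.77.149.152 user=svc-backup exchange=ikev1 auth=success
2026-05-09T11:02:10Z vpn_login src=203.0.113.9 user=bob exchange=ikev2 auth=success
2026-06-02T04:41:57Z vpn_login src=66.42.99.200 user=admin exchange=ikev1 auth=failure
2026-06-03T08:00:01Z vpn_login src=192.0.2.55 user=carol exchange=ikev1 auth=success
"""


def triage(lines):
    """Return one record per log line that merits review, with the reasons why.

    Reasons:
      ioc_ip - source IP is on the published indicator list
      ikev1  - successful IKEv1 remote-access login at or after the earliest
               exploitation date (the bypass yields a session without a valid
               password, so every such login needs a source-and-user sanity check)
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other event types are out of scope for this example
        rec = m.groupdict()
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        reasons = []
        if rec["src"] in IOC_IPS:
            reasons.append("ioc_ip")
        if (rec["exchange"] == "ikev1" and rec["auth"] == "success"
                and ts >= EARLIEST_EXPLOITATION):
            reasons.append("ikev1")
        if reasons:
            findings.append({"ts": ts, "src": rec["src"], "user": rec["user"],
                             "reasons": reasons})
    return findings


def match_hashes(observed):
    """Intersect observed file hashes (any case, stray whitespace) with the advisory's MD5 list."""
    return {h.strip().lower() for h in observed} & IOC_MD5


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["ts"].isoformat(), f["src"], f["user"], ",".join(f["reasons"]))
    print(match_hashes(["52FDA5C1B9704544F32EE98D9060E689", "deadbeef"]))
```

The ikev1 rule is deliberately broad: the listed IPs are only the infrastructure seen so far, while the durable artifact of this bypass is a successful IKEv1 remote-access login from a source or at a time that does not fit the user. Records flagged only with ikev1 are a review queue, not a verdict; records that also carry ioc_ip should be escalated.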

Mitigation

Update all affected Security Gateways to the released hotfix.

Full details & remediation steps:

Please refer to the advisories below, which include affected configurations, alternative mitigation steps (via remote-access configuration settings), indicators of compromise, and exact upgrade guidance.

https://support.checkpoint.com/results/sk/sk185033

https://support.checkpoint.com/results/sk/sk185035

Need support?

If you need help assessing your exposure, applying a mitigation, or installing the hotfix, please contact Check Point Support at:

https://www.checkpoint.com/support-services/contact-support/