Critical Check Point VPN Zero-Day Exploited in Attacks Linked to Qilin Ransomware (CVE-2026-50751)

Filip Dimitrov

June 8, 2026

Check Point has released emergency security updates for a critical authentication bypass vulnerability affecting specific Remote Access VPN and Mobile Access deployments.

Tracked as CVE-2026-50751, the vulnerability allows an unauthenticated remote attacker to bypass user authentication and establish a VPN session without a valid user password. Active exploitation has been confirmed in the wild, with at least one post-compromise incident linked to a Qilin ransomware affiliate.

The vulnerability affects deployments configured to use the deprecated IKEv1 key exchange protocol, particularly environments that allow legacy Remote Access clients and do not require machine certificate authentication.

Organizations using Check Point VPN infrastructure should urgently review their exposure, apply the relevant hotfixes, and investigate VPN activity dating back to at least May 7, 2026, the earliest observed exploitation date reported by Check Point.

Read the full Check Point advisory on the matter here.

Vulnerability Details

CVE-2026-50751 is an authentication bypass vulnerability in Check Point VPN Remote Access and Mobile Access deployments using deprecated IKEv1 key exchange.

The flaw is related to certificate validation logic. If exploited successfully, an attacker can establish a remote access VPN connection without possessing valid user credentials. While additional post-authentication activity would still be required to access internal resources or escalate privileges, the ability to establish an unauthorized VPN session creates a serious initial access risk.

This is especially concerning because VPN appliances are high-value targets for ransomware groups and other threat actors. Once attackers gain VPN access, they may attempt lateral movement, credential theft, internal reconnaissance, and deployment of ransomware or other payloads.

Exploitation Activity

Check Point has confirmed active exploitation of CVE-2026-50751 in the wild. According to the vendor, attacks began on May 7, 2026 and increased in early June.

Observed exploitation has reportedly affected a limited number of targeted organizations globally, but one confirmed case involved post-compromise activity associated with a Qilin ransomware affiliate.

Qilin is a ransomware-as-a-service operation that has been active since 2022 and has targeted organizations across multiple industries. The group has previously been associated with high-impact ransomware incidents, making this vulnerability particularly important for organizations running exposed VPN infrastructure.

Related Vulnerability: CVE-2026-50752

During its investigation, Check Point also identified a second vulnerability, tracked as CVE-2026-50752.

This issue affects certificate validation in deprecated IKEv1 key exchange and may allow man-in-the-middle interference with site-to-site VPN communications under specific conditions. Check Point has not observed exploitation of CVE-2026-50752 in the wild, but organizations should apply the available updates to reduce potential exposure.

Affected Configurations

The highest-risk configurations include Check Point deployments that:

  • Use deprecated IKEv1 key exchange for Remote Access VPN or Mobile Access
  • Accept legacy Remote Access clients
  • Do not require machine certificate authentication
  • Expose VPN services to the internet
  • Have not applied the latest Check Point security updates or hotfixes

Affected versions include multiple Check Point Security Gateway and Spark Firewall versions across R80.20.X, R80.40, R81, R81.10, R81.20, R82, R82.00.X, and R82.10 branches, depending on product and configuration.

Recommended Actions

Organizations using Check Point Remote Access VPN, Mobile Access, or Spark Firewall should take the following steps immediately:

  1. Apply Check Point’s released hotfixes for CVE-2026-50751 and CVE-2026-50752.
  2. Disable deprecated IKEv1 where possible and configure Remote Access VPN authentication to use IKEv2 only.
  3. Remove support for legacy Remote Access clients if they are no longer required.
  4. Require machine certificate authentication for Remote Access VPN connections.
  5. Enable Check Point IPS protections and download the latest IPS signatures.
  6. Review VPN logs from May 7, 2026 onward for suspicious authentication activity, unusual VPN sessions, unexpected source IPs, and access attempts from unfamiliar geographies.
  7. Investigate post-authentication activity from suspicious VPN sessions, including lateral movement, privilege escalation attempts, internal scanning, unusual file access, and ransomware staging behavior.
  8. Monitor for known indicators of compromise, but do not rely only on IOCs, as attacker infrastructure can change quickly.
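As an added example (not from Check Point or the original post), the following Python script applies steps 6 and 8 to a constructed CSV export of VPN logins: it baselines each user's source IPs before May 7, 2026, then flags in-window sessions that used IKEv1 without a machine certificate, used a legacy client, came from a new source IP, or match an indicator. The column names, sample rows, and the indicator value are assumptions made for illustration, not Check Point's log schema or real IoCs.

```python
import csv
import io
from datetime import datetime, timezone

# Earliest exploitation date reported by Check Point, per this page.
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Constructed sample export. Column names are assumptions for this example,
# not Check Point's log schema; map your own export onto them.
SAMPLE_LOG = """time,user,src_ip,ike_version,machine_cert,client
2026-04-20T08:01:00Z,alice,198.51.100.10,2,yes,current
2026-05-03T09:15:00Z,bob,198.51.100.22,1,no,legacy
2026-05-09T02:14:00Z,bob,203.0.113.77,1,no,legacy
2026-05-12T08:03:00Z,alice,198.51.100.10,2,yes,current
2026-06-02T23:41:00Z,svc-backup,203.0.113.5,1,no,legacy
2026-06-03T10:00:00Z,bob,198.51.100.22,1,yes,current
"""

# Constructed placeholder indicator (documentation range), not a real IoC.
IOC_IPS = frozenset({"203.0.113.5"})

def triage(log_text, ioc_ips=frozenset()):
    """Return (user, time, reasons) for in-window sessions that need review."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    rows.sort(key=lambda r: r["ts"])
    baseline = {}  # user -> source IPs seen before the exploitation window
    findings = []
    for r in rows:
        if r["ts"] < WINDOW_START:
            baseline.setdefault(r["user"], set()).add(r["src_ip"])
            continue
        reasons = []
        if r["ike_version"] == "1" and r["machine_cert"] != "yes":
            reasons.append("ikev1-no-machine-cert")
        if r["client"] == "legacy":
            reasons.append("legacy-client")
        if r["src_ip"] not in baseline.get(r["user"], set()):
            reasons.append("new-source-ip")
        if r["src_ip"] in ioc_ips:
            reasons.append("ioc-match")
        if reasons:
            findings.append((r["user"], r["time"], reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG, IOC_IPS), sep="\n")
```

Running `triage` with an empty indicator set still flags both suspicious sessions in the sample, which is the point of step 8: the configuration and baseline checks do not depend on attacker infrastructure staying the same.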

Known Indicators

Check Point has shared the following attacker infrastructure indicators associated with observed activity:


Stay Safe. Stay Secure

OP Innovate Research Team
