Check Point VPN Zero-Day Exploited in Attacks Linked to Qilin Ransomware


Check Point has released emergency fixes for a critical VPN authentication bypass vulnerability that attackers have already exploited in the wild, including one confirmed post-compromise case tied to a Qilin ransomware affiliate.

The flaw is tracked as CVE-2026-50751 and affects Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments that use the deprecated IKEv1 key exchange protocol. According to Check Point, attackers can exploit a logic weakness in certificate validation to establish a remote access VPN session without a valid user password.

CISA added the bug to its Known Exploited Vulnerabilities catalog on June 8, 2026. Federal civilian agencies have until June 11, 2026 to apply vendor mitigations or stop using affected products if mitigations are not available.

What CVE-2026-50751 allows attackers to do

CVE-2026-50751 is an improper authentication vulnerability. The NVD entry says the weakness affects certificate validation in deprecated IKEv1 key exchange and allows an unauthenticated remote attacker to establish a VPN connection without a valid password.

The issue does not automatically give attackers full internal access. Check Point says additional post-authentication activity is still needed to reach internal resources or escalate privileges. Even so, bypassing VPN authentication can give attackers an important foothold at the edge of a corporate network.

The vulnerability has a CVSS 3.1 score of 9.3, placing it in the Critical severity range. That high score reflects the remote attack path, lack of required credentials, and exposure of VPN gateways to untrusted networks.

| Detail | Information |
|---|---|
| CVE ID | CVE-2026-50751 |
| Severity | Critical, CVSS 9.3 |
| Weakness | CWE-287, Improper Authentication |
| Affected configuration | Deprecated IKEv1 key exchange in affected Check Point VPN deployments |
| Exploitation status | Exploited in the wild |
| CISA KEV due date | June 11, 2026 |

Qilin ransomware activity was observed after exploitation

Check Point said exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate.

According to Help Net Security, Check Point first noticed suspicious activity on June 4, 2026, while the earliest known exploitation dated back to May 7, 2026. Activity increased in early June, prompting the company to publish emergency guidance.

Check Point assesses the actor behind the activity as financially motivated with medium confidence. The company also said the actor appears to use Qilin ransomware and may use the Tox protocol for communication, a pattern often seen in ransomware operations.

  • Exploitation began as early as May 7, 2026.
  • Check Point opened its investigation on June 4, 2026.
  • Attack attempts increased in early June.
  • At least one post-compromise case involved Qilin ransomware activity.
  • CISA added the flaw to KEV on June 8, 2026.

Which Check Point products are affected?

The vulnerability affects several Check Point product lines when they are configured to use deprecated IKEv1 for the relevant VPN function. Affected products include Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall.

Rapid7 says the vulnerable configuration applies where gateways accept legacy Remote Access clients and do not require a machine certificate for connections. Rapid7 also notes that four affected version branches have reached end of support.

Check Point lists affected versions across R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, and R82.10. Organizations using any of these branches should check whether their VPN configuration uses IKEv1 and apply the relevant hotfix.

| Affected product area | Affected versions listed by Check Point |
|---|---|
| Mobile Access / SSL VPN | R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10 |
| Remote Access VPN | R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10 |
| Spark Firewall | R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10 |

CISA set a short federal deadline

CISA’s KEV entry gives federal agencies only three days from the June 8 listing to remediate the flaw. The required action tells agencies to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.

The deadline applies directly to U.S. Federal Civilian Executive Branch agencies, but private organizations should treat the alert as an emergency patching signal. CISA adds vulnerabilities to KEV when it has evidence of real-world exploitation.

VPN vulnerabilities remain especially dangerous because they sit at the perimeter. A successful bypass can put attackers inside a network path that defenders often trust more than ordinary internet traffic.

Check Point also fixed CVE-2026-50752

During the CVE-2026-50751 investigation, Check Point’s BLAST platform identified a related vulnerability tracked as CVE-2026-50752. This second flaw also involves certificate validation in deprecated IKEv1.

Check Point says CVE-2026-50752 has a CVSS score of 7.4 and can allow man-in-the-middle interference with site-to-site VPN communications under specific conditions. The company has not observed exploitation of this second vulnerability in the wild.

The CVE-2026-50751 record separately confirms that the primary bug is in CISA’s KEV catalog and maps it to improper authentication (CWE-287). Security teams should still patch both flaws because they affect related VPN code paths.

| CVE | Description | CVSS | Exploited in the wild? |
|---|---|---|---|
| CVE-2026-50751 | Authentication bypass in deprecated IKEv1 for Remote Access and Mobile Access VPN | 9.3 | Yes |
| CVE-2026-50752 | Certificate validation issue that may allow MitM interference on site-to-site VPN traffic | 7.4 | No reported exploitation |

What organizations should do now

Check Point customers should apply the available hotfixes immediately. The vendor advisory also says incident response teams should audit logs and configurations starting from May 7, 2026, the earliest observed exploitation date.

Organizations that cannot patch immediately should remove support for legacy Remote Access clients, configure Remote Access VPN authentication to IKEv2 only, make Machine Certificate Authentication mandatory, and enable IPS with the latest signatures.

Security teams should also review whether any affected gateways still run end-of-support versions. Legacy VPN branches create two risks at once: exposure to the current zero-day and slower access to long-term support options.

  • Apply the Check Point hotfix for affected VPN gateways.
  • Disable deprecated IKEv1 where possible.
  • Move Remote Access VPN authentication to IKEv2 only.
  • Require machine certificate authentication.
  • Enable IPS and update signatures.
  • Audit logs and VPN configuration changes from May 7, 2026 onward.

Indicators tied to the exploitation campaign

Check Point published indicators of compromise tied to the CVE-2026-50751 exploitation campaign. Rapid7’s analysis says attacker infrastructure included VPS hosts from Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with some VPS locations matching victim geography.

The published indicators are defanged for safe publication. Teams should use them for hunting and enrichment, but should not rely only on IP and hash matches because infrastructure can rotate quickly.


Why VPN zero-days remain a ransomware favorite

Ransomware affiliates often target VPNs because they provide remote access into trusted environments. If attackers can bypass authentication, they can begin reconnaissance, credential theft, lateral movement, and data staging before ransomware deployment.

The Check Point incident also fits a broader pattern of attackers targeting edge devices and remote access systems. Help Net Security noted that the actor may also be exploiting VPN-related vulnerabilities in other vendors’ products, including Palo Alto, Fortinet, and F5.

That makes exposure management urgent. Security teams should not only patch Check Point gateways. They should also review the entire remote access stack, including dormant VPN portals, legacy authentication methods, and internet-facing appliances that may be missing recent fixes.

What defenders should check after patching

Applying the hotfix closes the known vulnerability, but it does not prove an organization was not already compromised. Teams should check VPN authentication logs, failed and successful connection events, newly created accounts, internal access from VPN pools, and unusual outbound activity.

According to Help Net Security’s summary, Check Point urged investigators to review activity from May 7, 2026 onward. That window matters because the earliest known exploitation happened about a month before the public advisory.

Organizations should also rotate credentials for accounts that authenticated through affected VPN paths during suspicious windows, especially privileged accounts and service accounts. If ransomware staging is suspected, teams should preserve logs, memory captures where possible, and network telemetry before making disruptive cleanup changes.
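The post-patch review described above, as an added example that is not Check Point's code and does not use Check Point's log format: it triages constructed VPN session records from the May 7, 2026 audit window and flags IKEv1 remote-access sessions, sessions that authenticated without a password factor, accounts created in the window, and accounts whose first VPN login falls inside it. The comma-separated record layout, user names and addresses are invented for the example.

```python
# Added example (not Check Point's code or log format). Triage constructed
# VPN records for the audit window the advisory describes (May 7, 2026 on),
# flagging the patterns defenders are told to look for.
from datetime import datetime
from typing import Dict, List

AUDIT_START = datetime(2026, 5, 7)  # earliest known exploitation date

# Constructed sample records: time,event,user,src_ip,ike_version,auth_method
SAMPLE_LOG = """\
2026-04-20T08:02:11,vpn_login,alice,203.0.113.10,ikev2,password+cert
2026-05-09T03:14:55,vpn_login,svc-backup,198.51.100.7,ikev1,cert
2026-05-09T03:20:02,user_created,tmp-admin,198.51.100.7,,
2026-05-10T01:01:40,vpn_login,tmp-admin,198.51.100.7,ikev1,cert
2026-05-12T09:30:00,vpn_login,bob,203.0.113.44,ikev2,password+cert
"""

def parse(log: str) -> List[Dict[str, str]]:
    """Split the constructed CSV-style records into dicts."""
    keys = ["time", "event", "user", "src_ip", "ike", "auth"]
    return [dict(zip(keys, line.split(","))) for line in log.splitlines() if line]

def triage(records: List[Dict[str, str]], start: datetime = AUDIT_START) -> List[str]:
    """Return human-readable findings for records at or after `start`."""
    # Accounts with a VPN login before the window are considered established.
    seen_before = {r["user"] for r in records
                   if r["event"] == "vpn_login" and datetime.fromisoformat(r["time"]) < start}
    findings: List[str] = []
    for r in records:
        ts = datetime.fromisoformat(r["time"])
        if ts < start:
            continue
        if r["event"] == "user_created":
            findings.append(f"{r['time']} account created in window: {r['user']}")
            continue
        if r["event"] != "vpn_login":
            continue
        if r["ike"] == "ikev1":
            findings.append(f"{r['time']} IKEv1 remote-access session: {r['user']} from {r['src_ip']}")
        if "password" not in r["auth"]:
            findings.append(f"{r['time']} session without password factor: {r['user']} ({r['auth']})")
        if r["user"] not in seen_before:
            findings.append(f"{r['time']} first VPN login inside audit window: {r['user']}")
            seen_before.add(r["user"])
    return findings

if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(finding)
```

Every flagged line is a lead to confirm against the gateway's own logs, not a verdict; the IKEv1 and password-less hits on an account created inside the window are the ones to chase first.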

FAQ

What is CVE-2026-50751?

CVE-2026-50751 is a critical authentication bypass vulnerability in affected Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments that use deprecated IKEv1. It can let an unauthenticated remote attacker establish a VPN session without a valid user password.

Is the Check Point VPN zero-day being exploited?

Yes. Check Point says CVE-2026-50751 is being exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on June 8, 2026.

Is Qilin ransomware involved?

Check Point reported one confirmed post-compromise case associated with a Qilin ransomware affiliate. The company assesses the actor as financially motivated with medium confidence.

Which Check Point versions are affected?

Check Point lists R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, and R82.10 as affected for Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall deployments using the vulnerable IKEv1 configuration.

What should organizations do to protect against CVE-2026-50751?

Organizations should apply the Check Point hotfix immediately, disable deprecated IKEv1 where possible, move Remote Access VPN authentication to IKEv2 only, require machine certificate authentication, enable IPS with updated signatures, and audit logs from May 7, 2026 onward.
