Check Point VPN Zero-Day Exploited by Qilin Ransomware Affiliate — Authentication Bypass Allows VPN Sessions Without Passwords (CVE-2026-50751)

Check Point has disclosed active exploitation of a critical authentication bypass vulnerability in its Remote Access VPN and Mobile Access products, tracked as CVE-2026-50751 with a CVSS score of 9.3. The flaw allows an unauthenticated remote attacker to establish a VPN session without a valid password by exploiting a logic flaw in certificate validation within deployments configured to use the deprecated IKEv1 key exchange protocol.

The vulnerability has been under active exploitation since at least May 7, 2026, with exploitation activity ramping up significantly in June. Check Point first observed suspicious activity on June 4 and has confirmed exploitation targeting a few dozen organizations globally. In at least one case, the post-exploitation phase has been attributed to a Qilin ransomware affiliate.

The affected products span multiple Check Point versions: Security Gateways running R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, and all end-of-support versions including R81.10, R81, and R80.40. Spark Firewalls running R80.20.X, R81.10.X, and R82.00.X are also affected.

Exploitation requires a specific configuration: VPN Remote Access or Mobile Access must be enabled, IKEv1 must be active for remote access, gateways must accept legacy Remote Access clients, and gateways must not demand a machine certificate for connections. While this narrows the vulnerable population, organizations running legacy VPN configurations — particularly those that never migrated away from IKEv1 — are fully exposed.

The threat actor infrastructure behind the exploitation uses virtual private servers geolocated to match the country of each target organization, making the VPN connections appear to originate domestically. Once access is established, attackers attempt to download malicious ELF binaries from actor-controlled infrastructure for post-exploitation activity.

Check Point noted that the same threat actor infrastructure appears to be exploiting VPN vulnerabilities from other vendors including Palo Alto Networks, Fortinet, and F5, suggesting a coordinated campaign targeting the corporate VPN attack surface broadly. The attackers also appear to use the Tox protocol for communication, a pattern commonly associated with financially motivated ransomware operators.

The investigation also uncovered a second vulnerability in the same VPN components. CVE-2026-50752, scored at CVSS 7.4, could enable an adversary-in-the-middle attack on VPN site-to-site connections, though there is no evidence of real-world exploitation of this flaw.

Action Items:

- Apply Check Point's hotfix immediately for all affected Security Gateway and Spark Firewall versions.
- Organizations still running IKEv1 for remote access VPN should treat migration to IKEv2 as an emergency priority: the deprecated protocol is now a confirmed attack vector with ransomware consequences.
- Review VPN logs for connections originating from VPS providers geolocated to your country, particularly since May 7.
- Check whether gateways are configured to accept legacy Remote Access clients without requiring machine certificates; if so, enforce certificate requirements immediately.
- Monitor for attempted downloads of ELF binaries from external infrastructure following VPN authentication.
- The overlap with Qilin ransomware operations and the simultaneous targeting of Palo Alto, Fortinet, and F5 VPN products means this is part of a broader campaign against enterprise VPN infrastructure; organizations running any of these products should audit their configurations in parallel.
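The four configuration preconditions described earlier and the log-review action items above lend themselves to a small triage script. The following is an added example written for this page, not code from Check Point or from the advisory. The gateway setting names (`remote_access_enabled`, `ikev1_remote_access`, `accept_legacy_clients`, `require_machine_cert`), the single-line VPN log format, the IP-to-ASN/country table and the sample log entries are all constructed for illustration and would have to be replaced with exports from your own gateway and your own IP-intelligence source; the May 7, 2026 start date is the one the advisory gives.

```python
"""Added example (not from the Check Point advisory): check a gateway against the
CVE-2026-50751 preconditions and triage VPN login records for the patterns the
advisory describes (domestic-looking VPS sources, IKEv1 sessions without a
machine certificate, activity on or after May 7, 2026).

All setting names, the log line syntax and the IP intelligence table are
hypothetical and constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
import re

# --- 1. Configuration precondition check ------------------------------------

# (hypothetical setting key, value that makes the gateway exposed, description)
PRECONDITIONS = [
    ("remote_access_enabled", True, "Remote Access / Mobile Access VPN enabled"),
    ("ikev1_remote_access", True, "IKEv1 active for remote access"),
    ("accept_legacy_clients", True, "legacy Remote Access clients accepted"),
    ("require_machine_cert", False, "machine certificate not required"),
]


def exploitable_preconditions(cfg: dict) -> list:
    """Return the descriptions of the advisory preconditions this gateway meets."""
    return [desc for key, exposed_value, desc in PRECONDITIONS
            if cfg.get(key) == exposed_value]


def is_exposed(cfg: dict) -> bool:
    """The bypass applies only when all four preconditions hold at once."""
    return len(exploitable_preconditions(cfg)) == len(PRECONDITIONS)


# --- 2. Log triage ----------------------------------------------------------

EXPLOITATION_START = datetime(2026, 5, 7, tzinfo=timezone.utc)  # from the advisory

# Constructed IP-intelligence table: network -> (provider name, country, is_vps).
IP_INTEL = {
    ipaddress.ip_network("203.0.113.0/24"): ("ExampleCloud VPS", "DE", True),
    ipaddress.ip_network("198.51.100.0/24"): ("ExampleISP Broadband", "DE", False),
    ipaddress.ip_network("192.0.2.0/24"): ("ExampleCloud VPS", "US", True),
}


def lookup(ip: str):
    """Resolve a source address to (provider, country, is_vps); unknown if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, info in IP_INTEL.items():
        if addr in net:
            return info
    return ("unknown", "??", False)


# Hypothetical simplified log syntax (not Check Point's real format):
# <ISO-8601 timestamp> vpn_login src=<ip> user=<name> ike=<v1|v2> machine_cert=<yes|no>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn_login src=(?P<src>\S+) user=(?P<user>\S+) "
    r"ike=(?P<ike>v1|v2) machine_cert=(?P<cert>yes|no)$"
)


@dataclass
class Finding:
    ts: datetime
    src: str
    user: str
    reasons: tuple


def triage(lines, home_country: str) -> list:
    """Flag logins on/after the exploitation start date that match advisory patterns."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real tool would count these
        ts = datetime.fromisoformat(m["ts"])
        if ts < EXPLOITATION_START:
            continue
        provider, country, is_vps = lookup(m["src"])
        reasons = []
        if is_vps and country == home_country:
            reasons.append(f"domestic VPS source ({provider})")
        if m["ike"] == "v1" and m["cert"] == "no":
            reasons.append("IKEv1 session without machine certificate")
        if reasons:
            findings.append(Finding(ts, m["src"], m["user"], tuple(reasons)))
    return findings


# Constructed sample records for an organisation whose home country is DE.
SAMPLE_LOG = [
    "2026-04-30T08:00:00+00:00 vpn_login src=198.51.100.7 user=alice ike=v2 machine_cert=yes",
    "2026-06-04T09:15:00+00:00 vpn_login src=203.0.113.45 user=svc-backup ike=v1 machine_cert=no",
    "2026-06-05T22:41:10+00:00 vpn_login src=192.0.2.9 user=bob ike=v1 machine_cert=no",
    "2026-06-06T07:02:33+00:00 vpn_login src=198.51.100.7 user=alice ike=v2 machine_cert=yes",
]

if __name__ == "__main__":
    legacy_gateway = {"remote_access_enabled": True, "ikev1_remote_access": True,
                      "accept_legacy_clients": True, "require_machine_cert": False}
    print("exposed:", is_exposed(legacy_gateway), exploitable_preconditions(legacy_gateway))
    for f in triage(SAMPLE_LOG, "DE"):
        print(f.ts.isoformat(), f.src, f.user, "; ".join(f.reasons))
```

The two checks are deliberately separate: the configuration check tells you whether a gateway is inside the described attack surface at all (patching is required either way), while the log triage only narrows the review to sessions worth a closer look, since a domestic VPS source or a certificate-less IKEv1 session is a lead, not proof of compromise.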