
Critical Check Point VPN Vulnerability (CVE-2026-50751) Actively Exploited by Attackers

Check Point has disclosed a critical security vulnerability affecting Remote Access VPN and Mobile Access deployments that still rely on the deprecated IKEv1 key exchange protocol. The flaw is currently being exploited in real-world attacks against organizations worldwide.

The vulnerability, tracked as CVE-2026-50751, carries a CVSS score of 9.3 and stems from a logic flaw in certificate validation. According to Check Point, attackers can exploit the weakness to bypass authentication and establish a VPN connection without possessing a valid user password.

Authentication Bypass Vulnerability

Researchers explained that the flaw allows an unauthenticated remote attacker to create a VPN session by exploiting a certificate validation weakness.

“By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements,” Check Point stated.

While successful exploitation grants VPN access, attackers must still perform additional post-authentication actions to access internal resources or escalate privileges within the targeted environment.

Affected Products

The vulnerability impacts several Check Point products and software versions, including:

Security Gateways

  • R82.10 Jumbo Hotfix Take 19 or earlier
  • R82 Jumbo Hotfix Take 103 or earlier
  • R81.20 Jumbo Hotfix Take 141 or earlier
  • R81.10 (End of Support)
  • R81 (End of Support)
  • R80.40 (End of Support)

Spark Firewalls

  • R80.20.X (End of Support)
  • R81.10.X
  • R82.00.X

Conditions Required for Exploitation

To successfully exploit CVE-2026-50751, the following conditions must be present:

  • VPN Remote Access or Mobile Access is enabled
  • IKEv1 is enabled for remote access connections
  • Gateways allow legacy Remote Access clients
  • Machine certificates are not required for authentication

All four conditions must hold for the bypass to be reachable. Organizations meeting them are at elevated risk and should apply security updates immediately; until the hotfix is installed, removing any one condition (most simply, disabling IKEv1 for remote access) closes the path the advisory describes.
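As an added example (not Check Point's tooling or code), the following Python script applies the affected-version list and the four conditions above to a constructed gateway inventory, separating gateways that are merely on an affected build from those on which the bypass is actually reachable. The inventory, the platform labels and the boolean field names are assumptions made for the example, not real Check Point API or configuration keys; the Take thresholds come from the list above, and Spark lines, for which the advisory lists no fixed Take, are treated as affected on every build.

```python
"""Exposure triage for CVE-2026-50751 across a gateway inventory.

Added example, not Check Point's code or tooling. The inventory below is
constructed, and the four boolean fields are hypothetical names for the
advisory's exploitation conditions, not real Check Point API or config keys.
"""
from dataclasses import dataclass
from typing import Optional

# Last affected Jumbo Hotfix Take per version line, from the advisory.
# None: the line is End of Support (or, for Spark, the advisory lists no
# fixed Take), so every build on that line is treated as affected.
LAST_AFFECTED_TAKE = {
    ("gateway", "R82.10"): 19,
    ("gateway", "R82"): 103,
    ("gateway", "R81.20"): 141,
    ("gateway", "R81.10"): None,
    ("gateway", "R81"): None,
    ("gateway", "R80.40"): None,
    ("spark", "R80.20"): None,
    ("spark", "R81.10"): None,
    ("spark", "R82.00"): None,
}

@dataclass
class Gateway:
    name: str
    platform: str          # "gateway" (Security Gateway) or "spark" (Spark appliance)
    version: str           # e.g. "R82.10"; Spark builds like "R81.10.10"
    take: Optional[int]    # installed Jumbo Hotfix Take, None if unknown
    remote_access: bool    # condition 1: Remote Access / Mobile Access enabled
    ikev1: bool            # condition 2: IKEv1 enabled for remote access
    legacy_clients: bool   # condition 3: legacy Remote Access clients allowed
    machine_cert: bool     # condition 4 (negated): machine certificates required

def version_line(gw: Gateway) -> str:
    # Spark firmware carries a third component (R81.10.X); the advisory
    # lists Spark by the first two, so truncate to match.
    parts = gw.version.split(".")
    return ".".join(parts[:2]) if gw.platform == "spark" else gw.version

def on_affected_build(gw: Gateway):
    """Return (affected, explanation). An unknown Take is treated as affected."""
    line = version_line(gw)
    key = (gw.platform, line)
    if key not in LAST_AFFECTED_TAKE:
        return False, f"{line} is not a version line listed in the advisory"
    last = LAST_AFFECTED_TAKE[key]
    if last is None:
        return True, f"{line}: End of Support or no fixed Take listed"
    if gw.take is None:
        return True, f"{line}: Take unknown, affected up to Take {last}"
    if gw.take <= last:
        return True, f"{line} Take {gw.take} is at or below affected Take {last}"
    return False, f"{line} Take {gw.take} is past the last affected Take {last}"

def config_blockers(gw: Gateway) -> list:
    """Conditions that are NOT met and therefore keep the bypass unreachable."""
    blockers = []
    if not gw.remote_access:
        blockers.append("Remote Access / Mobile Access disabled")
    if not gw.ikev1:
        blockers.append("IKEv1 disabled for remote access")
    if not gw.legacy_clients:
        blockers.append("legacy Remote Access clients not allowed")
    if gw.machine_cert:
        blockers.append("machine certificates required")
    return blockers

def assess(gw: Gateway) -> dict:
    affected, why = on_affected_build(gw)
    blockers = config_blockers(gw)
    if not affected:
        status = "not_affected"
    elif blockers:
        status = "affected_not_reachable"   # still patch, but the bypass is blocked today
    else:
        status = "EXPOSED"                  # all four conditions hold on a vulnerable build
    return {"name": gw.name, "status": status, "build": why, "blockers": blockers}

# Constructed inventory for the example
INVENTORY = [
    Gateway("fw-hq-01", "gateway", "R82.10", 18, True, True, True, False),
    Gateway("fw-branch-02", "gateway", "R81.20", 150, True, True, True, False),
    Gateway("fw-dc-03", "gateway", "R82", 103, True, False, True, False),
    Gateway("spark-shop-04", "spark", "R81.10.10", None, True, True, True, False),
    Gateway("fw-lab-05", "gateway", "R81.10", 140, False, True, True, True),
]

def triage(inventory) -> list:
    """Return assessments with EXPOSED gateways first (sorted() is stable)."""
    order = {"EXPOSED": 0, "affected_not_reachable": 1, "not_affected": 2}
    return sorted((assess(g) for g in inventory), key=lambda a: order[a["status"]])

if __name__ == "__main__":
    for a in triage(INVENTORY):
        print(f"{a['status']:<24} {a['name']:<14} {a['build']}")
        for b in a["blockers"]:
            print(f"{'':<24} {'':<14} blocked by: {b}")
```

The conservative choices are deliberate: an unknown Take counts as affected, and a gateway on an End of Support line is affected regardless of Take, because no hotfix will arrive for it. "affected_not_reachable" is a reason to prioritise, not to skip: a later configuration change that re-enables IKEv1 or legacy clients turns it into "EXPOSED".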

Active Exploitation Observed Since May

Check Point reported that it first detected signs of suspicious activity on June 4, 2026. However, investigators traced the earliest known exploitation attempts back to May 7, 2026.

The company noted that attack activity has increased significantly during June and has targeted a limited number of organizations globally.

In at least one investigated incident, the post-compromise activity was linked to a Qilin ransomware affiliate, indicating potential ransomware deployment following successful VPN access.

Attack Infrastructure and Tactics

Researchers observed the threat actors conducting attacks from a network of virtual private servers (VPS). The infrastructure appears deliberately arranged: VPS hosts located in a given country are used to target organizations in that same country, a common way to keep attack traffic from standing out in geography-based anomaly detection.

After gaining access, attackers attempted to download malicious ELF payloads from infrastructure under their control.

Check Point also believes the threat actors may be exploiting additional VPN vulnerabilities affecting products from other major vendors, including Palo Alto Networks, Fortinet, and F5.

Investigators also identified indicators suggesting the use of Tox, a peer-to-peer encrypted messaging protocol frequently used by financially motivated ransomware operators for victim negotiation and coordination.

Links to Previous Qilin Activity

The findings align with previous research published by Ctrl-Alt-Intel, which documented how Qilin ransomware operators have increasingly targeted corporate VPN appliances as an initial access vector.

Despite the ongoing attacks, Check Point stated that there is currently no evidence that a working exploit has spread to multiple threat actors.

According to the company, the attacks appear opportunistic in nature, with adversaries focusing on organizations that remain vulnerable rather than targeting specific industries or sectors.

Second Vulnerability Discovered

During its investigation, Check Point researchers uncovered a second VPN-related vulnerability, tracked as CVE-2026-50752 and assigned a CVSS score of 7.4.

The flaw could enable an attacker positioned on the network path to mount an attacker-in-the-middle (AitM) attack against site-to-site VPN tunnels. The company emphasized, however, that there is currently no evidence of active exploitation of this vulnerability in the wild.

Mitigation Recommendations

Organizations using affected Check Point VPN deployments should:

  • Apply the latest security updates and hotfixes immediately.
  • Disable the deprecated IKEv1 protocol wherever possible.
  • Require machine certificates for VPN authentication.
  • Review VPN access logs for signs of suspicious activity.
  • Monitor for unauthorized VPN sessions and unusual post-authentication behavior.
  • Confirm that support for legacy Remote Access clients is still needed, and disable it where it is not.
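As an added example that is not part of the advisory or of any Check Point product, the following Python script shows one way to act on the log-review and monitoring recommendations above: it baselines each user's source addresses from accepted logins before the earliest known exploitation date, then flags accepted IKEv1 sessions that were established without a password (the footprint the bypass leaves), sessions from addresses a user never used before, and ELF downloads made through those sessions. The log lines are constructed for the example in a simplified key=value layout; they are not Check Point's log format, and the field names are assumptions.

```python
"""Hunting for CVE-2026-50751 abuse in VPN session logs.

Added example, not Check Point's tooling. The log lines are constructed and
use a simplified key=value layout that is NOT Check Point's log format; the
field names (type, ike, auth, src, session, file_type) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Earliest known exploitation per the advisory; accepted logins before this
# date form the per-user baseline of "normal" source addresses.
EARLIEST_KNOWN_EXPLOITATION = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Constructed sample: login records plus one post-authentication HTTP record
SAMPLE_LOG = """\
2026-04-28T08:12:03Z type=vpn_login user=alice src=203.0.113.10 ike=v2 auth=password,cert result=accept session=s01
2026-04-29T09:01:44Z type=vpn_login user=bob src=198.51.100.7 ike=v1 auth=password result=accept session=s02
2026-05-02T17:40:10Z type=vpn_login user=alice src=203.0.113.10 ike=v2 auth=password,cert result=accept session=s03
2026-05-09T02:13:55Z type=vpn_login user=bob src=192.0.2.55 ike=v1 auth=cert result=accept session=s04
2026-05-09T02:15:12Z type=http user=bob src=192.0.2.55 session=s04 url=http://192.0.2.80/upd.bin file_type=elf
2026-05-10T11:30:00Z type=vpn_login user=carol src=203.0.113.44 ike=v1 auth=cert result=accept session=s05
2026-05-11T08:05:19Z type=vpn_login user=alice src=203.0.113.10 ike=v2 auth=password,cert result=accept session=s06
2026-06-03T23:58:02Z type=vpn_login user=dave src=192.0.2.91 ike=v1 auth=password result=reject session=s07
"""

def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in rest.split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def accepted_logins(records) -> list:
    return [r for r in records if r["type"] == "vpn_login" and r["result"] == "accept"]

def baseline_sources(records, cutoff) -> dict:
    """user -> set of source IPs seen in accepted logins before the cutoff."""
    known = defaultdict(set)
    for r in accepted_logins(records):
        if r["ts"] < cutoff:
            known[r["user"]].add(r["src"])
    return known

def elf_downloads(records) -> dict:
    """session -> URLs of ELF files fetched through that session."""
    by_session = defaultdict(list)
    for r in records:
        if r["type"] == "http" and r.get("file_type") == "elf":
            by_session[r["session"]].append(r["url"])
    return by_session

def hunt(records, cutoff=EARLIEST_KNOWN_EXPLOITATION) -> list:
    known = baseline_sources(records, cutoff)
    downloads = elf_downloads(records)
    findings = []
    for r in accepted_logins(records):
        if r["ts"] < cutoff:
            continue
        auth = set(r["auth"].split(","))
        # The bypass yields an IKEv1 session with no valid password, so a
        # cert-only IKEv1 login is the primary trigger; an ELF fetch is the other.
        no_password = r["ike"] == "v1" and "password" not in auth
        payloads = downloads.get(r["session"], [])
        if not (no_password or payloads):
            continue
        reasons = []
        if no_password:
            reasons.append("IKEv1 session accepted without password authentication")
        new_src = False
        if r["user"] not in known:
            reasons.append(f"no accepted logins for {r['user']} before {cutoff.date()}")
        elif r["src"] not in known[r["user"]]:
            new_src = True
            reasons.append(f"source {r['src']} never used by {r['user']} before {cutoff.date()}")
        for url in payloads:
            reasons.append(f"ELF payload fetched in session: {url}")
        severity = "high" if new_src or (no_password and payloads) else "medium"
        findings.append({"session": r["session"], "user": r["user"], "src": r["src"],
                         "ts": r["ts"].isoformat(), "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['user']}@{f['src']} session={f['session']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

On the constructed sample, bob's session s04 is reported as high (IKEv1 without a password, from an address he never used, followed by an ELF fetch) and carol's s05 as medium (IKEv1 without a password, but no history to compare against). Rejected logins are ignored here; in a real review, a burst of rejected IKEv1 attempts from VPS ranges immediately before an accepted cert-only session is worth pulling as well. The baseline is only as good as the log window, so extend it back further than May 7, 2026 where retention allows.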

Given the active exploitation of CVE-2026-50751, security teams are strongly encouraged to assess their VPN infrastructure and implement remediation measures without delay.
