A critical flaw in Check Point's remote access VPN products lets attackers establish a VPN session without valid credentials, and Check Point says it has been exploited in the wild since early May, with at least one intrusion linked to a Qilin ransomware affiliate.
The bug, CVE-2026-50751, is an authentication bypass rated 9.3 in severity. It affects Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments that still use the deprecated IKEv1 key exchange protocol, accept legacy remote access clients, and do not require a machine certificate. Check Point disclosed it on June 8, 2026, and CISA added it to its Known Exploited Vulnerabilities catalog the same day.
What is affected and how widely
Check Point describes the campaign as limited, affecting several dozen organizations, with activity dating back to May 7, 2026 and rising in early June. The company attributes at least one incident to a Qilin ransomware affiliate with medium confidence, while researchers at Rapid7 say they confirmed two exploitation cases with high confidence. A related flaw found during the investigation, CVE-2026-50752 (severity 7.4), could enable a man-in-the-middle attack on site-to-site VPN tunnels, though no exploitation of it has been seen.
How the attack works
The vulnerability stems from a logic flaw in how the Remote Access and Mobile Access components validate certificates during the IKEv1 key exchange. An unauthenticated attacker can use it to set up a VPN session with no credentials. Per Check Point, further post-authentication steps are still needed to reach internal resources or escalate privileges, but a foothold inside the VPN is a serious first move. Rapid7's full write-up is available in the original report.
What you should do
Apply Check Point's hotfixes on an emergency basis. Notably, four of the nine affected version branches (R80.20.X, R80.40, R81, and R81.10) have reached End of Support, and organizations on those builds should migrate to a supported release. Where patching is not immediate, Check Point advises removing support for the legacy remote access client, forcing IKEv2 only, making machine certificate authentication mandatory, and enabling IPS with the latest signatures. Rapid7 urges defenders to hunt for signs of compromise even after patching, prioritizing forensic log review from May 7 onward. The flaw is the latest in a series of edge appliance authentication bypasses exploited in the wild, alongside PAN-OS GlobalProtect CVE-2026-0257 and Ivanti Sentry CVE-2026-10520.
Indicators of compromise
- Attacker IPs: 45[.]77[.]149[.]152, 209[.]182[.]225[.]136, 38[.]60[.]157[.]139, 162[.]33[.]177[.]101, 45[.]76[.]26[.]42, 144[.]208[.]127[.]155, 38[.]54[.]88[.]201, 38[.]54[.]107[.]167, 66[.]42[.]99[.]200
- Payload hashes (MD5): 52fda5c1b9704544f32ee98d9060e689, 51d39aa39478beeac94f2d12f682ecce
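To make the hunting advice above concrete, the following is an added example (not code from Check Point, Rapid7, or this briefing's publisher) that re-arms the published indicators in memory and sweeps VPN log lines for sessions from the listed attacker IPs on or after May 7, 2026, plus a helper that checks file contents against the published MD5 payload hashes. The log line format it parses is a hypothetical one chosen for the example and is not Check Point's real log layout; the sample log lines are constructed, not real telemetry.

```python
import hashlib
import re
from datetime import date

# Defanged indicators exactly as published in the briefing above.
DEFANGED_IPS = [
    "45[.]77[.]149[.]152", "209[.]182[.]225[.]136", "38[.]60[.]157[.]139",
    "162[.]33[.]177[.]101", "45[.]76[.]26[.]42", "144[.]208[.]127[.]155",
    "38[.]54[.]88[.]201", "38[.]54[.]107[.]167", "66[.]42[.]99[.]200",
]
PAYLOAD_MD5S = {
    "52fda5c1b9704544f32ee98d9060e689",
    "51d39aa39478beeac94f2d12f682ecce",
}
# Start of the exploitation window reported by Check Point.
HUNT_START = date(2026, 5, 7)


def refang(ioc: str) -> str:
    """Re-arm a defanged indicator in memory ('1[.]2[.]3[.]4' -> '1.2.3.4') for matching only."""
    return ioc.replace("[.]", ".")


ATTACKER_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Hypothetical log format assumed for this example (not Check Point's real format):
#   <YYYY-MM-DD> <HH:MM:SS> <event> src=<ipv4> user=<name>
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+)$"
)


def hunt_vpn_logs(lines):
    """Return records from HUNT_START onward whose source IP is a published attacker IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines outside the assumed format are skipped, not treated as hits
        y, mo, d = (int(x) for x in m["date"].split("-"))
        if date(y, mo, d) < HUNT_START:
            continue  # outside the reported exploitation window
        if m["src"] in ATTACKER_IPS:
            hits.append({"date": m["date"], "event": m["event"],
                         "src": m["src"], "user": m["user"]})
    return hits


def match_payload_hashes(blobs):
    """Return the names of byte blobs whose MD5 equals a published payload hash."""
    return [name for name, data in blobs.items()
            if hashlib.md5(data).hexdigest() in PAYLOAD_MD5S]


# Constructed sample lines: a pre-window event from an attacker IP (should be ignored),
# an in-window event from an attacker IP (should be flagged), an in-window event from a
# benign internal address, and a malformed line.
SAMPLE_LOGS = [
    "2026-05-01 08:00:00 ike_session_established src=45.77.149.152 user=svc-backup",
    "2026-05-09 02:14:33 ike_session_established src=209.182.225.136 user=jdoe",
    "2026-06-02 11:45:10 ike_session_established src=10.20.30.40 user=asmith",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in hunt_vpn_logs(SAMPLE_LOGS):
        print("REVIEW:", hit)
    print("payload matches:", match_payload_hashes({"sample.bin": b"not a real payload"}))
```

A real sweep would replace `SAMPLE_LOGS` with exported gateway logs and adapt `LOG_RE` to the actual field layout; the date gate matters because a pre-May 7 session from one of these addresses is worth noting but is not evidence of this particular campaign, and IP matches alone warrant review rather than a compromise verdict.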
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.