Check Point disclosed on June 8, 2026 that CVE-2026-50751, an authentication bypass in its Remote Access VPN and Mobile Access deployments, is being actively exploited in the wild. The flaw lets an unauthenticated remote attacker stand up a VPN session without a valid user password. At least one intrusion has been tied to a Qilin ransomware affiliate, and the earliest observed exploitation dates back to May 7, 2026 — roughly a month before a patch existed. Hotfixes are out now. If you terminate remote access on a Check Point gateway using legacy IKEv1, treat this as a live incident.
What’s Vulnerable
CVE-2026-50751 (CVSS 9.3) affects Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall configurations across R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, and R82.10.
This is a conditional exposure, not a blanket one. Per Check Point, the bug only affects deployments that:
- are configured to use the deprecated IKEv1 key exchange protocol, and
- accept legacy Remote Access clients, and
- do not require a machine certificate for connections.
A companion flaw, CVE-2026-50752 (CVSS 7.4), affects certificate validation in the same deprecated IKEv1 path and can enable a man-in-the-middle attack on site-to-site VPN connections. Check Point has not observed it exploited in the wild but found it during the CVE-2026-50751 investigation using its in-house agentic code-analysis tooling. Patch both.
Technical Details
The vulnerability is a logic flaw in the certificate validation routine for Remote Access and Mobile Access under IKEv1. By exploiting that weakness, an attacker satisfies the gateway’s authentication check and negotiates a remote access VPN tunnel without ever presenting valid credentials. Check Point notes that additional post-authentication activity is required to reach internal resources or escalate — so the bypass grants a tunnel and a foothold, not instant domain admin. For an edge VPN concentrator, that distinction offers little comfort: the thing on the far side of the tunnel is your internal network.
Exploitation Timeline
Check Point traced the earliest exploitation to May 7, 2026. Suspicious activity surfaced on June 4, triggering the investigation, and exploitation attempts surged in early June. Disclosure and hotfixes landed June 8. So far, impact is limited to a few dozen targeted organizations worldwide.
Actor Profile
Check Point assesses with medium confidence that the operator is financially motivated and linked to Qilin (the RaaS formerly branded “Agenda,” active since August 2022 with ~400 claimed victims). Post-exploitation, researchers saw overlap between Qilin Linux ransomware binaries and ELF payloads pulled from attacker infrastructure. The actor appears to also exploit known VPN bugs from Palo Alto, Fortinet, and F5, uses the Tox protocol for communications, and runs attacks from dedicated VPS infrastructure (Kaupo Cloud HK, Shock Hosting, Vultr) — in some cases geolocated to match the victim’s region.
Published IP IOCs include 45.77.149.152, 209.182.225.136, 38.60.157.139, 162.33.177.101, 45.76.26.42, 144.208.127.155, 38.54.88.201, 38.54.107.167, and 66.42.99.200. File hashes (MD5): 52fda5c1b9704544f32ee98d9060e689, 51d39aa39478beeac94f2d12f682ecce.
What To Do Right Now
- Apply the hotfix to all affected Security Gateways. See Check Point sk185033 (CVE-2026-50751) and sk185035 (CVE-2026-50752). This is the only complete fix.
- If you can’t patch immediately, harden remote access config: remove support for the legacy Remote Access client, set VPN authentication to IKEv2 only in Global Properties, make machine certificate authentication mandatory, and enable IPS with current signatures.
- Hunt retroactively from May 7, 2026. Audit VPN and gateway logs for sessions established without a corresponding successful credential authentication, unexpected VPN IP assignments, and connections from the published IOC IPs. Review configuration changes on edge devices.
- Block/alert on the published IOCs and check for outbound ELF downloads or Tox traffic from gateway-adjacent hosts.
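The retroactive hunt above boils down to a correlation: flag any VPN session that comes up with no preceding successful credential authentication for the same user and source, and flag any session sourced from a published IOC IP. The script below is an added example, not Check Point's tooling; it assumes a constructed, simplified key=value log format (not the gateway's real schema), so the field names would need mapping to your own log export.

```python
from datetime import datetime

# IP IOCs as published in the advisory
IOC_IPS = {"45.77.149.152", "209.182.225.136", "38.60.157.139",
           "162.33.177.101", "45.76.26.42", "144.208.127.155",
           "38.54.88.201", "38.54.107.167", "66.42.99.200"}

# Constructed sample log lines in an assumed key=value format (not real gateway output)
SAMPLE_LOGS = """\
ts=2026-05-07T03:12:01Z event=auth_success user=jdoe src=203.0.113.10
ts=2026-05-07T03:12:02Z event=session_up user=jdoe src=203.0.113.10 assigned_ip=10.20.0.5
ts=2026-05-07T04:41:17Z event=session_up user=svc_backup src=45.77.149.152 assigned_ip=10.20.0.9
ts=2026-05-08T09:00:00Z event=session_up user=mlee src=198.51.100.7 assigned_ip=10.20.0.12
"""

def parse_line(line):
    """Split 'k=v k=v ...' into a dict; the ts field becomes a datetime."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def hunt(log_text, ioc_ips=IOC_IPS, window_s=60):
    """Return one finding per session_up that has no auth_success for the same
    user and source within window_s seconds before it, or whose source is an IOC."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    auths = [r for r in records if r["event"] == "auth_success"]
    findings = []
    for r in records:
        if r["event"] != "session_up":
            continue
        reasons = []
        authed = any(a["user"] == r["user"] and a["src"] == r["src"]
                     and 0 <= (r["ts"] - a["ts"]).total_seconds() <= window_s
                     for a in auths)
        if not authed:
            reasons.append("session_without_auth_success")
        if r["src"] in ioc_ips:
            reasons.append("src_in_published_iocs")
        if reasons:
            findings.append({"ts": r["ts"].isoformat(), "user": r["user"],
                             "src": r["src"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

On the sample input, the jdoe session is authenticated and silent; the svc_backup session is flagged on both counts and the mlee session for the missing authentication alone.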
The pattern here is now familiar — Palo Alto, Fortinet, F5, and Cisco have all shipped actively exploited VPN and edge zero-days in 2026. Internet-facing remote access remains the front door, and ransomware affiliates are camped on it.