Check Point VPN CVE-2026-50751: IKEv1 Bypass Is Exploited by Ransomware

Check Point CVE-2026-50751 is an exploited IKEv1 VPN authentication bypass tied to ransomware activity. Patch, disable legacy IKEv1 paths, and audit logs back to May 7.

Check Point has fixed CVE-2026-50751, a critical authentication-bypass flaw in Remote Access VPN, Mobile Access / SSL VPN, and Spark Firewall deployments that still use the deprecated IKEv1 key exchange path. The issue is already being exploited, CISA added it to the Known Exploited Vulnerabilities catalog on June 8, and the federal remediation deadline is June 11, 2026.[1][2]

The practical risk is direct: an unauthenticated remote attacker can establish a VPN session without a valid user password when the affected IKEv1 configuration is present. Check Point says additional post-authentication activity is still needed to reach internal resources or escalate privileges, but that nuance should not make exposed gateways feel low priority. VPN authentication bypasses are perimeter events; once the first gate opens, defenders have to assume credential, session, and lateral-movement follow-up is possible.


Check Point’s public advisory says exploitation started as early as May 7 and increased in early June. The vendor links at least one confirmed post-compromise case to activity associated with a Qilin ransomware affiliate, while Rapid7 says it has also observed a case it attributes to CVE-2026-50751 with high confidence.[1][3] That ransomware context is why this deserves more than a normal patch-cycle ticket.

What defenders should check first

The affected product scope is broad enough to catch both old and current estates: Check Point lists Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall branches including R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, and R82.10 when the vulnerable deprecated IKEv1 path is in use.[1] Several of those branches are end-of-support, which matters because emergency hotfixing may still leave a longer migration problem.

Start with exposure, not only version numbers. Confirm whether Remote Access VPN or Mobile Access accepts legacy IKEv1 clients, whether machine-certificate authentication is mandatory, and whether any gateway can be reached from the internet on the relevant VPN services. If IKEv1 is not needed, disable the legacy path and move Remote Access VPN authentication to IKEv2 only. Check Point and Rapid7 also point to mandatory machine certificates, current IPS signatures, and removal of legacy remote-access-client support as mitigation paths when a hotfix cannot be applied immediately.[1][3]

For incident response, do not stop at “patched.” Review VPN authentication events, new or unusual remote-access users, gateway configuration changes, outbound retrieval of Linux ELF payloads, and traffic touching known attacker infrastructure back to May 7. Rapid7’s summary includes Check Point-published indicators such as 45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139, 162.33.177[.]101, 45.76.26[.]42, 144.208.127[.]155, 38.54.88[.]201, 38.54.107[.]167, 66.42.99[.]200, and MD5 hashes 52fda5c1b9704544f32ee98d9060e689 and 51d39aa39478beeac94f2d12f682ecce.[3] Treat those as starting points, not a complete detection strategy.
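A minimal log sweep for the review described above, added here as an example and not taken from Check Point or Rapid7. It loads the IP indicators exactly as listed in this article and reports matches dated on or after May 7. The log line format and the sample lines are constructed assumptions, so adapt the timestamp parsing to your own gateway or SIEM export.

```python
import ipaddress
import re
from datetime import datetime

# IP indicators as listed in the article (defanged there); refanged at load time.
IOC_IPS_DEFANGED = """45.77.149[.]152 209.182.225[.]136 38.60.157[.]139
162.33.177[.]101 45.76.26[.]42 144.208.127[.]155 38.54.88[.]201
38.54.107[.]167 66.42.99[.]200""".split()
IOC_IPS = {ipaddress.ip_address(i.replace("[.]", ".")) for i in IOC_IPS_DEFANGED}
WINDOW_START = datetime(2026, 5, 7)  # earliest exploitation date given in the article
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines; this format is an assumption, not Check Point's log schema.
SAMPLE_LOG = """\
2026-05-06T23:59:10 vpn action=login src=45.77.149.152 user=alice
2026-05-07T02:14:55 vpn action=login src=45.77.149.152 user=svc-backup
2026-05-19T11:02:03 fw action=accept src=10.1.4.20 dst=38.54.88.201 dport=443
2026-06-02T08:30:00 vpn action=login src=198.51.100.7 user=bob
2026-06-03T04:41:27 fw action=accept src=10.1.4.20 dst=145.77.149.152 dport=80
not-a-timestamp garbage line 66.42.99.200
"""

def find_ioc_hits(lines, since=WINDOW_START):
    """Return (timestamp_or_None, ip, line) for IoC addresses seen on or after `since`."""
    hits = []
    for line in lines:
        try:
            when = datetime.fromisoformat(line.split(" ", 1)[0])
        except ValueError:
            when = None  # undated line: keep it in scope rather than drop a possible hit
        if when and when < since:
            continue
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # not a valid IPv4 address, e.g. 999.1.1.1
            if addr in IOC_IPS:
                hits.append((when, str(addr), line.strip()))
    return hits

if __name__ == "__main__":
    for when, ip, line in find_ioc_hits(SAMPLE_LOG.splitlines()):
        stamp = when.isoformat() if when else "undated"
        print(f"{stamp}  {ip}  {line}")
```

Addresses are compared as parsed values rather than substrings, so `145.77.149.152` in the sample does not match the indicator `45.77.149.152`, and lines with no parseable timestamp are reported as undated instead of being skipped.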

The pattern is familiar. Recent edge-device stories such as the Palo Alto GlobalProtect VPN bypass and SonicWall Gen6 VPN MFA bypass show why attackers keep returning to remote-access infrastructure: it sits on the perimeter, often carries legacy compatibility baggage, and provides a believable route into internal networks. CVE-2026-50751 is not a generic vulnerability bulletin; it is a reminder to retire IKEv1 wherever it still survives and to verify whether the gateway was touched before the hotfix arrived.

References

  1. Check Point Research. Security Advisory – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751). Published June 8, 2026.
  2. CISA / NVD. CVE-2026-50751 Detail and KEV entry. Updated June 9, 2026.
  3. Rapid7 Emergent Threat Response. Critical Check Point VPN Zero-Day Exploited in the Wild. Published June 8, updated June 10, 2026.
  4. CVE Program. CVE-2026-50751 record. Published June 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
