Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, with confirmed post-compromise activity linked to the Qilin ransomware gang.
CVE-2026-50751 targets deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an unauthenticated remote attacker can establish a VPN session without a valid user password, effectively bypassing all authentication requirements.
The flaw affects Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products across versions R80.20.X through R82.10. While initial access is gained through the bypass, additional post-authentication steps are required to access internal resources or escalate privileges.
Check Point Research launched its investigation on June 4, 2026, following indications of suspicious activity, tracing exploitation attempts back to May 7, 2026.
Exploitation attempts escalated sharply in early June 2026, targeting a few dozen organizations globally. Incident response teams should prioritize forensic log audits and configuration reviews beginning from the earliest observed exploitation date.
The threat actor is assessed with medium confidence to be financially motivated, leveraging Qilin Linux ransomware binaries and attempting to download malicious ELF files from actor-controlled infrastructure.
The actor likely uses the Tox protocol for command-and-control communication, a pattern commonly associated with ransomware operators, and is believed to be simultaneously exploiting VPN vulnerabilities disclosed by Palo Alto, Fortinet, and F5.
Attacker infrastructure was hosted across Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with VPS geolocation correlated to victim geography in several cases.
Second Vulnerability – CVE-2026-50752
During the CVE-2026-50751 investigation, Check Point’s agentic AI code security platform BLAST identified a related flaw: CVE-2026-50752 (CVSS 7.4).
This vulnerability impacts certificate validation in the deprecated IKEv1 key exchange and can enable man-in-the-middle (MitM) interference on site-to-site VPN communications under specific conditions. While not yet observed in active exploitation, customers are urged to apply updates proactively.
| CVE | Description | CVSS | Affected Products | In the Wild |
|---|---|---|---|---|
| CVE-2026-50751 | Auth bypass via IKEv1 certificate validation flaw | 9.3 | Mobile Access/SSL VPN, Remote Access VPN, Spark Firewall | YES |
| CVE-2026-50752 | MitM condition in IKEv1 certificate validation | 7.4 | Security Gateways, Spark Firewall | NO |
Indicators of Compromise (IOCs)
Malicious IPs:
- 45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139, 162.33.177[.]101, 45.76.26[.]42
- 144.208.127[.]155, 38.54.88[.]201, 38.54.107[.]167, 66.42.99[.]200
File Hashes (MD5):
52fda5c1b9704544f32ee98d9060e68951d39aa39478beeac94f2d12f682ecce
Mitigations
Check Point strongly urges all customers on affected versions to immediately apply the released hotfix for their Security Gateways. Organizations unable to patch instantly should take the following interim steps:
- Remove support for legacy remote access clients.
- Configure Remote Access VPN Authentication to IKEv2 only.
- Set Machine Certificate Authentication as mandatory.
- Enable IPS and download the latest signatures.
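As an added example, not taken from Check Point's advisory or tooling, the helper below does two of the triage tasks the advisory calls for: it screens VPN session records from the earliest observed exploitation date for IKEv1 logons and tags those whose source matches an advisory IOC, and it checks a gateway's settings against the four interim mitigations. The log format and the configuration key names are assumptions; the sample records are constructed.

```python
from datetime import date

# IOC IPs from the advisory, with the "[.]" defanging reversed so they compare directly
IOC_IPS = {ip.replace("[.]", ".") for ip in [
    "45.77.149[.]152", "209.182.225[.]136", "38.60.157[.]139", "162.33.177[.]101",
    "45.76.26[.]42", "144.208.127[.]155", "38.54.88[.]201", "38.54.107[.]167",
    "66.42.99[.]200",
]}
EXPLOIT_START = date(2026, 5, 7)  # earliest exploitation attempt traced by Check Point Research

# Constructed sample session records (assumed format: date src_ip ike_version result);
# this is NOT Check Point's native log schema.
SAMPLE_LOG = """\
2026-05-01 10.0.0.5 IKEv2 success
2026-05-09 45.77.149.152 IKEv1 success
2026-06-02 203.0.113.7 IKEv1 success
2026-06-03 66.42.99.200 IKEv2 fail
2026-06-05 38.54.88.201 IKEv1 success
"""

def triage(log_text):
    """Return IKEv1 session records on or after EXPLOIT_START, each tagged with whether
    the source matches an advisory IOC. Unknown sources are kept too: the bypass yields a
    session that looks fully authenticated, so an IOC hit alone is not the only signal."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, src, ike, result = line.split()
        rec = {"date": date.fromisoformat(day), "src": src, "ike": ike, "result": result}
        if rec["date"] < EXPLOIT_START or rec["ike"] != "IKEv1":
            continue
        rec["ioc_match"] = src in IOC_IPS
        findings.append(rec)
    return findings

def audit_config(cfg):
    """Compare a gateway's settings (assumed key names) with the advisory's interim steps
    and return the controls still missing, in the order the advisory lists them."""
    missing = []
    if cfg.get("legacy_clients_allowed", True):
        missing.append("remove legacy remote access client support")
    if cfg.get("ike_versions") != ["IKEv2"]:
        missing.append("restrict Remote Access VPN authentication to IKEv2 only")
    if not cfg.get("machine_cert_mandatory", False):
        missing.append("make Machine Certificate Authentication mandatory")
    if not cfg.get("ips_enabled", False):
        missing.append("enable IPS with current signatures")
    return missing
```

Any IKEv1 session in the window deserves a closer look even when the source is not on the IOC list, since the attacker infrastructure named here is only what was observed in these cases.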