Check Point Research has issued a critical alert regarding active exploitation of a vulnerability affecting Remote Access VPN and Mobile Access deployments. The flaw, tracked as CVE-2026-50751, carries a CVSS score of 9.3 (critical) and is an authentication bypass that is reachable only on gateways still configured to accept the legacy IKEv1 key exchange for remote access. It poses a direct threat to network security, potentially allowing unauthenticated attackers to obtain VPN access.
The vulnerability stems from a logic flaw in the certificate validation process. An unauthenticated remote attacker can exploit it to bypass user authentication and establish a remote access VPN connection without valid user credentials. While the bypass grants initial VPN access, Check Point notes that further post-authentication steps would be needed before an attacker could reach internal resources or escalate privileges within the compromised network.
Exploitation of Check Point VPN Vulnerability Underway
Exploitation of CVE-2026-50751 has been observed in the wild. The earliest signs of suspicious activity were detected on June 4, 2026, while the earliest confirmed exploitation incident dates back to May 7, 2026; exploitation attempts have intensified since the beginning of June. Check Point assesses the activity as targeted rather than broad, with a few dozen organizations worldwide affected.
Conditions for Exploitation
Successful exploitation of CVE-2026-50751 requires several configuration conditions to hold at the same time on the affected gateway: Remote Access or Mobile Access must be enabled, the older IKEv1 protocol must be active for remote access, the gateway must be configured to accept legacy Remote Access clients, and the gateway must not require a machine certificate for the connection. A gateway that fails any one of these conditions is not exploitable by this flaw, which also makes each of them a candidate mitigation.
The affected products and versions include Security Gateways R82.10 Jumbo Hotfix Take 19 and below, R82 Jumbo Hotfix Take 103 and below, R81.20 Jumbo Hotfix Take 141 and below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS). Spark Firewalls affected are R80.20.X (EOS), R81.10.X, and R82.00.X.
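The following is an added example, not Check Point's own tooling or output: a small triage script that encodes the two questions the advisory makes exploitation depend on, whether the gateway's version and Jumbo Hotfix take fall inside the affected range quoted above, and whether its remote access configuration satisfies every listed precondition. The `GatewayConfig` field names and the sample inventory are assumptions for illustration; Spark firewalls are left out because the text gives no fixed build for those branches.

```python
"""
Exposure triage for the conditions listed in the advisory.

Added example, not Check Point's code. Version ranges are the ones quoted in
the advisory; GatewayConfig field names and the sample gateways are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Highest affected Jumbo Hotfix take per version, as quoted in the advisory.
# Anything above that take is treated as fixed. EOS versions have no fix and
# are affected at any take.
AFFECTED_MAX_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
EOS_VERSIONS = {"R81.10", "R81", "R80.40"}

# Accepts "R82.10", "R82.10 Take 19", "R82.10 JHF Take 19",
# and "R82.10 Jumbo Hotfix Take 19" (case-insensitive).
VERSION_RE = re.compile(
    r"^\s*(R\d+(?:\.\d+)?)(?:\s+(?:Jumbo\s+Hotfix\s+|JHF\s+)?Take\s+(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(version: str) -> Tuple[str, Optional[int]]:
    """Split a version string into (major version, jumbo take or None)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1).upper(), (int(m.group(2)) if m.group(2) else None)


def version_affected(version: str) -> bool:
    """True when the version/take combination is inside the affected range."""
    major, take = parse_version(version)
    if major in EOS_VERSIONS:
        return True
    if major not in AFFECTED_MAX_TAKE:
        raise ValueError(f"version {major} is not in the advisory's list")
    if take is None:
        # No Jumbo Hotfix installed at all: below every listed take.
        return True
    return take <= AFFECTED_MAX_TAKE[major]


@dataclass
class GatewayConfig:
    name: str
    version: str
    remote_access_enabled: bool        # Remote Access blade
    mobile_access_enabled: bool        # Mobile Access blade
    ikev1_for_remote_access: bool
    legacy_clients_accepted: bool
    machine_certificate_required: bool


def assess(cfg: GatewayConfig) -> Tuple[bool, List[str]]:
    """
    Return (exposed, blockers). `blockers` lists the preconditions that are
    NOT met; the gateway is exposed only when that list is empty, because the
    advisory makes every one of them a prerequisite for exploitation.
    """
    blockers: List[str] = []
    if not version_affected(cfg.version):
        blockers.append("running a fixed Jumbo Hotfix take")
    if not (cfg.remote_access_enabled or cfg.mobile_access_enabled):
        blockers.append("neither Remote Access nor Mobile Access is enabled")
    if not cfg.ikev1_for_remote_access:
        blockers.append("IKEv1 is disabled for remote access")
    if not cfg.legacy_clients_accepted:
        blockers.append("legacy Remote Access clients are not accepted")
    if cfg.machine_certificate_required:
        blockers.append("a machine certificate is required to connect")
    return (not blockers), blockers


# Constructed sample inventory (not real gateways).
SAMPLE_GATEWAYS = [
    GatewayConfig("gw-branch-01", "R81.20 Jumbo Hotfix Take 141",
                  True, False, True, True, False),
    GatewayConfig("gw-dc-02", "R82 Take 104", True, True, True, True, False),
    GatewayConfig("gw-lab-03", "R81.10", False, True, True, True, True),
]


def triage(gateways: List[GatewayConfig]) -> dict:
    """Map each gateway name to its blockers ([] means exposed)."""
    return {gw.name: assess(gw)[1] for gw in gateways}


if __name__ == "__main__":
    for name, blockers in triage(SAMPLE_GATEWAYS).items():
        status = "EXPOSED" if not blockers else "not exposed: " + "; ".join(blockers)
        print(f"{name}: {status}")
```

The blocker list is the useful output: a gateway on an affected take that already refuses IKEv1 or requires a machine certificate is not exploitable today, but it is one configuration change away from being so, so it still belongs on the patch list.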
In one documented case, the post-exploitation phase following the breach has been linked to an affiliate of the Qilin ransomware. This association suggests a financially motivated cybercrime operation. Check Point researchers believe that the threat actor infrastructure behind these attacks may also be leveraging other vulnerabilities affecting VPN solutions from vendors like Palo Alto Networks, Fortinet, and F5.
Indicators suggest that the threat actors may be using the Tox protocol for command and control communications, a pattern frequently observed among financially driven ransomware gangs. Operationally, the attacks are launched from virtual private servers (VPS), and the attackers often choose VPS hosted in the same country as the organizations they target.
Once unauthorized access is gained, the attackers have been observed attempting to download malicious ELF files from infrastructure under their control. These findings align with previous reports from cybersecurity firms, such as Ctrl-Alt-Intel, detailing the abuse of corporate VPN appliances by ransomware groups for initial network access.
Discovery of a Secondary Vulnerability
During their investigation of the affected VPN components, Check Point researchers also identified a second vulnerability, CVE-2026-50752, with a CVSS score of 7.4. This flaw could enable an adversary-in-the-middle (AitM) attack on VPN site-to-site connections. There is currently no evidence that it has been exploited in real-world attacks.
Organizations running Check Point VPN gateways are strongly advised to review their remote access configuration, stop using the deprecated IKEv1 protocol for remote access, and apply the latest Jumbo Hotfix for their version. The ongoing exploitation activity is a reminder that internet-facing VPN appliances remain a favoured initial-access target and that perimeter defenses need the same patch discipline as everything behind them.