At a glance: A Qilin ransomware affiliate has been actively exploiting a critical authentication bypass in Check Point's Remote Access and Mobile Access VPN gateways since early May. CVE‑2026‑50751 enables unauthorized access to IKEv1‑enabled gateways and creates a direct path for credential compromise, lateral movement, and data theft. Check Point has released fixes, confirmed exploitation, and urges organizations to apply updates immediately.
Threat summary
On June 8, 2026, cybersecurity company Check Point reported active exploitation of its Security Gateway platforms running Remote Access VPN and Mobile Access software blades, including enterprise gateways and Spark Firewall appliances.
The company released hotfixes the same day for Remote Access VPN, Mobile Access / SSL VPN, and Spark Firewall.
Check Point’s Remote Access VPN provides encrypted connectivity and supports multiple authentication methods, using either Internet Key Exchange version 1 (IKEv1) or version 2 (IKEv2) for key exchange. IKEv1 is a legacy protocol still enabled in some environments for compatibility with older clients; when enabled, it exposes the vulnerable code path. Spark appliances, commonly used in small and mid‑size environments, are also affected when configured with IKEv1 for Remote Access VPN or Mobile Access.
The exploited flaw, CVE-2026-50751, is an authentication bypass vulnerability caused by a logic flaw in certificate validation during IKEv1 negotiation. It affects Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall appliances configured to use IKEv1.
An unauthenticated threat actor could exploit this issue to establish a VPN session without valid credentials, creating an initial access foothold that may enable lateral movement or data access. The vulnerability has a CVSS score of 9.3 and is classified as critical.
Check Point observed suspicious activity on June 4 and reported that exploitation began on May 7, 2026. The company reported that exploitation has been limited to a few dozen organizations globally. One confirmed incident involved post‑compromise activity consistent with Qilin ransomware operations, including data exfiltration using Rclone and communication via the Tox protocol. A Qilin ransomware affiliate likely used this newly disclosed flaw to gain unauthorized access to exposed gateways.
Active since 2022, Qilin is a financially motivated ransomware-as-a-service operation whose affiliates conduct intrusions and deploy the malware for profit. The affiliate relied on infrastructure hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, servers that Check Point noted have also been used in other VPN-related intrusions.
Check Point’s investigation also identified a second flaw, CVE-2026-50752, rated CVSS 7.4, affecting certificate validation in IKEv1 for site‑to‑site VPN configurations. This second issue could enable man‑in‑the‑middle attacks, though no exploitation had been confirmed as of June 8, 2026.
Analysis
Apply the June 8 security hotfixes across affected Check Point gateway platforms running Remote Access VPN and Mobile Access blades, including Spark Firewall appliances.
To identify unauthorized VPN activity, organizations should also review logs and configurations for authentication events, configuration changes, and outbound data transfers dating back to May 7, 2026.
Check Point's advice includes searching SmartConsole logs for certificate‑based authentication attempts associated with known adversary infrastructure or with certificate attributes linked to the IKEv1 validation flow.
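As an added illustration of the log review described above (this is not Check Point's tooling, and the key=value export below is a constructed sample rather than SmartConsole's native format), the following Python script flags accepted IKEv1 certificate-based authentications from May 7, 2026 onward and checks their source addresses against a placeholder watchlist that would be replaced with the adversary infrastructure Check Point publishes:

```python
from datetime import date
from ipaddress import ip_address, ip_network
# Constructed sample export (not Check Point's real log format): one event per line, key=value pairs.
SAMPLE_LOGS = """\
time=2026-05-02T08:11:03Z src=203.0.113.9 blade=RemoteAccess ike=2 auth=certificate result=accept user=alice
time=2026-05-09T02:47:51Z src=198.51.100.23 blade=RemoteAccess ike=1 auth=certificate result=accept user=unknown
time=2026-05-11T23:15:20Z src=203.0.113.44 blade=RemoteAccess ike=1 auth=password result=accept user=bob
time=2026-06-01T04:03:12Z src=192.0.2.77 blade=MobileAccess ike=1 auth=certificate result=accept user=svc-backup
"""
EXPLOITATION_START = date(2026, 5, 7)  # earliest exploitation date reported by Check Point
# Placeholder watchlist (hypothetical range): replace with the adversary infrastructure Check Point publishes.
WATCHLIST = [ip_network("198.51.100.0/24")]

def parse_event(line):
    """Split a key=value line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_suspect(event):
    """True for an accepted IKEv1 certificate authentication on or after May 7, 2026."""
    try:
        when = date.fromisoformat(event["time"][:10])
    except (KeyError, ValueError):
        return False  # unparseable timestamp: not flagged here, but worth a separate sanity check
    return (when >= EXPLOITATION_START and event.get("ike") == "1"
            and event.get("auth") == "certificate" and event.get("result") == "accept")

def on_watchlist(src):
    """True when the source address falls inside any watchlisted network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in WATCHLIST)

def hunt(log_text):
    """Return (src, time, user, watchlisted) for each suspect event, watchlist hits first."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_suspect(ev):
            hits.append((ev["src"], ev["time"], ev.get("user", "?"), on_watchlist(ev["src"])))
    return sorted(hits, key=lambda h: not h[3])

if __name__ == "__main__":
    for src, when, user, listed in hunt(SAMPLE_LOGS):
        print(f"{'WATCHLIST' if listed else 'REVIEW   '} {when} {src} user={user}")
```

Events that match the IKEv1 certificate path but come from unlisted addresses are still listed for review, since the published infrastructure is unlikely to be exhaustive.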
For organizations unable to immediately deploy the hotfixes, interim risk reduction includes disabling IKEv1 where possible, confirming whether legacy clients require it, and strengthening authentication controls until permanent mitigation is applied.
Once hotfixes are deployed, Check Point suggested long‑term hardening using one of three approaches based on whether IKEv1 or legacy Remote Access clients are still required:
- Remove support for legacy Remote Access clients. This is appropriate for organizations that no longer rely on older VPN clients, as it eliminates IKEv1 entirely.
- Configure Remote Access VPN authentication to IKEv2 only. Suitable for environments that still require Remote Access VPN but can standardize on modern clients that support IKEv2.
- Make machine certificate authentication mandatory. Intended for organizations that must temporarily retain IKEv1 for compatibility reasons but can enforce certificate‑based validation until full migration is possible.