What happened?
Check Point Research identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) affecting Remote Access VPN and Mobile Access deployments. The flaw is exposed only where a gateway is configured to use the deprecated IKEv1 protocol, permits legacy Remote Access clients, and does not enforce Machine Certificate Authentication. By exploiting a logic flaw in certificate validation, an attacker can establish an unauthorised VPN session without valid credentials. Check Point has stated that additional post-authentication steps are required before an attacker can access internal resources or escalate privileges, so the bypass on its own yields a VPN session rather than immediate access to internal systems.
Exploitation predates public disclosure by over a month. Check Point first detected suspicious activity on 4 June 2026 and determined that confirmed exploitation dates back to 7 May 2026. Activity has so far been limited to several dozen targeted organisations globally, though the pace of exploitation increased in early June.
Check Point has attributed one post-compromise incident, with medium confidence, to a Qilin ransomware affiliate. The assessed threat actor is financially motivated, with observed use of the Tox protocol for communications. Notably, infrastructure associated with this activity has also been used to target VPN vulnerabilities in Palo Alto Networks, Fortinet, and F5 devices - indicating a threat actor with a broad focus on internet-facing remote access infrastructure across vendors.
On 8 June 2026, CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) catalogue and directed U.S. Federal Civilian Executive Branch agencies to remediate by 11 June 2026.
So what?
This vulnerability matters because it targets an entry point that many organisations treat as a trusted boundary: the VPN gateway. A successful bypass creates an authenticated-looking session without valid credentials, giving an attacker a foothold inside the network perimeter from which further activity can proceed.
The exposure is compounded by the end-of-service status of several affected product branches, including R81.10, R81, R80.40, and R80.20.X. Organisations running these releases cannot receive vendor patches and face a harder choice: upgrade, isolate, or accept residual risk with interim mitigations in place.
The broader threat context is worth noting. Infrastructure linked to this campaign has also been used against VPN vulnerabilities in Palo Alto Networks, Fortinet, and F5 products - consistent with a wider pattern in which financially motivated actors systematically target internet-facing remote access infrastructure across multiple vendors as a preferred initial access route.
Qilin is a Ransomware-as-a-Service (RaaS) operation active since 2022, with over 400 publicly claimed victims as of June 2026. If Check Point's medium-confidence attribution is correct, wider affiliate adoption of this vulnerability could substantially increase exploitation activity. Organisations with unpatched or end-of-service deployments should treat this as a high-priority exposure requiring immediate action.
What should I do?
As per Check Point's official advisory (SK185033):
- Patch immediately
Apply the hotfix by upgrading to at least the minimum Jumbo Hotfix Take or software version that the advisory lists for your deployment.
- Apply interim mitigations where immediate patching is not possible
Check Point recommends disabling legacy Remote Access client support, restricting Remote Access VPN authentication to IKEv2, enabling IPS protections with updated signatures, and enforcing Machine Certificate Authentication where operationally feasible. Because the affected configuration requires all three conditions (IKEv1 enabled, legacy clients permitted, Machine Certificate Authentication not enforced), removing any one of them closes the exposure the advisory describes; checking these three settings is also the quickest way to establish whether a given gateway is exposed at all.
- Hunt for signs of prior compromise
Review VPN authentication logs back to at least 7 May 2026, the earliest confirmed exploitation date. Look for unexpected IKEv1 connections, anomalous source IP addresses, unusual authentication patterns, newly established VPN sessions, and remote authentication by accounts with no legitimate reason to connect remotely. Because the advisory states that further post-authentication steps are needed before internal access is gained, give priority to successful sessions that were followed by activity inside the network.
- Block and monitor known indicators of compromise (IOCs)
Check Point has published attacker-controlled IP addresses and other indicators associated with observed exploitation activity. Block these indicators where appropriate and review historical network telemetry, including gateway and VPN logs back to 7 May 2026, for prior communication with them.
- Prioritise end-of-service gateways
Devices running end-of-service versions, including R81.10, R81, R80.40, and R80.20.X, will not receive vendor patches. Organisations should prioritise upgrading, replacing, or isolating these systems.
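The following is an added example, not code from Check Point or from the advisory, of how the hunting and IOC steps above can be run together over VPN authentication logs. The key=value log format, the sample log lines, the IOC address, the expected source range and the list of remote-entitled accounts are all constructed for illustration; Check Point's actual log schema and its published indicators should be substituted before use.

```python
"""Hunt VPN authentication log lines for the patterns named in the advisory:
IKEv1 sessions on or after the earliest confirmed exploitation date, known
attacker IPs (IOCs), sources outside expected ranges, and remote logins by
accounts with no business connecting remotely.

The key=value log format and every value below are constructed for this
example; they are not Check Point's log schema or published IOCs."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Earliest confirmed exploitation date stated in the advisory.
EARLIEST_EXPLOITATION = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Constructed sample input (hypothetical addresses from RFC 5737 ranges).
SAMPLE_LOGS = [
    "time=2026-05-03T08:12:44Z src=203.0.113.10 user=jsmith ike=IKEv2 auth=cert result=accept",
    "time=2026-05-09T02:41:07Z src=198.51.100.77 user=svc-backup ike=IKEv1 auth=cert result=accept",
    "time=2026-05-09T02:41:09Z src=198.51.100.77 user=svc-backup ike=IKEv1 auth=cert result=accept",
    "time=2026-05-12T13:05:51Z src=203.0.113.22 user=mchen ike=IKEv1 auth=cert result=accept",
    "time=2026-06-01T22:17:30Z src=192.0.2.200 user=jsmith ike=IKEv2 auth=cert result=reject",
]
IOC_IPS = {"198.51.100.77"}  # constructed placeholder; load the vendor-published list here
EXPECTED_SRC = [ipaddress.ip_network("203.0.113.0/24")]  # assumed known-good egress ranges
REMOTE_ENTITLED = {"jsmith", "mchen"}  # assumed set of accounts allowed to use Remote Access VPN


def parse_line(line):
    """Parse one key=value log line into a dict; the timestamp becomes an aware datetime."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def hunt(lines, ioc_ips=IOC_IPS, expected_src=EXPECTED_SRC, entitled=REMOTE_ENTITLED,
         since=EARLIEST_EXPLOITATION):
    """Return (findings, accepted_per_src).

    findings: list of (reason, record) tuples, one per rule matched by a record.
    accepted_per_src: count of accepted sessions per source IP, to spot bursts
    of newly established sessions from a single address."""
    findings = []
    accepted_per_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["time"] < since:
            continue  # outside the confirmed exploitation window
        if rec["result"] != "accept":
            continue  # the bypass yields accepted sessions; rejects are noise for this hunt
        src = ipaddress.ip_address(rec["src"])
        accepted_per_src[rec["src"]] += 1
        if rec["ike"] == "IKEv1":
            findings.append(("ikev1_session", rec))
        if rec["src"] in ioc_ips:
            findings.append(("ioc_source", rec))
        if not any(src in net for net in expected_src):
            findings.append(("unexpected_source", rec))
        if rec["user"] not in entitled:
            findings.append(("unentitled_account", rec))
    return findings, accepted_per_src


def summarize(findings):
    """Collapse findings to {source_ip: sorted list of distinct reasons} for triage."""
    by_src = defaultdict(set)
    for reason, rec in findings:
        by_src[rec["src"]].add(reason)
    return {src: sorted(reasons) for src, reasons in by_src.items()}


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOGS)
    for src, reasons in summarize(found).items():
        print(f"{src}: {counts[src]} accepted session(s); reasons={reasons}")
```

A source that trips several rules at once (IKEv1, IOC match, outside expected ranges, unentitled account) is the obvious first lead; a source that only trips the IKEv1 rule from an expected range and an entitled user may be a legitimate legacy client, but it still marks a gateway that is exposed and should be moved to IKEv2.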