Check Point VPN Authentication Bypass (CVE-2026-50751) – Active Exploitation Confirmed
Key Takeaways
CVE-2026-50751 is a critical Check Point VPN authentication bypass vulnerability affecting IKEv1-enabled deployments. Check Point has confirmed active exploitation in the wild, with observed activity linked to Qilin ransomware affiliates. Organizations should apply the available hotfix immediately, or disable IKEv1 if patching cannot be completed right away.
Check Point VPN authentication bypass: What security teams need to know
Check Point’s advisory dropped on June 8th about a bug in their Remote Access VPN that basically lets someone bypass login entirely – no password needed, they just get in.
It’s already being exploited in the wild and Check Point themselves confirmed that at least one of the attacked organizations ended up with Qilin ransomware.
Patch is available, so if we or any of our clients are running Check Point VPN with IKEv1 still on, that needs to be the first thing we sort today.
What is happening with the Check Point IKEv1 VPN exploit?
The actual vulnerability
The issue lies in how Check Point handles certificate validation during the IKEv1 key exchange. There’s a logic flaw that an attacker can abuse to skip the password and still get a valid VPN session. The authentication step simply doesn’t happen.
While investigating this, Check Point also found a second bug – CVE-2026-50752 (CVSS 7.4) – in the same IKEv1 code. That one could allow a man-in-the-middle attack on site-to-site VPN tunnels. Not exploited yet, but the same hotfix covers it, so there is no reason to leave it unpatched.
Which Check Point products and versions are affected?
- Remote Access VPN, Mobile Access, SSL VPN, Spark Firewall, Security Gateways
- Versions: R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10
- Only exploitable if IKEv1 is still enabled. Already using IKEv2 only? You’re fine.
- R80.20.X, R80.40, R81, R81.10 are all end-of-support – if anyone is still on these, that’s a separate conversation that needs to happen
How long has the Check Point VPN flaw been actively exploited?
Check Point started investigating on June 4th, but when they dug into it, they found exploitation going back to May 7th. So, attackers had about a month of unrestricted activity before this became public. Advisory and hotfix came out on June 8th. Since it’s now public, scanning is going to ramp up fast.
Organizations leveraging Managed Detection and Response (MDR) Services or SOC-as-a-Service can use historical threat hunting to identify indicators of compromise and potential lateral movement.
Who is exploiting the Check Point VPN vulnerability?
From the post-exploitation activity Check Point observed, they’re linking this to a Qilin ransomware affiliate. The group is using the Tox protocol for C2, which is something we’ve seen with ransomware crews before.
Their attack infrastructure runs across Kaupo Cloud HK, Shock Hosting, and Vultr.
They seem to match their VPS location to their target geography – so attacks on Taiwanese orgs came from Taiwan-based servers, probably to blend into local traffic.
Also worth noting – this isn’t a Check Point-only campaign. The same group is believed to be exploiting VPN bugs in Palo Alto, Fortinet, and F5 at the same time. They’re just going after anything perimeter-facing that has an open vuln.
IOCs to block and hunt for
Attacker IPs (defanged):
File Hashes (MD5):
- 52fda5c1b9704544f32ee98d9060e689
- 51d39aa39478beeac94f2d12f682ecce
What is the business impact of the Check Point VPN authentication bypass (CVE-2026-50751)?
The simple version: an attacker reaches the gateway, skips login, and obtains a VPN session.
From there they still need to move laterally to do real damage, but getting past the perimeter is the hardest part, and this vulnerability makes it easy for them.
With a ransomware group confirmed behind this, we’re not talking about data exfil quietly happening in the background – we’re talking servers getting encrypted and operations going down. The Linux payload they’re dropping goes after infrastructure, not just endpoints.
Also, since this group is hitting multiple VPN vendors simultaneously, even if Check Point isn’t your primary concern, it’s a good reminder to check everything perimeter-facing right now.
What actions should security teams take now?
- Apply the hotfix – sk185033 for CVE-2026-50751 and sk185035 for CVE-2026-50752. Anything internet-facing gets done first, no exceptions.
- Can’t patch right now? Disable IKEv1 in Remote Access settings. That kills the attack path until you get the patch done.
- Go back and check logs from May 7th – look for VPN sessions without a corresponding MFA event, logins from unusual geos or ASNs, and any of the attacker IPs in your firewall or SIEM logs. If anything looks off, assume compromise first and investigate from there.
- Push IOCs into your tooling – the 9 IPs go into the firewall blocklist, the 2 MD5 hashes go into EDR. Do this now regardless of whether you’ve patched yet.
- Check the rest of your perimeter – same actor, same time window, Palo Alto, Fortinet and F5 VPN bugs. Confirm patch status across all of them.
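A simple retro-hunt over exported VPN logs, as an added example that is not Check Point's tooling and not part of the original advisory: it flags logins on or after May 7th that have no matching MFA event (the bypass skips authentication entirely, so no MFA record should exist) or that come from a blocklisted source. The key=value log format, the sample lines and the blocklist addresses (TEST-NET ranges, not the advisory's IOCs) are all constructed assumptions; the geo/ASN check is left out because it needs an external lookup.

```python
"""Hunt exported VPN logs for sessions lacking MFA or from blocklisted sources."""
from datetime import datetime

# Constructed sample blocklist (TEST-NET addresses), standing in for the real IOC list.
BLOCKLIST = {"203.0.113.10", "198.51.100.7"}
# Earliest exploitation date from the advisory; hunt from here forward.
EXPLOIT_START = "2026-05-07T00:00:00"

# Constructed sample log export: simplified key=value lines, not Check Point's native format.
SAMPLE_LOGS = """\
time=2026-05-05T08:01:00 type=vpn_login user=alice src=192.0.2.5 session=s1
time=2026-05-05T08:01:02 type=mfa_ok user=alice session=s1
time=2026-05-09T02:14:00 type=vpn_login user=bob src=203.0.113.10 session=s2
time=2026-05-10T11:30:00 type=vpn_login user=carol src=192.0.2.9 session=s3
time=2026-05-10T11:30:03 type=mfa_ok user=carol session=s3
time=2026-05-11T03:00:00 type=vpn_login user=dave src=198.18.0.4 session=s4
"""


def parse(line):
    """Turn one 'k=v k=v ...' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def hunt(log_text, blocklist=BLOCKLIST, since=EXPLOIT_START):
    """Return (session, user, src, reasons) for each suspicious login since `since`."""
    cutoff = datetime.fromisoformat(since)
    logins, mfa_sessions = [], set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["type"] == "mfa_ok":
            mfa_sessions.add(ev["session"])   # session completed MFA
        elif ev["type"] == "vpn_login":
            logins.append(ev)
    findings = []
    for ev in logins:
        if datetime.fromisoformat(ev["time"]) < cutoff:
            continue  # before the known exploitation window
        reasons = []
        if ev["session"] not in mfa_sessions:
            reasons.append("no_mfa")           # session established without MFA
        if ev["src"] in blocklist:
            reasons.append("blocklisted_src")  # source matches an IOC
        if reasons:
            findings.append((ev["session"], ev["user"], ev["src"], reasons))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Any hit is a starting point for an investigation, not proof of compromise on its own; confirm against the gateway's full session and MFA records before acting.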
Additional Resources
- Check Point Advisory – CVE-2026-50751 (sk185033): https://support.checkpoint.com/results/sk/sk185033
- Check Point Advisory – CVE-2026-50752 (sk185035): https://support.checkpoint.com/results/sk/sk185035
- Check Point Blog (June 8, 2026): https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
- Qilin Ransomware Profile – Ctrl Alt Intel: https://ctrlaltintel.com/research/Qilin/
