Key Takeaways
CVE-2026-50751 is a critical Check Point VPN authentication bypass vulnerability affecting IKEv1-enabled deployments. Check Point has confirmed active exploitation in the wild, with observed activity linked to Qilin ransomware affiliates. Organizations should apply the available hotfix immediately, or disable IKEv1 as an interim measure if patching cannot be completed right away.
Check Point’s advisory dropped on June 8th about a bug in their Remote Access VPN that basically lets someone bypass login entirely – no password needed, they just get in.
It’s already being exploited in the wild and Check Point themselves confirmed that at least one of the attacked organizations ended up with Qilin ransomware.
Patch is available, so if we or any of our clients are running Check Point VPN with IKEv1 still on, that needs to be the first thing we sort today.
The actual vulnerability
The issue is how Check Point handles certificate validation during IKEv1 key exchange. There’s a logic flaw that an attacker can abuse to skip the password and still get a valid VPN session. The authentication step simply doesn’t happen.
While investigating this, Check Point also found a second bug – CVE-2026-50752 (CVSS 7.4) – in the same IKEv1 code. That one could allow a man-in-the-middle attack on site-to-site VPN tunnels. Not exploited yet, but the same hotfix covers it, so there is no reason to leave it unpatched.
Which Check Point products and versions are affected?
Check Point started investigating on June 4th, but when they dug into it, they found exploitation going back to May 7th. So, attackers had about a month of unrestricted activity before this became public. Advisory and hotfix came out on June 8th. Since it’s now public, scanning is going to ramp up fast.
Organizations leveraging Managed Detection and Response (MDR) Services or SOC-as-a-Service can use historical threat hunting to identify indicators of compromise and potential lateral movement.
From the post-exploitation activity Check Point observed, they’re linking this to a Qilin ransomware affiliate. The group is using the Tox protocol for C2, which is something we’ve seen with ransomware crews before.
Their attack infrastructure runs across Kaupo Cloud HK, Shock Hosting, and Vultr.
They seem to match their VPS location to their target geography – so attacks on Taiwanese orgs came from Taiwan-based servers, probably to blend into local traffic.
Also worth noting – this isn’t a Check Point-only campaign. The same group is believed to be exploiting VPN bugs in Palo Alto, Fortinet, and F5 at the same time. They’re just going after anything perimeter-facing that has an open vuln.
IOCs to block and hunt for
Attacker IPs (defanged):
File Hashes (MD5):
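The two IOC lists above are what the historical hunt mentioned earlier would be run against. The script below is an added example, not part of the advisory and not Check Point tooling: it refangs the defanged IPs, normalises the MD5 hashes, scans log lines for either, and lets you restrict the results to a lookback window (the advisory's observed start date, May 7th, is the obvious choice). The IOC values, the log lines and their format are all constructed placeholders; substitute the advisory's real list and your own gateway and EDR exports.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed placeholder IOCs. These are NOT the advisory's values; replace
# them with the defanged IPs and MD5 hashes published in the advisory.
DEFANGED_IPS = ["203[.]0[.]113[.]10", "198[.]51[.]100[.]77"]
MD5_HASHES = ["0123456789abcdef0123456789abcdef"]

# Constructed sample log lines. The format is illustrative only and is not
# the real Check Point or EDR log layout.
SAMPLE_LOGS = [
    "2026-05-09T02:14:07Z gw1 vpnd: IKEv1 Main Mode negotiation from 203.0.113.10, peer authenticated",
    "2026-05-09T02:14:09Z gw1 vpnd: Remote Access session established user=svc_backup src=203.0.113.10",
    "2026-05-10T11:00:00Z gw1 vpnd: IKEv2 negotiation from 192.0.2.5, peer authenticated",
    "2026-05-11T03:22:41Z srv-db01 edr: file created /tmp/.x md5=0123456789ABCDEF0123456789ABCDEF",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('203[.]0[.]113[.]10', 'hxxp://') back into its usable form."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "ip" or "md5"
    indicator: str # the normalised indicator that matched
    line: str      # the full log line, kept for triage


def hunt(lines, defanged_ips=DEFANGED_IPS, md5s=MD5_HASHES):
    """Return every line that contains a listed IP or MD5, in log order."""
    ips = {refang(i) for i in defanged_ips}
    hashes = {h.strip().lower() for h in md5s}
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append(Hit(n, "ip", ip, line))
        for h in MD5_RE.findall(line):
            if h.lower() in hashes:
                hits.append(Hit(n, "md5", h.lower(), line))
    return hits


def hits_in_window(hits, start_iso: str):
    """Keep only hits whose leading ISO-8601 timestamp is at or after start_iso.

    Lines are assumed to start with a UTC timestamp such as 2026-05-07T00:00:00Z.
    """
    start = datetime.fromisoformat(start_iso.replace("Z", "+00:00"))
    kept = []
    for hit in hits:
        ts = datetime.fromisoformat(hit.line.split()[0].replace("Z", "+00:00"))
        if ts >= start:
            kept.append(hit)
    return kept


if __name__ == "__main__":
    # Lookback starts at the earliest exploitation date the advisory reports.
    for hit in hits_in_window(hunt(SAMPLE_LOGS), "2026-05-07T00:00:00Z"):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} :: {hit.line}")
```

Two things worth keeping from this pattern: hashes are compared case-insensitively because EDR exports are inconsistent about that, and a listed IP that shows up in a session-established line (as opposed to just a failed negotiation) is the one to escalate first, since that is the bypass succeeding.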
The simple version: an attacker reaches the gateway, skips login, and obtains a VPN session.
From there they still need to move laterally to do real damage, but getting past the perimeter is the hardest part, and this vulnerability makes it easy for them.
With a ransomware group confirmed behind this, we’re not talking about data exfil quietly happening in the background – we’re talking servers getting encrypted and operations going down. The Linux payload they’re dropping goes after infrastructure, not just endpoints.
Also, since this group is hitting multiple VPN vendors simultaneously, even if Check Point isn’t your primary concern, it’s a good reminder to check everything perimeter-facing right now.