Critical Authentication Bypass in Check Point VPN Exploited by Ransomware Group
A critical vulnerability in Check Point's VPN products has been exploited since May 7, allowing attackers to bypass authentication. The flaw, tracked as CVE-2026-50751, has seen limited but targeted exploitation by a Qilin ransomware affiliate. Check Point has released hotfixes and advised immediate patching, with CISA urging federal agencies to act swiftly.
Summary
A critical vulnerability in Check Point's VPN products, identified as CVE-2026-50751, has been actively exploited since May 7. The flaw allows attackers to bypass authentication by exploiting a logic flow weakness in the validation process of Remote Access and Mobile Access certificates. It exists within the deprecated IKEv1 key exchange protocol. Exploitation has primarily targeted a few dozen organizations globally, with confirmed activity linked to a Qilin ransomware affiliate.
What Happened
Check Point disclosed that CVE-2026-50751 is a critical-severity authentication bypass vulnerability affecting its VPN and firewall products. This flaw enables remote attackers to establish VPN sessions without valid credentials by exploiting a logic flow weakness in the validation process of Remote Access and Mobile Access certificates within the deprecated IKEv1 key exchange protocol.
Exploitation Status
Exploitation of CVE-2026-50751 has been confirmed since May 7, with activity increasing in early June. Check Point notes that the observed exploitation is limited to a few dozen targeted organizations globally. The company also identified at least one attack linked to a Qilin ransomware affiliate. Additionally, Check Point suspects that the threat actor exploiting this vulnerability may also be exploiting other VPN-related vulnerabilities in products from vendors like Palo Alto, Fortinet, and F5.
Indicators of Compromise
Check Point has released indicators of compromise (IoCs) related to CVE-2026-50751. These include IP addresses such as 45.77.149[.]152 and 209.182.225[.]136, among others. The actors are believed to use the Tox protocol for communication, a pattern often associated with financially motivated ransomware groups.
Detection Opportunities
Incident response teams should prioritize forensic log audits and configuration reviews starting from May 7, 2026, when exploitation attempts began. Check Point's investigation revealed that attackers used dedicated virtual private server (VPS) infrastructure hosted by providers like Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.
Technical Details
CVE-2026-50751 allows attackers to bypass user authentication by exploiting a logic flow weakness in the certificate validation process of Remote Access and Mobile Access. This vulnerability enables remote access VPN connections without valid user passwords. During their investigation, Check Point Research identified an additional vulnerability, CVE-2026-50752, which impacts certificate validation in the IKEv1 key exchange but has not been exploited in the wild.
Affected Products and Fixed Versions
The vulnerabilities affect Check Point's Security Gateways configured to use the deprecated IKEv1 key exchange protocol. Check Point has released hotfixes for these vulnerable appliances. Organizations using IKEv1 are strongly encouraged to apply these updates immediately.
Defender Guidance
Organizations should:
- Apply the available security updates from Check Point immediately.
- Conduct forensic log audits and configuration reviews starting from May 7, 2026.
- Monitor for IoCs associated with CVE-2026-50751, including specific IP addresses and patterns of communication.
- Consider transitioning away from the deprecated IKEv1 key exchange protocol to mitigate risks.
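The log audit and IoC monitoring steps above can be sketched as a small script. This is an added example, not Check Point tooling: it refangs the two addresses quoted on this page and reports first and last sightings on or after May 7, 2026. The log layout (an ISO 8601 timestamp followed by free text) and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# IoC addresses exactly as quoted on this page (defanged); extend from the vendor's full list.
DEFANGED_IOCS = ["45.77.149[.]152", "209.182.225[.]136"]
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)  # exploitation start per the page
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")  # whole addresses only

# Constructed sample records; the key=value fields are hypothetical, not a Check Point format.
SAMPLE_LOG = [
    "2026-05-01T10:00:00+00:00 src=45.77.149.152 dst=192.0.2.10 service=vpn",
    "2026-05-09T03:12:44+00:00 src=45.77.149.152 dst=192.0.2.10 service=vpn",
    "2026-06-02T21:40:05+00:00 src=45.77.149.152 dst=192.0.2.10 service=vpn",
    "2026-06-03T08:15:30+00:00 src=145.77.149.152 dst=192.0.2.10 service=vpn",
    "2026-06-04T11:02:19+00:00 src=198.51.100.7 dst=209.182.225.136 service=vpn",
    "malformed line without timestamp 209.182.225.136",
]

def refang(ioc):
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable address."""
    return ioc.replace("[.]", ".")

def find_ioc_hits(lines, iocs=DEFANGED_IOCS, start=WINDOW_START):
    """Return {ip: {"count", "first", "last"}} for records at or after start."""
    wanted = {refang(i) for i in iocs}
    hits = {}
    for line in lines:
        stamp, _, rest = line.partition(" ")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # not a record in the assumed layout
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)  # assumption: naive stamps are UTC
        if when < start:
            continue  # outside the audit window
        for ip in set(IPV4.findall(rest)) & wanted:
            h = hits.setdefault(ip, {"count": 0, "first": when, "last": when})
            h["count"] += 1
            h["first"] = min(h["first"], when)
            h["last"] = max(h["last"], when)
    return hits

if __name__ == "__main__":
    for ip, h in sorted(find_ioc_hits(SAMPLE_LOG).items()):
        print(ip, h["count"], h["first"].isoformat(), h["last"].isoformat())
```

Matching on whole address tokens avoids false hits on lookalikes such as 145.77.149.152, and records that do not parse are skipped rather than counted.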
What Remains Unclear
While Check Point has provided detailed insights into the exploitation of CVE-2026-50751, it remains unclear how widespread the exploitation might become beyond the few dozen targeted organizations observed so far. Additionally, the full scope of other VPN-related vulnerabilities being exploited by the same threat actor is not yet confirmed.
Sources
- https://www.securityweek.com/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks/
- https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
- https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
