Critical VPN Bypass Exploited by Ransomware Gang: Immediate Patch Urged for Security
Check Point has patched a critical authentication bypass vulnerability (CVE-2026-50751) affecting Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 protocol, which was exploited in attacks linked to the Qilin ransomware group. The flaw allows unauthenticated attackers to establish remote access connections without valid credentials. Affected organizations are urged to apply security updates immediately or implement mitigation measures if patching is not feasible.
Summary
Israeli cybersecurity firm Check Point has issued urgent security updates to address a critical vulnerability (CVE-2026-50751) in its Remote Access VPN and Mobile Access deployments configured with the deprecated IKEv1 key exchange protocol. The flaw lets unauthenticated attackers bypass authentication, and it was exploited as a zero-day in attacks beginning May 7, 2026. The Qilin ransomware group has been linked to these attacks, having leveraged the vulnerability to gain unauthorized access to targeted organizations worldwide.
What Happened
The vulnerability affects deployments that still use the deprecated IKEv1 key exchange protocol, allowing attackers to bypass authentication and establish remote VPN connections without valid credentials. Check Point's investigation found that exploitation began on May 7, before a fix was available, with a surge of activity in early June. The Qilin ransomware group has been identified as one of the actors exploiting the flaw.
Technical Details
CVE-2026-50751 is an authentication bypass vulnerability affecting Check Point's Remote Access VPN and Mobile Access deployments configured to use IKEv1. By exploiting a logic flaw in certificate validation, attackers can establish VPN sessions without valid credentials. During the same investigation Check Point found a second flaw, CVE-2026-50752, which also affects certificate validation in IKEv1 but has not been seen exploited in the wild.
Affected Products and Fixed Versions
The vulnerability affects deployments configured to use the deprecated IKEv1 key exchange protocol. Check Point advises customers with this configuration to apply the latest security updates immediately. Where patching cannot happen promptly, the vendor's mitigations are to remove support for legacy remote access clients and to restrict Remote Access VPN Authentication to IKEv2 only.
Exploitation Status
Active exploitation of CVE-2026-50751 has been confirmed by Check Point Research, with attacks targeting a few dozen organizations globally. One incident involved post-compromise activity linked to the Qilin ransomware group. While CVE-2026-50752 has not been exploited in the wild, it poses a potential risk for man-in-the-middle attacks on site-to-site VPN connections.
Indicators of Compromise
Check Point identified several indicators suggesting exploitation by financially motivated actors using Qilin ransomware. These include:
- Use of dedicated virtual private server (VPS) infrastructure from providers like Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.
- Attacker VPS geolocation that correlates with the victim organization's geography.
- Observed IPs: 45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139, 162.33.177[.]101, 45.76.26[.]42, 144.208.127[.]155, 38.54.88[.]201, 38.54.107[.]167, 66.42.99[.]200.
- Hashes (32 hex characters, consistent with MD5): 52fda5c1b9704544f32ee98d9060e689, 51d39aa39478beeac94f2d12f682ecce.
Detection Opportunities
Security teams should prioritize forensic log audits and configuration reviews covering the period from May 7, 2026 onward. Matching VPN authentication logs against the IPs above and endpoint or file telemetry against the listed hashes can surface exploitation attempts; address-based indicators are short-lived, so treat them as a starting point rather than a complete detection. Confirming that gateway configurations no longer offer IKEv1 closes the exposure going forward.
What Remains Unclear
While Check Point has confirmed active exploitation of CVE-2026-50751, the full scope of affected organizations and the specific techniques the attackers used after gaining access have not been detailed. Further investigation may reveal additional vulnerabilities or attack vectors associated with this incident.
Defender Guidance
Defenders should:
- Apply security updates to all affected Security Gateways immediately.
- If unable to patch promptly, remove support for legacy remote access clients and configure Remote Access VPN Authentication to IKEv2 only.
- Set Machine Certificate Authentication as mandatory.
- Enable IPS and download the latest signatures.
- Conduct forensic log audits and configuration reviews covering the period from May 7, 2026 onward.
- Monitor for suspicious activity involving identified IPs and hashes.
By following these steps, organizations can mitigate the risk posed by CVE-2026-50751 and protect their networks from potential exploitation.
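The following script is an added example, not code from Check Point or from the advisory, showing how a defender might run the log audit described in the Detection Opportunities section and in the guidance list above: it refangs the published IP indicators, scans a log for logins from those addresses or file events carrying the listed hashes, and marks whether each hit falls on or after May 7, 2026. The log line format and the sample lines are constructed for the example; real Check Point gateway logs will need their own parser.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Indicators as published in the advisory, kept in defanged form.
DEFANGED_IPS = [
    "45.77.149[.]152", "209.182.225[.]136", "38.60.157[.]139",
    "162.33.177[.]101", "45.76.26[.]42", "144.208.127[.]155",
    "38.54.88[.]201", "38.54.107[.]167", "66.42.99[.]200",
]
IOC_HASHES = {
    "52fda5c1b9704544f32ee98d9060e689",
    "51d39aa39478beeac94f2d12f682ecce",
}
# Start of the exploitation window per the advisory (May 7, 2026).
AUDIT_START = datetime(2026, 5, 7, tzinfo=timezone.utc)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '45.77.149[.]152' back into a real address."""
    return indicator.replace("[.]", ".")


# Parse once so comparisons are on address objects, not strings.
IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}

# Hypothetical log format (assumption, not a real Check Point format):
#   <ISO-8601 timestamp> <event> src=<ip> [user=<name>] [hash=<32 hex chars>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+src=(?P<src>\S+)"
    r"(?:\s+user=(?P<user>\S+))?"
    r"(?:\s+hash=(?P<hash>[0-9a-fA-F]{32}))?"
)

# Constructed sample log; 203.0.113.10 and 10.0.0.12 are non-IOC addresses.
SAMPLE_LOG = [
    "2026-05-03T09:12:44+00:00 vpn_login src=45.77.149.152 user=alice",
    "2026-05-08T02:31:07+00:00 vpn_login src=203.0.113.10 user=bob",
    "2026-06-02T23:58:19+00:00 vpn_login src=38.54.88.201 user=svc_backup",
    "2026-06-03T00:04:51+00:00 file_write src=10.0.0.12 user=svc_backup "
    "hash=52FDA5C1B9704544F32EE98D9060E689",
    "2026-06-03T00:05:02+00:00 vpn_login src=not-an-ip user=eve",
    "garbage line that does not parse",
]


def scan_log(lines, since=AUDIT_START):
    """Return one record per line whose source IP or file hash matches the IOC set."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; a real audit should count these
        try:
            ts = datetime.fromisoformat(m["ts"])
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed timestamp or address: skip rather than crash
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # assume UTC for naive timestamps
        reasons = []
        if src in IOC_IPS:
            reasons.append("ioc_ip")
        if m["hash"] and m["hash"].lower() in IOC_HASHES:
            reasons.append("ioc_hash")  # hashes compared case-insensitively
        if reasons:
            hits.append({
                "line": lineno,
                "ts": ts.isoformat(),
                "src": str(src),
                "user": m["user"],
                "reasons": reasons,
                # Hits before the window are still reported, just flagged,
                # so an earlier foothold is not silently dropped.
                "in_window": ts >= since,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Hits outside the audit window are reported with `in_window` set to False rather than discarded, since an indicator appearing before May 7 would itself be worth investigating.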
