CVE-2026-50751: Critical Check Point VPN Authentication Bypass Under Active Exploitation

CVE-2026-50751 is a critical authentication bypass in Check Point Remote Access VPN and Mobile Access deployments that use the deprecated IKEv1 key exchange. It carries a CVSS score of 9.3, it's being actively exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on June 8, 2026 with a three-day remediation deadline. If you run an affected gateway with IKEv1, apply Check Point's hotfix now.

What is CVE-2026-50751?

CVE-2026-50751 is an improper authentication flaw (CWE-287) in Check Point's Remote Access VPN and Mobile Access components. The weakness lives in how certificate validation is handled during the deprecated IKEv1 key exchange.

In practical terms, an unauthenticated remote attacker can exploit a logic flaw in that validation process to establish a remote access VPN connection without a valid user password. The authentication step that's supposed to stand between an outside attacker and your VPN simply doesn't hold.

Bypassing authentication gets an attacker a VPN session, not automatic control of your internal network. Check Point notes that additional post-authentication activity is required to reach internal resources or escalate privileges. That's not reassurance to lean on, though. A foothold inside the VPN is exactly the starting point most intrusions need.

What products and versions are affected?

The vulnerability affects Check Point gateways configured to use the deprecated IKEv1 key exchange protocol. Specifically, Check Point lists these affected products:

  • Mobile Access / SSL VPN
  • Remote Access VPN
  • Spark Firewall

The affected version trains are:

  • R80.20.X (End of Support)
  • R80.40 (End of Support)
  • R81 (End of Support)
  • R81.10 (End of Support)
  • R81.10.X
  • R81.20
  • R82
  • R82.00.X
  • R82.10

The common thread is IKEv1. If your Remote Access or Mobile Access configuration relies on that deprecated key exchange, you're in scope. Several of the affected trains are already past end of support, which tends to correlate with gateways that haven't been touched in a while. Those are worth finding first.

How severe is it?

Severe enough that CISA gave federal agencies three days to act. CVE-2026-50751 carries a CVSS 3.1 base score of 9.3 (Critical), with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N. That score comes from CISA's ADP assessment; NVD's own enrichment was still pending at the time of writing, and Check Point independently lists the same 9.3 figure.

The vector tells the story. The attack is network-based, requires low attack complexity, needs no privileges, and needs no user interaction. There's nothing for an attacker to phish and no local access required. They just need to reach an exposed, IKEv1-configured gateway over the network.

This is also a Known Exploited Vulnerability. CISA added CVE-2026-50751 to the KEV catalog on June 8, 2026, with a remediation due date of June 11, 2026. KEV inclusion means confirmed exploitation, not theoretical risk.

Has this been exploited in the wild?

Yes. Check Point Research confirmed active exploitation and launched its investigation on June 4, 2026 after spotting suspicious activity. The earliest observed exploitation dates back to May 7, 2026, and exploitation attempts increased in early June.

So far the activity has been targeted rather than mass-scale. Check Point describes it as limited to a few dozen organizations globally. In at least one case, the intrusion led to confirmed post-compromise activity associated with a Qilin ransomware affiliate. Check Point assesses with medium confidence that the actor is financially motivated and observed overlap with Qilin ransomware tooling.

A few dozen victims is not a reason to relax. Targeted exploitation of a VPN auth bypass is a familiar precursor to ransomware, and the window between "limited and targeted" and "widely scanned" is usually short once a flaw is public and in the KEV catalog.

If you run an affected gateway, treat compromise as possible and investigate. Check Point recommends prioritizing forensic log audits and configuration reviews going back to the earliest observed exploitation date of May 7, 2026. Check Point's advisory includes indicators of compromise, including attacker IP addresses and file hashes, to support that review.

Are patches available?

Yes. Check Point has released a hotfix for all affected gateways. The remediation details, affected configurations, alternative mitigation steps, and exact upgrade guidance live in Check Point's support article sk185033.

For organizations that can't install the hotfix immediately, Check Point's advisory describes alternative mitigations through remote-access configuration settings. The companion issue CVE-2026-50752 is addressed in a separate article, sk185035.

Given the active exploitation and the three-day KEV deadline, the hotfix is the priority. Treat configuration-based mitigations as a stopgap, not a destination.

What should you do right now?

Move in this order:

  1. Find your affected gateways. Identify every internet-facing Check Point gateway running Remote Access VPN, Mobile Access, or SSL VPN, and flag any configured for IKEv1. Don't forget end-of-support trains like R80.40 and R81, which are easy to lose track of.
  2. Apply the hotfix. Install Check Point's update per sk185033 on every affected gateway. This is the durable fix.
  3. Apply interim mitigations if you can't patch yet. Use the remote-access configuration changes Check Point documents in the advisory as a temporary measure until the hotfix is in place.
  4. Hunt for compromise. Because exploitation is confirmed, review VPN authentication and connection logs back to May 7, 2026. Check Point's advisory provides indicators of compromise to look for, including known attacker IPs and file hashes.
  5. Reassess IKEv1. The root cause is a deprecated key exchange. If you don't have a hard requirement for IKEv1, this is a good moment to plan its retirement.
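Steps 1 and 4 above, as an added example that is not Check Point's or Halo Security's tooling: it scopes an inventory against the products and version trains listed on this page, then filters VPN log events from May 7, 2026 onward against an IoC list. The inventory and log field names, the sample records, the reading of `.X` as a wildcard, the ordering and the placeholder IoC address (RFC 5737 documentation range) are assumptions; real indicators come from Check Point's advisory.

```python
from datetime import date

# Version trains listed on this page; True marks End of Support.
AFFECTED = {"R80.20.X": True, "R80.40": True, "R81": True, "R81.10": True,
            "R81.10.X": False, "R81.20": False, "R82": False,
            "R82.00.X": False, "R82.10": False}
PRODUCTS = {"Mobile Access / SSL VPN", "Remote Access VPN", "Spark Firewall"}
HUNT_START = date(2026, 5, 7)  # earliest observed exploitation per the page

def match_train(version):
    """Map a version to a listed train, or None. Assumption: '.X' = any sub-release."""
    if version in AFFECTED:
        return version
    for train in AFFECTED:
        if train.endswith(".X") and version.startswith(train[:-1]):
            return train
    return None

def triage(inventory):
    """In-scope gateway names: internet-facing first, then End of Support first."""
    hits = []
    for gw in inventory:
        train = match_train(gw["version"])
        if train and gw["ikev1"] and PRODUCTS & set(gw["products"]):
            hits.append((not gw["internet_facing"], not AFFECTED[train], gw["name"]))
    return [name for _, _, name in sorted(hits)]

def hunt(events, ioc_ips):
    """Log events inside the review window whose source address is a listed IoC."""
    return [e for e in events if e["src"] in ioc_ips
            and date.fromisoformat(e["date"]) >= HUNT_START]

# Constructed sample data; field names are hypothetical, not a Check Point schema.
INVENTORY = [
    {"name": "gw-hq-01", "version": "R81.20", "products": ["Mobile Access / SSL VPN"], "ikev1": True, "internet_facing": True},
    {"name": "gw-branch-01", "version": "R80.40", "products": ["Remote Access VPN"], "ikev1": True, "internet_facing": True},
    {"name": "gw-hq-02", "version": "R82", "products": ["Remote Access VPN"], "ikev1": False, "internet_facing": True},
    {"name": "gw-lab-01", "version": "R80.20.35", "products": ["Spark Firewall"], "ikev1": True, "internet_facing": False},
]
EVENTS = [
    {"date": "2026-05-02", "src": "203.0.113.10", "gateway": "gw-branch-01"},
    {"date": "2026-05-19", "src": "203.0.113.10", "gateway": "gw-branch-01"},
    {"date": "2026-06-03", "src": "198.51.100.7", "gateway": "gw-hq-01"},
]
IOC_IPS = {"203.0.113.10"}  # placeholder standing in for the advisory's IoC list

if __name__ == "__main__":
    print(triage(INVENTORY), hunt(EVENTS, IOC_IPS))
```

`gw-hq-02` drops out because it does not use IKEv1, and the May 2 event falls before the review window.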

The Halo Security team is currently investigating detection coverage for this issue. In the meantime, continuous asset discovery helps you identify your VPN gateways that are exposed to the internet, and external vulnerability management can help you keep newly weaponized flaws like this one at the top of the queue.

FAQ

Is CVE-2026-50751 being actively exploited?

Yes. Check Point Research has confirmed active exploitation in the wild, with the earliest observed activity dating to May 7, 2026. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 8, 2026.

Do I need to patch immediately?

Yes, if you run an affected Check Point gateway configured for IKEv1. CISA set a remediation due date of June 11, 2026, and the vulnerability is under active exploitation, so applying Check Point's hotfix should be treated as urgent.

How can I tell if I'm affected?

You're affected if you run Check Point Remote Access VPN, Mobile Access / SSL VPN, or Spark Firewall on an affected version configured to use the deprecated IKEv1 key exchange. Check Point's advisory sk185033 lists the affected versions and configurations.

What is the difference between CVE-2026-50751 and CVE-2026-50752?

CVE-2026-50751 is the actively exploited authentication bypass on Remote Access and Mobile Access VPN, scored 9.3. CVE-2026-50752 is a separate, lower-severity issue (CVSS 7.4) that can allow a man-in-the-middle attack on site-to-site VPN connections through the same IKEv1 certificate validation logic. CVE-2026-50752 has not been observed exploited in the wild.

Is this linked to ransomware?

In at least one case, exploitation led to confirmed post-compromise activity associated with a Qilin ransomware affiliate. CISA's KEV entry lists known ransomware use as "Unknown," so treat the ransomware connection as a credible risk rather than a confirmed campaign-wide pattern.

Stay ahead of newly exploited vulnerabilities

When a VPN flaw lands in the KEV catalog with a three-day deadline, speed depends on knowing exactly which of your internet-facing assets are exposed. Halo Security pairs continuous asset discovery with external vulnerability management and CISA KEV prioritization, so flaws like CVE-2026-50751 surface at the top of your list. If you'd like to see your own external attack surface the way an attacker would, our team is happy to help.


For ongoing tracking of this and other actively exploited vulnerabilities, follow Halo Threat Intelligence, where our Surface Signal scoring rates real-world attack surface exposure for emerging CVEs.