CVE-2026-50751 — Check Point Security Gateway Improper Authentication Vulnerability

Check Point Security Gateway — IKEv1 Auth Bypass Allows Unauthenticated VPN Access; Actively Exploited by Qilin Ransomware

What is Check Point Security Gateway?

Check Point Security Gateway is a widely deployed enterprise network security platform combining firewall, intrusion prevention, VPN, and threat intelligence. The Remote Access VPN and Mobile Access blade — the affected component — allows employees and contractors to connect securely to corporate networks from outside the perimeter. Check Point Security Gateways are deployed at the perimeter of government agencies, financial institutions, healthcare organizations, and large enterprises worldwide, making them a perennial high-value target for ransomware operators and nation-state actors seeking initial network access.

Overview

CVE-2026-50751 is a critical authentication bypass in Check Point Security Gateway's IKEv1 (Internet Key Exchange version 1) implementation, affecting the Remote Access VPN and Mobile Access blades. A logic flaw in the IKEv1 certificate validation flow allows an unauthenticated remote attacker to bypass user authentication and establish a VPN session without possessing a valid password. Check Point discovered the vulnerability during incident response to active exploitation and confirmed it has been used in ransomware attacks. CISA issued an unusually short 3-day remediation deadline (June 11, 2026) reflecting both the critical severity and active ransomware use. A companion vulnerability, CVE-2026-50752, is addressed in the same hotfix.

Affected Versions

Version | Status | Action Required
R81.20 | Vulnerable (in support) | Apply hotfix from SK185033
R82, R82.00.X, R82.10 | Vulnerable (in support) | Apply hotfix from SK185033
R81.10.X | Vulnerable (End of Support) | Upgrade to supported version + apply hotfix
R81 | Vulnerable (End of Support) | Upgrade to supported version + apply hotfix
R80.40 | Vulnerable (End of Support) | Upgrade to supported version + apply hotfix
R80.20.X | Vulnerable (End of Support) | Upgrade to supported version + apply hotfix
Spark Firewall (R80.20.X, R81.10.X, R82.00.X) | Vulnerable | Apply hotfix per SK185033

Technical Details

The vulnerability is a logic flaw in Check Point's implementation of the IKEv1 key exchange protocol used by legacy Remote Access VPN and Mobile Access clients. During IKEv1 Phase 1 negotiation with certificate-based authentication, a conditional flow error in the certificate validation logic allows the exchange to succeed — establishing an authenticated VPN session — without the connecting client possessing a valid password or correctly signed certificate (CWE-287: improper authentication).

The flaw manifests only when gateways are configured to accept legacy Remote Access or Mobile Access clients using IKEv1 without mandating machine certificates for all connecting clients. Once an attacker establishes the VPN session, they gain a network-level foothold and must still perform post-authentication privilege escalation or lateral movement to reach internal resources.

Attack characteristics:

  • Attack vector: Network (internet-facing VPN endpoint)
  • Authentication required: None
  • User interaction: None
  • CVSS scope: Changed — impact crosses from the external attacker into the protected internal network segment

Discovery

Discovered internally by Check Point during incident response to active exploitation beginning May 7, 2026. No external researcher is credited. The vulnerability was already being exploited as a zero-day when Check Point began its investigation.

Exploitation Context

  • First exploitation: May 7, 2026 — confirmed by Check Point incident response.
  • Scale: "A few dozen" targeted organizations worldwide — a targeted campaign, not opportunistic mass exploitation.
  • Ransomware: At least one confirmed case of Qilin ransomware deployment by a Qilin affiliate following successful VPN authentication bypass.
  • Threat actor: Assessed with medium confidence as financially motivated; attacker infrastructure operated on Kaupo Cloud HK, Shock Hosting, and Vultr Holdings VPS providers.
  • Attacker IPs (9 identified): 45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139, and six additional IPs listed in Check Point's IoC guidance.
  • Post-exploitation payloads (MD5): 52fda5c1b9704544f32ee98d9060e689, 51d39aa39478beeac94f2d12f682ecce (ELF binaries retrieved from attacker-controlled servers).
  • CISA's 3-day patch deadline (June 8 → June 11) is one of the shortest ever issued under BOD 22-01, reflecting the combination of critical severity, confirmed ransomware use, and active targeted exploitation.

Remediation

  1. Apply the hotfix immediately for your gateway version from Check Point SK185033. Hotfixes are available for all in-support versions (R81.20, R82.x, Spark).
  2. End-of-support versions (R80.20.X, R80.40, R81, R81.10.X): Upgrade to a supported release before applying the hotfix. These versions receive no direct fix.
  3. Immediate workaround if patching is delayed: disable IKEv1 for Remote Access and Mobile Access in the gateway configuration and migrate all clients to IKEv2. This eliminates the vulnerable code path entirely.
  4. Require machine certificates for all Remote Access VPN clients — this eliminates the vulnerable authentication path even on unpatched gateways.
  5. Block known attacker IPs (see the SK185033 IoC list) and search your endpoint detection tooling for the published payload hashes.
  6. Hunt for anomalous VPN sessions: Look for sessions from unexpected source IPs, sessions without a corresponding successful password authentication event, or VPN connections from unexpected client software versions.
  7. Also review CVE-2026-50752, a companion vulnerability addressed in the same hotfix. Applying the hotfix covers both.
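One way to implement the VPN session hunt in step 6, as an added example that is not from the page or from Check Point: it runs over constructed log lines in a simplified key=value format (an assumption, not Check Point's native log schema) and flags established sessions with no preceding authentication success for the same user and source, sessions from a placeholder IP blocklist, and sessions from client versions outside a placeholder allowlist.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value format (not Check Point's
# native log schema); times are UTC. bob and dave are the suspicious sessions.
SAMPLE_LOGS = """\
2026-05-07T09:00:01Z event=vpn_auth_success user=alice src=198.51.100.10 client_ver=E88.40
2026-05-07T09:00:02Z event=vpn_session_established user=alice src=198.51.100.10 client_ver=E88.40
2026-05-07T09:05:00Z event=vpn_session_established user=bob src=203.0.113.77 client_ver=E88.40
2026-05-07T09:10:00Z event=vpn_auth_success user=carol src=198.51.100.11 client_ver=E88.40
2026-05-07T09:10:01Z event=vpn_session_established user=carol src=198.51.100.11 client_ver=E88.40
2026-05-07T09:12:00Z event=vpn_auth_success user=dave src=198.51.100.12 client_ver=E00.01
2026-05-07T09:12:01Z event=vpn_session_established user=dave src=198.51.100.12 client_ver=E00.01
"""

# Placeholder values: fill the blocklist from the SK185033 IoC list and the
# allowlist from the client builds you have actually deployed.
KNOWN_BAD_IPS = {"203.0.113.77"}
EXPECTED_CLIENT_VERSIONS = {"E88.40"}
AUTH_WINDOW = timedelta(seconds=60)  # max gap between auth success and session start

def parse(log_text):
    # Turn the constructed key=value lines into dicts with a datetime under 'ts'.
    events = []
    for line in filter(None, log_text.splitlines()):
        ts_str, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def hunt(log_text, bad_ips=KNOWN_BAD_IPS, expected_versions=EXPECTED_CLIENT_VERSIONS):
    """Return {'user@src': [reasons]} for established VPN sessions worth a look."""
    events = parse(log_text)
    auth_ok = [e for e in events if e["event"] == "vpn_auth_success"]
    findings = {}
    for s in (e for e in events if e["event"] == "vpn_session_established"):
        reasons = []
        # Primary bypass signal: no password auth success logged shortly before the session.
        preceded = any(a["user"] == s["user"] and a["src"] == s["src"]
                       and timedelta(0) <= s["ts"] - a["ts"] <= AUTH_WINDOW
                       for a in auth_ok)
        if not preceded:
            reasons.append("no matching auth success")
        if s["src"] in bad_ips:
            reasons.append("source IP on blocklist")
        if s["client_ver"] not in expected_versions:
            reasons.append("unexpected client version")
        if reasons:
            findings[f"{s['user']}@{s['src']}"] = reasons
    return findings
```

Run hunt() over exported gateway logs converted to this shape; a session that trips "no matching auth success" is the case to escalate first.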

Key Details

Property | Value
CVE ID | CVE-2026-50751
Vendor / Product | Check Point — Security Gateway
NVD Published | 2026-06-08
NVD Last Modified | 2026-06-09
CVSS 3.1 Score | 9.3
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Severity | CRITICAL
CWE | CWE-287
CISA KEV Added | 2026-06-08
CISA KEV Deadline | 2026-06-11
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2026-06-11. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2026-05-07 | First confirmed exploitation detected by Check Point incident response
2026-06-08 | Check Point publishes hotfix and advisory SK185033; CVE published; added to CISA KEV catalog
2026-06-11 | CISA BOD 22-01 remediation deadline (3-day window — unusually urgent)