Organisations using Check Point Remote Access VPN, Mobile Access, or Spark Firewall solutions are advised to take immediate action following confirmed active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability. This flaw, which carries a severity score of 9.3, affects environments configured to use the deprecated IKEv1 key exchange protocol and allows unauthenticated attackers to gain VPN access without valid user credentials.

The vulnerability originates from a logic flaw in certificate validation within affected VPN components. By abusing this weakness, an attacker can establish a remote VPN session without presenting a legitimate password. While additional steps are required after initial access to move laterally or escalate privileges, this bypass significantly lowers the barrier for unauthorized entry into corporate networks, effectively undermining perimeter defenses.

Observed attacks have been limited but targeted, impacting several dozen organisations globally. Check Point identified suspicious activity beginning on June 4, 2026, with confirmed exploitation dating back to at least May 7, 2026. Notably, one incident demonstrated post-compromise activity linked to a Qilin ransomware affiliate, indicating that threat actors are leveraging this vulnerability as an initial access vector in financially motivated operations.

The threat actor associated with these attacks appears to operate a structured infrastructure using virtual private servers hosted across multiple providers, including Kaupo Cloud HK, Shock Hosting, and Vultr. In some cases, attacker infrastructure geolocation correlated with that of the targeted victim, suggesting deliberate targeting strategies. Indicators also suggest the use of the Tox communication protocol, commonly associated with ransomware groups seeking to evade monitoring, and the use of tools such as Rclone for data exfiltration.

Following successful exploitation, attackers have been observed attempting to deploy Linux-based ransomware payloads, including ELF binaries associated with Qilin ransomware campaigns. This demonstrates a clear progression from initial access to potential data theft and encryption, highlighting the urgency of detection and response. Furthermore, the same actor infrastructure is believed to be actively probing or exploiting other VPN vulnerabilities across multiple vendors, including Palo Alto Networks, Fortinet, and F5, suggesting a broader campaign targeting remote access technologies.

In addition to CVE-2026-50751, Check Point identified a related vulnerability, CVE-2026-50752, during its investigation. This secondary issue affects certificate validation in IKEv1 and could enable man-in-the-middle attacks on site-to-site VPN connections under specific conditions. Although there is no evidence of exploitation in the wild for this flaw, its existence reinforces the risks associated with legacy protocol usage and outdated configurations.

Organisations should assume a heightened risk posture, particularly if they continue to use deprecated IKEv1 configurations. Immediate remediation is strongly recommended through application of vendor-provided hotfixes and upgrades to supported software versions. Where patching cannot be immediately performed, risk can be reduced by disabling IKEv1, removing legacy Remote Access client support, and enforcing stricter authentication controls such as mandatory machine certificates for VPN connections.

Security teams are advised to initiate comprehensive forensic reviews of authentication logs and VPN access records dating back to early May 2026. Indicators of compromise provided by Check Point, including suspicious IP addresses and file hashes, should be used to identify potential intrusions. Special attention should be paid to anomalous VPN sessions, unexpected geographic access patterns, and unusual data transfer activity that could signal ongoing compromise or data exfiltration.
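As an added illustration of the log review described above (this script is not from Check Point or from this bulletin), the following Python triage helper runs over constructed VPN session records in a hypothetical format and flags the patterns the bulletin names: IKEv1 sessions on or after 7 May 2026, logins from countries outside an allowlist, a single account appearing from several countries, and unusually large transfers to the client. The record format, the field names, the allowlist and the transfer threshold are assumptions for the example.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Earliest confirmed exploitation date named in the bulletin.
EXPLOITATION_START = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Constructed sample records in a hypothetical format (not Check Point's own
# log schema): timestamp, user, source IP, source country, IKE version,
# bytes the gateway sent to the client during the session.
SAMPLE_LOG = """\
2026-05-02T08:15:00Z,alice,198.51.100.20,GB,IKEv2,40000000
2026-05-09T02:14:07Z,bob,203.0.113.45,NL,IKEv1,512000
2026-05-09T02:40:31Z,bob,203.0.113.45,NL,IKEv1,9500000000
2026-05-11T13:05:12Z,carol,198.51.100.77,GB,IKEv1,300000
2026-05-12T22:51:49Z,carol,203.0.113.9,BR,IKEv2,120000
"""
Session = namedtuple("Session", "ts user src_ip country ike bytes_to_client")

def parse_sessions(text):
    """Parse the comma-separated records above into Session tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, ike, n = line.split(",")
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        sessions.append(Session(ts, user, ip, country, ike, int(n)))
    return sessions

def triage(sessions, allowed_countries, transfer_threshold=1_000_000_000):
    """Return {user: sorted reasons} for accounts that need a closer look."""
    findings, seen = {}, {}
    for s in sessions:
        reasons = set()
        # Legacy IKEv1 sessions inside the confirmed exploitation window.
        if s.ike == "IKEv1" and s.ts >= EXPLOITATION_START:
            reasons.add("ikev1_in_exploitation_window")
        # Logins from outside the organisation's expected countries.
        if s.country not in allowed_countries:
            reasons.add("unexpected_country")
        # Transfer volume that could indicate bulk data exfiltration.
        if s.bytes_to_client >= transfer_threshold:
            reasons.add("large_outbound_transfer")
        # One account appearing from several countries during the review.
        seen.setdefault(s.user, set()).add(s.country)
        if len(seen[s.user]) > 1:
            reasons.add("multiple_countries")
        if reasons:
            findings.setdefault(s.user, set()).update(reasons)
    return {u: sorted(r) for u, r in findings.items()}
```

Running `triage(parse_sessions(SAMPLE_LOG), {"GB"})` on the constructed records flags bob and carol and leaves alice untouched; each flagged account lists every reason it triggered.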

Given the involvement of ransomware operators, organisations should also validate the integrity of critical systems, review backup availability, and ensure incident response plans are ready for execution. Early detection and containment remain essential to preventing escalation to full ransomware deployment.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
