CVE-2026-50751: Check Point VPN 0-Day Actively Exploited to Deploy Qilin Ransomware

dark6, 9 June 2026

Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability with a CVSS score of 9.3, affecting Check Point Remote Access VPN and Mobile Access deployments. Threat intelligence links post-compromise activity to the Qilin ransomware gang, making this one of the most urgent vulnerabilities disclosed in 2026.

What Is CVE-2026-50751?

CVE-2026-50751 targets deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an unauthenticated remote attacker can establish a full VPN session without a valid user password — effectively bypassing all authentication requirements. The flaw affects Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products across versions R80.20.X through R82.10.

While initial access is gained through the authentication bypass, additional post-authentication steps are required to access internal resources or escalate privileges within the network.

Active Exploitation Timeline

Check Point Research launched its investigation on June 4, 2026, following indications of suspicious activity. Forensic analysis traced the earliest exploitation attempts back to May 7, 2026, suggesting the vulnerability had been actively leveraged for over a month before disclosure.

Exploitation attempts escalated sharply in early June 2026, targeting a few dozen organizations globally. Incident response teams should prioritize forensic log audits and configuration reviews beginning from the earliest observed exploitation date.

Qilin Ransomware Connection

The threat actor behind the exploitation is assessed with medium confidence to be financially motivated. Investigators identified Qilin Linux ransomware binaries on compromised systems and observed attempts to download malicious ELF files from actor-controlled infrastructure.

The actor likely uses the Tox protocol for command-and-control (C2) communication, a pattern commonly associated with ransomware operators. Notably, the same threat actor is believed to be simultaneously exploiting VPN vulnerabilities disclosed by Palo Alto, Fortinet, and F5, indicating a broad opportunistic campaign targeting enterprise network perimeters.

Attacker infrastructure was hosted across Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with VPS geolocation correlated to victim geography in several cases.

Second Related Vulnerability: CVE-2026-50752

During the CVE-2026-50751 investigation, Check Point’s agentic AI code security platform BLAST identified a related flaw: CVE-2026-50752 (CVSS 7.4). This vulnerability impacts certificate validation in the deprecated IKEv1 key exchange and can enable man-in-the-middle (MitM) interference on site-to-site VPN communications under specific conditions. While not yet observed in active exploitation, customers are urged to apply updates proactively.

Indicators of Compromise (IOCs)

The following malicious IP addresses have been confirmed as attacker infrastructure:


Malicious file hashes (MD5):

  • 52fda5c1b9704544f32ee98d9060e689
  • 51d39aa39478beeac94f2d12f682ecce

Recommended Mitigations

Check Point strongly urges all customers on affected versions to immediately apply the released hotfix for their Security Gateways. For organizations unable to patch instantly, the following interim steps are recommended:

  • Remove support for legacy remote access clients
  • Configure Remote Access VPN Authentication to IKEv2 only
  • Set Machine Certificate Authentication as mandatory
  • Enable IPS and download the latest signatures

Given the active ransomware deployment observed in the wild, patching should be treated as an emergency priority. Organizations should assume that any Check Point VPN device still using IKEv1 may have already been targeted and perform a thorough incident review.
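As an added example (not part of the advisory and not Check Point tooling), the script below applies the guidance above to exported VPN session logs: it flags sessions from advisory IOC addresses, IKEv1 sessions accepted on or after the earliest observed exploitation date, and accepted sessions that did not use machine certificate authentication, and it checks a file body against the two MD5 hashes listed above. The key=value log format, the sample lines and the IOC IP placeholder are constructed for this example; the hash values and dates come from the advisory.

```python
import hashlib
import re
from datetime import datetime, timezone

# Earliest exploitation date reported in the advisory; audit logs from here on.
EARLIEST_EXPLOITATION = datetime(2026, 5, 7, tzinfo=timezone.utc)

# MD5 hashes listed in the advisory.
IOC_MD5 = {
    "52fda5c1b9704544f32ee98d9060e689",
    "51d39aa39478beeac94f2d12f682ecce",
}

# Constructed placeholder; load the advisory's IP list here in practice.
IOC_IPS = {"198.51.100.7"}

# Hypothetical key=value session-log format (constructed, not a real
# Check Point schema); adapt the regex to your gateway's log export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"ike=(?P<ike>v[12]) auth=(?P<auth>\S+) result=(?P<result>\S+)$"
)

# Constructed sample export: one benign IKEv2 session, two IKEv1 sessions
# inside the exploitation window (one from an IOC address), one rejection.
SAMPLE_LOG = [
    "2026-04-30T10:00:00Z src=203.0.113.5 user=alice ike=v2 auth=machine-cert result=accept",
    "2026-05-09T03:12:44Z src=198.51.100.7 user=- ike=v1 auth=none result=accept",
    "2026-06-02T22:41:09Z src=203.0.113.9 user=bob ike=v1 auth=password result=accept",
    "2026-06-03T01:00:00Z src=203.0.113.9 user=bob ike=v1 auth=password result=reject",
]

def audit_line(line, ioc_ips):
    """Return the reasons a session line needs analyst review (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed line"]
    f = m.groupdict()
    ts = datetime.fromisoformat(f["ts"].replace("Z", "+00:00"))
    reasons = []
    if f["src"] in ioc_ips:
        reasons.append("source address in advisory IOC list")
    if ts >= EARLIEST_EXPLOITATION and f["ike"] == "v1" and f["result"] == "accept":
        reasons.append("IKEv1 session accepted inside exploitation window")
    if f["result"] == "accept" and f["auth"] != "machine-cert":
        reasons.append("session accepted without machine certificate")
    return reasons

def audit(lines, ioc_ips=IOC_IPS):
    """Pair every flagged line with its reasons, skipping clean lines."""
    return [(l, r) for l in lines if (r := audit_line(l, ioc_ips))]

def is_known_binary(data: bytes) -> bool:
    """True if the file content hashes to an advisory-listed MD5."""
    return hashlib.md5(data).hexdigest() in IOC_MD5
```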
