Check Point has warned of an active exploit of a critical vulnerability affecting Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol.
Vulnerability, tracked as CVE-2026-50751 (CVSS Score: 9.3), is a logic flow vulnerability in certificate authentication that allows an unauthorized remote attacker to bypass user authentication and establish a remote VPN connection without a valid user password.
“By exploiting a logical flaw in certificate authentication, an attacker can establish a VPN session without having a valid password, effectively bypassing authentication requirements,” Check Point said. “Additional post-authentication work is required to access internal resources or escalate privileges.”
The outage affects the following products and versions –
- Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS)
- Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X
Successful exploitation requires the following conditions to be met –
- VPN Remote Access or Mobile Access is enabled
- IKEv1 is enabled for remote access
- Gateways accept legacy Remote Access clients
- Gateways do not require a machine certificate to connect
An Israeli cybersecurity company said it first noticed indications of suspicious activity on June 4, 2026, with the latest exploit seen since May 7, 2026. Exploit attempts are said to have increased significantly since this month.
The exploit, Check Point added, was limited to “a few targeted organizations around the world.” In one case, the post-exploit phase was linked to the Qilin ransomware affiliate.
“We believe that this infrastructure is used by malicious actors to exploit other VPN-related vulnerabilities like the one published by Palo Alto. [Networks]Fortinet, and F5,” it noted. “We identified indicators that suggest the actor may be using the Tox protocol to communicate, a pattern often associated with financially motivated ransomware actors.”
The main feature is the use of a virtual private server (VPS) to run the attack. Specifically, this involves relying on VPS servers deployed in a specific country to target organizations within their borders. Once access was gained, attackers were found to be attempting to download malicious ELF files from actor-controlled infrastructure.
Some aspects of these efforts are consistent with a report from Ctrl-Alt-Intel last month, which highlighted the ransomware team’s abuse of corporate VPN devices to gain access to them for the first time.
Further review of the affected VPN components revealed a second vulnerability, CVE-2026-50752 (CVSS score: 7.40), which could allow adversary-in-the-middle (AitM) attacks on site-to-site VPN connections. There is no evidence that the flaw has been exploited in real-world attacks.
