Check Point, a prominent name in cybersecurity, has raised alarms about the active exploitation of a severe vulnerability impacting Remote Access VPN and Mobile Access setups utilizing the obsolete IKEv1 key exchange protocol. This vulnerability is cataloged as CVE-2026-50751 and has been assigned a CVSS score of 9.3, indicating its critical nature.
Details of the Exploited Vulnerability
The flaw identified by Check Point is a logic weakness in certificate validation. It allows an unauthenticated remote attacker to bypass user authentication and establish a VPN connection without a valid user password. Bypassing authentication alone does not give the attacker access to internal systems or elevated privileges; further post-authentication activity is required for that.
Products and versions affected by this vulnerability include Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, and older versions such as R81.10, R81, and R80.40. Also affected are the Spark Firewalls: R80.20.X, R81.10.X, and R82.00.X.
Exploitation Conditions and Observations
Exploitation of this vulnerability necessitates specific conditions: VPN Remote Access or Mobile Access must be enabled, IKEv1 must be active for remote access, legacy Remote Access clients must be accepted, and no machine certificate should be required for connections. Check Point first detected suspicious activities on June 4, 2026, though the exploitation commenced much earlier, around May 7, 2026, with a significant increase in activity noted this month.
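The two lists above (affected builds and the four exploitation preconditions) combine naturally into a triage check. The following Python helper is an added example written for this article, not Check Point code or tooling: it applies the version thresholds and preconditions from the text to a hypothetical gateway inventory. The record field names (product, version, jumbo_take, remote_access_enabled, and so on) and the sample records are constructed assumptions, not Check Point's configuration schema.

```python
"""Triage helper for the CVE-2026-50751 exposure conditions described above.

The inventory schema and sample records below are constructed for this
example; they are not Check Point's own configuration or export format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Gateway releases where Jumbo Hotfix Take <= the listed value is affected.
AFFECTED_GATEWAY_TAKES: Dict[str, int] = {"R82.10": 19, "R82": 103, "R81.20": 141}
# Older gateway releases named as affected regardless of take.
AFFECTED_GATEWAY_ALL = {"R81.10", "R81", "R80.40"}
# Spark firewall release lines named as affected (R80.20.X, R81.10.X, R82.00.X).
AFFECTED_SPARK_PREFIXES = ("R80.20.", "R81.10.", "R82.00.")


@dataclass
class Gateway:
    """One inventory record (hypothetical schema)."""
    name: str
    product: str                  # "gateway" or "spark"
    version: str
    jumbo_take: Optional[int]     # None when unknown (Spark builds have none)
    remote_access_enabled: bool   # VPN Remote Access or Mobile Access enabled
    ikev1_remote_access: bool     # IKEv1 active for remote access
    legacy_clients_accepted: bool # legacy Remote Access clients accepted
    machine_cert_required: bool   # machine certificate required for connections


def version_affected(gw: Gateway) -> bool:
    """True when the build falls inside the affected ranges from the advisory summary."""
    if gw.product == "spark":
        return gw.version.startswith(AFFECTED_SPARK_PREFIXES)
    if gw.version in AFFECTED_GATEWAY_ALL:
        return True
    max_take = AFFECTED_GATEWAY_TAKES.get(gw.version)
    if max_take is None:
        return False
    # An unknown take on an affected release line is treated as unpatched (conservative).
    return gw.jumbo_take is None or gw.jumbo_take <= max_take


def exploitation_conditions_met(gw: Gateway) -> bool:
    """All four preconditions listed in the text must hold at once."""
    return (gw.remote_access_enabled
            and gw.ikev1_remote_access
            and gw.legacy_clients_accepted
            and not gw.machine_cert_required)


def assess(gw: Gateway) -> str:
    """Classify a gateway for patch/config prioritisation."""
    affected = version_affected(gw)
    reachable = exploitation_conditions_met(gw)
    if affected and reachable:
        return "EXPOSED"        # affected build and preconditions met: patch first
    if affected:
        return "PATCH"          # affected build; preconditions currently block the path
    if reachable:
        return "REVIEW_CONFIG"  # patched, but legacy IKEv1 remote-access exposure remains
    return "OK"


def triage(inventory: List[Gateway]) -> Dict[str, str]:
    """Map gateway name -> classification, for the whole inventory."""
    return {gw.name: assess(gw) for gw in inventory}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Gateway("gw-edge-01", "gateway", "R82.10", 19, True, True, True, False),
    Gateway("gw-edge-02", "gateway", "R82.10", 20, True, True, True, False),
    Gateway("gw-dc-01", "gateway", "R81.20", 141, True, True, True, True),
    Gateway("spark-branch-07", "spark", "R81.10.05", None, True, True, True, False),
    Gateway("gw-lab-01", "gateway", "R82", 104, False, False, False, True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:16} {verdict}")
```

The ordering of verdicts is deliberate: an affected build with all four preconditions met is the only case matching the exploitation path described, but an affected build whose preconditions are not currently met still needs the fix, since a later configuration change would make it reachable.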
The attacks have primarily targeted a limited number of organizations worldwide. In at least one incident, the exploitation was linked to a Qilin ransomware affiliate, suggesting a broader pattern of financially driven cyber threats. Check Point also suspects the use of the Tox protocol for communication by these threat actors, which is a common tactic among ransomware operators.
Infrastructure and Additional Vulnerabilities
The attackers operate from virtual private server (VPS) infrastructure, often choosing servers geolocated in specific countries to target organizations within those regions. After gaining initial access, they attempt to download malicious ELF files from infrastructure under their control.
In further examinations, a secondary vulnerability, CVE-2026-50752, was discovered. This flaw, with a CVSS score of 7.40, could enable adversary-in-the-middle attacks on VPN site-to-site connections. However, there is currently no evidence indicating this vulnerability has been exploited in real-world scenarios.
The situation underscores the ongoing threat landscape faced by organizations relying on outdated protocols and highlights the importance of staying updated with security patches and employing robust network security measures.
