Check Point Research has identified the active exploitation of a significant security flaw, CVE-2026-50751, affecting Check Point’s Remote Access VPN and Mobile Access products. This vulnerability, rated 9.3 on the CVSS scale, is being used by cybercriminals associated with the Qilin ransomware group to compromise systems.
Vulnerability Details and Impact
The vulnerability targets configurations using the outdated IKEv1 key exchange protocol. Exploiting a weakness in certificate validation, attackers can initiate a VPN session without a valid password, bypassing authentication entirely. The affected products include Mobile Access/SSL VPN, Remote Access VPN, and Spark Firewall, spanning versions from R80.20.X to R82.10.
While the initial breach occurs through this authentication bypass, further actions are necessary for attackers to access internal systems or elevate privileges. Check Point began investigating on June 4, 2026, following unusual activity, with exploitation efforts traced back to May 7, 2026.
Exploitation and Response
Exploitation incidents surged in early June 2026, impacting several dozen organizations worldwide. Security teams are advised to prioritize forensic audits of logs and review configurations from the earliest observed exploitation date. The attackers are believed to be financially motivated, deploying Qilin Linux ransomware binaries and attempting to download malicious ELF files from their controlled infrastructure.
The threat actors likely use the Tox protocol for command-and-control, a method frequently linked to ransomware operations. The same attackers are suspected of exploiting VPN vulnerabilities in products by Palo Alto, Fortinet, and F5. Their infrastructure was found across hosting services such as Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with server locations often matching those of the victims.
Related Vulnerability and Mitigation Measures
During the investigation of CVE-2026-50751, a related flaw, CVE-2026-50752, was discovered by Check Point’s AI code security platform, BLAST. This vulnerability affects IKEv1 certificate validation, potentially enabling man-in-the-middle attacks on site-to-site VPN communications. While not yet exploited, customers are strongly advised to apply updates promptly.
Check Point recommends immediate application of its hotfix for affected Security Gateways. Those unable to patch immediately should consider disabling support for legacy remote access clients, moving remote access authentication to IKEv2, enforcing machine certificate authentication, and enabling IPS with the latest signatures.
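A log-triage example for the forensic audit recommended above, added here and not Check Point's own tooling: it flags IKEv1 sessions that were established without a password factor on or after the earliest observed exploitation date, and groups them by source peer. The key=value record format and the sample lines are constructed for illustration and are an assumption, not Check Point's actual log schema.

```python
# Added example, not Check Point's code: triage constructed VPN session records
# for the pattern described above (IKEv1 sessions, no password factor, within
# the exploitation window starting 2026-05-07). The record format below is an
# assumption for illustration, not Check Point's actual log schema.
from collections import defaultdict
from datetime import date

EARLIEST_EXPLOITATION = date(2026, 5, 7)   # earliest exploitation date from the advisory
LEGACY_KEY_EXCHANGE = "IKEv1"

# Constructed sample records: key=value pairs, one session per line.
SAMPLE_LOG = """\
time=2026-05-06 ike=IKEv1 auth=password user=alice src=203.0.113.5
time=2026-05-08 ike=IKEv1 auth=certificate user=svc-backup src=198.51.100.9
time=2026-05-09 ike=IKEv2 auth=certificate user=bob src=192.0.2.44
time=2026-06-02 ike=IKEv1 auth=certificate user=admin src=198.51.100.9
time=2026-06-03 ike=IKEv1 auth=certificate user=svc-backup src=198.51.100.9
"""

def parse_record(line):
    """Turn 'k=v k=v ...' into a dict, with the timestamp parsed to a date."""
    fields = dict(part.split("=", 1) for part in line.split())
    y, m, d = (int(x) for x in fields["time"].split("-"))
    fields["time"] = date(y, m, d)
    return fields

def suspicious_sessions(log_text, since=EARLIEST_EXPLOITATION):
    """Return records matching the bypass pattern: IKEv1 key exchange, no
    password factor, on or after the earliest observed exploitation date."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec["ike"] == LEGACY_KEY_EXCHANGE
                and rec["auth"] != "password"
                and rec["time"] >= since):
            hits.append(rec)
    return hits

def sources_to_investigate(log_text):
    """Group suspicious sessions by source IP so analysts can prioritise peers
    that repeatedly established IKEv1 sessions without a password. This is a
    triage list, not a verdict: legitimate machine-certificate logins match too."""
    by_src = defaultdict(set)
    for rec in suspicious_sessions(log_text):
        by_src[rec["src"]].add(rec["user"])
    return {src: sorted(users) for src, users in by_src.items()}

if __name__ == "__main__":
    for src, users in sources_to_investigate(SAMPLE_LOG).items():
        print(f"{src}: IKEv1 no-password sessions as {', '.join(users)}")
```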
