Executive Summary

    On June 8th 2026, Check Point Research identified two CVEs (CVE-2026-50751, CVE-2026-50752) which can be abused to bypass Check Point VPN authentication services, allowing threat actors to access network devices and traffic behind the VPN. These vulnerabilities were found under active exploitation in the wild by attackers whom Check Point Research attributes with medium confidence to Qilin ransomware affiliates.

    This vulnerability affects Check Point Remote Access VPN and Mobile Access endpoints that are configured to use IKEv1 for their key exchange. At the time of writing, the control plane is unaffected by attackers who have exploited this vulnerability; however, resources behind the VPN would be accessible to attackers who successfully exploit it.

    Affected Systems or Products

    Product: Mobile Access / SSL VPN, Remote Access VPN, Spark Firewall
    Affected Version: R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, R82.10
    Fixed Version: sk185033

    Product: Security Gateways, Spark Firewall
    Affected Version: R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, R82.10
    Fixed Version: sk185035

    A given device will be affected if the following configurations are applied:

    • VPN Remote Access or Mobile Access is enabled

    • VPN site-to-site is enabled

    • IKEv1 is enabled for remote access

    • Gateways accept legacy Remote Access clients

    • Gateways do not demand a machine certificate for connections

    • Gateways participating in the VPN community use certificate-based authentication

    • Pre-shared key authentication remains unaffected

    • Gateways are not dynamic

    • The community is not a Large Scale VPN (LSV) community.

    It should be noted that IKEv1 is deprecated.

    Mitigations / Workarounds

    Active exploitation has been confirmed in the wild, and Check Point has released hotfixes for the two vulnerabilities, sk185003 and sk185035. Affected organizations should apply these patches as soon as possible.

    If applying the hotfix is not an immediate option, Check Point Research has advised disabling IKEv1 for all Check Point Security Gateways and Remote Access communities. This can be done in the Check Point SmartConsole under VPN Community, Encryption > General > Encryption Method, ensuring IKEv2 is the only accepted key exchange.

    Check Point also advises removing support for legacy Remote Access client connections to Check Point VPNs: in the Check Point SmartConsole, open the Security Gateway object properties, select VPN Clients > Authentication, and uncheck “Allow older clients to connect to this gateway” on any affected devices.

    Finally, Check Point recommends configuring mandatory certificate authentication, also in the SmartConsole: under the Security Gateway properties, select VPN Clients > Authentication, then select Mandatory under Machine Certificate Authentication.

    Patches

    Check Point recommends updating all affected Security Gateways to the subsequently released hotfix. Hotfixes are offered for versions R81.20, R82, and R82.10. The hotfix versions are as follows:

    Hotfix Version Numbers

    R82.10 Jumbo Hotfix Accumulator Take 19

    R82.10 Jumbo Hotfix Accumulator Take 6

    R82 Jumbo Hotfix Accumulator Take 103

    R82 Jumbo Hotfix Accumulator Take 91

    R81.20 Jumbo Hotfix Accumulator Take 141

    R81.20 Jumbo Hotfix Accumulator Take 127

    R81.20 Jumbo Hotfix Accumulator Take 120

    R81.20 Jumbo Hotfix Accumulator Take 113

    Indicators of Compromise

    Check Point Research has medium confidence that the attacker is affiliated with Qilin, as they use the Qilin ransomware toolkit. Qilin is financially motivated and may be exploiting other VPN vulnerabilities, including the ones published recently by Palo Alto, Fortinet, and F5. Check Point Research reported the use of the TOX protocol for communications. They also found that the actor was using a dedicated VPS to orchestrate the attacks, with the IPs leading back to Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. The following IoCs are associated with Qilin Linux ransomware binaries and with the servers from which the threat actor tried to download malicious second-stage payloads:

    File Hashes

    52fda5c1b9704544f32ee98d9060e689

    51d39aa39478beeac94f2d12f682ecce

    Technical Details

    No in-depth technical details or public proof-of-concept exploit code samples were available at the time of writing. Official documentation from Check Point describes the root flaw as a “logic flow weakness in the Remote Access and Mobile Access certificate validation.”

    It should be noted that the vulnerability would grant threat actors network access to VPN-connected resources, and that follow-up exploitation would vary greatly depending on what a given organization has internally connected to the VPN.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.