Check Point IKEv1 VPN Authentication Bypass Exploitation and Response

Attackers are actively exploiting **CVE-2026-50751** in **Check Point Remote Access VPN** and **Mobile Access** deployments that still rely on **deprecated IKEv1**. The flaw is an authentication bypass that lets an unauthenticated remote attacker establish a remote access VPN session without a valid user password when exposed gateways accept legacy remote access clients and do not require a machine certificate. Available evidence places the earliest exploitation on **May 7, 2026**, with suspicious activity observed by **June 4** and a broader increase in activity during early June. The activity has been described as targeted rather than indiscriminate, with impact confirmed at **a few dozen organizations globally**. In at least one intrusion, the post-exploitation phase was associated with a **Qilin** ransomware affiliate, showing that initial VPN access can progress into follow-on compromise. During the response, **Check Point** also disclosed **CVE-2026-50752**, a related certificate-validation weakness affecting **site-to-site VPN** connections, but available evidence does not show real-world exploitation of that second issue. Security updates are available for affected **Security Gateways** and **Spark Firewalls**, and urgent mitigation guidance focuses on removing legacy remote access client support, switching Remote Access VPN authentication to **IKEv2 only**, requiring **Machine Certificate Authentication**, and enabling **IPS** signatures where immediate patching is not possible. The urgency increased further after **CVE-2026-50751** was added to the **Known Exploited Vulnerabilities** catalog with a **2026-06-11** remediation deadline for affected federal agencies. The exposure story therefore combines live exploitation, a limited but confirmed set of targeted victims, and a narrow set of legacy configuration conditions that defenders can audit and harden immediately. What remains unclear in available material is the full victim list, how many compromised environments progressed beyond initial VPN access, and whether any actor beyond the noted **Qilin**-linked post-exploitation case has operationalized the flaw.