"An attacker can bypass user authentication by exploiting a logic flow weakness in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password," Check Point said.
CVE-2026-50751: a critical auth bypass in IKEv1 deployments
Check Point on June 8 disclosed CVE-2026-50751, a critical authentication bypass flaw in its Remote Access VPN and Mobile Access solutions. The vulnerability, given a CVSS score of 9.3, affects deployments that are configured to use the deprecated IKEv1 key exchange protocol. According to Check Point, the bug stems from a logic flow weakness in certificate validation that can allow an attacker to establish a remote access VPN connection without supplying a valid user password.
Observed exploitation, timeline, and attribution
Check Point reported that the vulnerability has been exploited in the wild since May 7, with exploitation attempts increasing in early June. The vendor launched an investigation on June 4 and said attacks to date have been limited to a "few dozen targeted organizations" worldwide. In one documented case, an affiliate of the Qilin ransomware group exploited CVE-2026-50751 during "post-compromise activity."
On attribution, Check Point wrote that it assesses with "medium confidence" that the actor behind CVE-2026-50751 is financially motivated and "uses Qilin ransomware." The vendor also said it believes the threat actor's infrastructure is being used to exploit other VPN-related vulnerabilities published by vendors including Palo Alto, Fortinet and F5.
Infrastructure and tactics: VPS hosting and deprecated IKEv1
Check Point said the affiliate used dedicated virtual private server (VPS) infrastructure to carry out the attacks. Some of the IP addresses observed by the vendor were hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. The use of dedicated VPS infrastructure and the targeting of IKEv1-configured deployments were central to the observed exploitation pattern.
CVE-2026-50752: a secondary certificate-validation issue
While investigating CVE-2026-50751, Check Point discovered a second vulnerability, CVE-2026-50752, which it scored at 7.4. This issue also impacts certificate validation in deprecated IKEv1 key exchange; Check Point warned it "may allow man-in-the-middle interference with site-to-site VPN communications under specific conditions." The vendor added that it has not observed exploitation of CVE-2026-50752 in the wild but advised customers to apply updates to mitigate potential exposure.
What this means for security teams, procurement leaders, and affected enterprises
- Security teams and technologists: prioritize applying the published hotfixes immediately for affected products and review VPN configurations for continued use of deprecated IKEv1. Monitor logs for unauthorized remote access and look for indicators of the post-compromise activity described by Check Point.
- Procurement and network-architecture leaders: evaluate whether any deployed VPN endpoints still rely on IKEv1 and consider migration plans away from deprecated key-exchange protocols to reduce exposure to certificate-validation flaws.
- Affected enterprises and incident responders: because Check Point observed exploitation beginning May 7 and noted a cluster of "few dozen" targeted organizations, organizations that use the affected Remote Access and Mobile Access solutions should assume potential compromise if IKEv1 was in use and investigate accordingly.
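For the configuration review in the first bullet above, one way to find flows that still negotiate IKEv1 in a packet capture is to read the major-version nibble of the IKE header on UDP 500/4500. This is an added example, not code from Check Point's advisory; the function names, the sample packets and the documentation-range IP addresses are constructed, and it only identifies the protocol version in use, not exploitation of either CVE.

```python
import struct

# Exchange-type numbers: RFC 2408/2409 for IKEv1, RFC 7296 for IKEv2.
IKEV1_EXCHANGES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# cookies (8+8), next payload, version, exchange type, flags, message ID, length = 28 bytes
HEADER = struct.Struct("!8s8sBBBBII")

def classify_ike(payload, udp_port=500):
    """Return (major_version, exchange_name) for one UDP payload, or None if it is not IKE."""
    if udp_port == 4500:
        # NAT-T: IKE follows a 4-byte all-zero non-ESP marker; anything else is ESP or a keepalive.
        if payload[:4] != b"\x00" * 4:
            return None
        payload = payload[4:]
    if len(payload) < HEADER.size:
        return None  # truncated capture
    _ic, _rc, _next, version, exchange, _flags, _msgid, length = HEADER.unpack_from(payload)
    major = version >> 4  # high nibble is the major version: 1 = IKEv1, 2 = IKEv2
    if major not in (1, 2) or length < HEADER.size:
        return None
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return major, names.get(exchange, f"unknown({exchange})")

def ikev1_flows(packets):
    """packets: iterable of (src_ip, dst_ip, udp_port, payload). Map each IKEv1 flow to its exchanges."""
    flows = {}
    for src, dst, port, payload in packets:
        result = classify_ike(payload, port)
        if result and result[0] == 1:
            flows.setdefault((src, dst), set()).add(result[1])
    return flows

def sample_packet(version, exchange, marker=b""):
    # Constructed header-only packet for the demo; cookie bytes are arbitrary.
    return marker + HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange, 0, 0, HEADER.size)

# Constructed capture using documentation-range addresses (RFC 5737).
SAMPLE_CAPTURE = [
    ("198.51.100.7", "192.0.2.10", 500, sample_packet(0x10, 2)),
    ("198.51.100.7", "192.0.2.10", 4500, sample_packet(0x10, 4, b"\x00" * 4)),
    ("198.51.100.9", "192.0.2.20", 500, sample_packet(0x20, 34)),
    ("198.51.100.9", "192.0.2.20", 4500, b"\xde\xad\xbe\xef" + b"\x00" * 40),  # ESP, not IKE
]

if __name__ == "__main__":
    for flow, exchanges in ikev1_flows(SAMPLE_CAPTURE).items():
        print(flow, sorted(exchanges))
```

Any flow this reports is a tunnel or client still configured for IKEv1 and belongs on the patch and migration list.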
Check Point's advisory closes with a clear operational step: customers are urged to update all affected products with the published hotfix. The vendor's findings — active exploitation tied to a Qilin affiliate, the reuse of VPS infrastructure hosted by named providers, and a belief that the same actor is targeting VPN flaws across multiple vendors — together underscore the immediate, cross-product risk posed by legacy protocol configurations. For organizations that still run IKEv1, the combination of a high-severity bypass (CVE-2026-50751) and a separate certificate-validation weakness (CVE-2026-50752) offers a concrete signal: patch now, and re-evaluate any reliance on deprecated VPN key exchange mechanisms.




