
Check Point Discloses Zero-Day Flaw Exploited by Ransomware Groups


"We have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days," Check Point VP of research Lotem Finkelstein wrote — a succinct admission that attackers moved on a weakness before a vendor patch was available.

CVE-2026-50751: an authentication-bypass in Remote Access and Mobile Access

Check Point released an emergency fix on Monday for CVE-2026-50751, a critical authentication bypass that affects Remote Access VPN and Mobile Access deployments. The vendor says the root cause is a logic-flow weakness in the certificate validation process. That weakness can allow a remote attacker to bypass authentication and establish a remote access VPN connection without a user password.

The advisory names the affected components precisely: Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls that are configured to use the deprecated IKEv1 key exchange protocol. Check Point provided hotfixes and alternative mitigation options, and urged customers running vulnerable gateways and firewalls to apply them.

CVE-2026-50752: a site-to-site man-in-the-middle risk discovered during the probe

While investigating CVE-2026-50751 and the affected VPN components, Check Point discovered a second flaw, CVE-2026-50752. This vulnerability resides in the certificate validation logic of the deprecated IKEv1 key exchange method on Security Gateways and Spark Firewall products, and it can lead to man-in-the-middle attacks against VPN site-to-site configurations.

Check Point reports it has not received any reports of in-the-wild exploitation of CVE-2026-50752, but included the bug in its advisories and mitigation guidance alongside the emergency fix for CVE-2026-50751.

Timeline and observed exploitation: May 7 to early June

According to Check Point, exploitation attempts against CVE-2026-50751 began on May 7 and activity picked up in early June. The vendor says it spotted suspicious activity and began investigating the zero-day on June 4. The gap between first observed attacks and the emergency remediation means, in Check Point’s account, attackers had roughly a month-long window to exploit the flaw.

Investigators saw exploitation limited to "several dozen" targeted organizations globally, and observed post-compromise activity in at least one case that the vendor associates with a Qilin ransomware affiliate. Lotem Finkelstein additionally warned that the same ransomware affiliate is likely exploiting other VPN-related vulnerabilities in Palo Alto Networks, Fortinet, and F5 products.

Indicators, logs and the vendor’s recommended hunt window

Check Point published a list of indicators of compromise with its advisories. The vendor included attacker IP addresses and recommended that customers search Check Point SmartConsole logs for possible VPN certificate authentication attempts tied to the observed attacker infrastructure and certificate subject names.

The recommended log review window is explicit: customers should examine events for at least May 7 through June 5. That guidance reflects the vendor’s timeline of initial activity and the period when exploitation reportedly increased.
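The hunt the advisory describes is a two-part filter: restrict to the review window, then match each VPN certificate-authentication event against the published indicators (attacker IP addresses and certificate subject names). The script below is an added example, not Check Point's tooling, and it assumes a hypothetical JSON export with `time`, `src`, `cert_subject` and `action` fields; real SmartConsole exports have their own schema, so the field names would need adapting. The indicator values and log lines are constructed placeholders, not the vendor's IoCs. Because the guidance says to review "at least" May 7 through June 5, matches outside that window are reported separately rather than dropped.

```python
"""Hunt helper for the advisory's log-review window (added example, not vendor code).

Assumptions (not from the advisory):
  - one JSON object per line with "time" (ISO 8601), "src" (client IP),
    "cert_subject" (certificate subject string) and "action";
  - the IoC sets below stand in for the vendor's published list; the values
    are constructed placeholders (TEST-NET addresses, dummy subject).
"""
import ipaddress
import json
from datetime import datetime, timezone

# Review window stated in the advisory: at least May 7 through June 5 (2026).
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 5, 23, 59, 59, tzinfo=timezone.utc)

# Constructed placeholders standing in for the vendor's published indicators.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}          # RFC 5737 test addresses
IOC_CERT_SUBJECTS = {"CN=placeholder-attacker-subject"}

# Constructed sample export in the hypothetical schema described above.
SAMPLE_LOG = """\
{"time": "2026-05-06T23:10:00Z", "src": "203.0.113.10", "cert_subject": "CN=placeholder-attacker-subject", "action": "accept"}
{"time": "2026-05-08T02:14:33Z", "src": "203.0.113.10", "cert_subject": "CN=alice", "action": "accept"}
{"time": "2026-05-20T11:00:01Z", "src": "192.0.2.55", "cert_subject": "CN=placeholder-attacker-subject", "action": "accept"}
{"time": "2026-05-21T09:30:00Z", "src": "192.0.2.88", "cert_subject": "CN=bob", "action": "accept"}
{"time": "2026-06-06T00:00:05Z", "src": "198.51.100.7", "cert_subject": "CN=carol", "action": "accept"}
"""


def parse_event(line: str) -> dict:
    """Parse one JSON log line and attach a timezone-aware datetime as "ts"."""
    event = json.loads(line)
    # fromisoformat() accepts "Z" only on newer Pythons; normalise it first.
    event["ts"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
    return event


def in_window(ts: datetime, start: datetime = WINDOW_START, end: datetime = WINDOW_END) -> bool:
    """True when the event falls inside the vendor's recommended review window."""
    return start <= ts <= end


def ioc_matches(event: dict, ioc_ips=IOC_IPS, ioc_subjects=IOC_CERT_SUBJECTS) -> list:
    """Return the reasons an event matches the indicator list (empty list if none)."""
    reasons = []
    raw_src = event.get("src", "")
    # Canonicalise the address (IPv6 case and zero-compression) before comparing;
    # a value that is not an IP address is left as-is and simply fails to match.
    try:
        src = str(ipaddress.ip_address(raw_src))
    except ValueError:
        src = raw_src
    if src in ioc_ips:
        reasons.append("src_ip")
    if event.get("cert_subject") in ioc_subjects:
        reasons.append("cert_subject")
    return reasons


def hunt(log_text: str, start=WINDOW_START, end=WINDOW_END,
         ioc_ips=IOC_IPS, ioc_subjects=IOC_CERT_SUBJECTS):
    """Split indicator hits into those inside the window and those outside it.

    The window is a minimum ("at least"), so out-of-window hits are kept and
    returned separately as candidates for a wider review, not discarded.
    """
    inside, outside = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_event(raw)
        reasons = ioc_matches(event, ioc_ips, ioc_subjects)
        if not reasons:
            continue
        hit = {
            "time": event["time"],
            "src": event.get("src"),
            "cert_subject": event.get("cert_subject"),
            "reasons": reasons,
        }
        (inside if in_window(event["ts"], start, end) else outside).append(hit)
    return inside, outside


if __name__ == "__main__":
    in_hits, out_hits = hunt(SAMPLE_LOG)
    for hit in in_hits:
        print("IN WINDOW :", hit)
    for hit in out_hits:
        print("OUTSIDE   :", hit)
```

Run as-is it reports two in-window hits (one by source IP, one by certificate subject) and two hits just outside the window that merit a second look. Swapping `SAMPLE_LOG` for a real export and the two IoC sets for the vendor's published list is the only change needed, provided the field names match.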

What this means for technologists and security teams, affected enterprises and ransomware groups

  • Technologists and security teams: Apply the emergency hotfixes and the alternative mitigations Check Point published; search SmartConsole logs for the May 7–June 5 window and compare against the vendor’s indicators of compromise and attacker IP list.
  • Affected enterprises and procurement leaders: Identify Remote Access, Mobile Access, and Spark Firewall instances using deprecated IKEv1 and prioritize patching or mitigation for those systems; expect to consult the vendor advisories for configuration-specific instructions.
  • Adversaries and ransomware affiliates: Check Point observed at least one instance of post-compromise activity tied to a Qilin ransomware affiliate, and the vendor warned that the same actors may be exploiting VPN-related flaws across other vendors’ products.

Check Point’s sequence — initial detection, a public admission that exploitation was limited but occurred, and a bundled discovery of a second related vulnerability — leaves a clear, practical imperative: organizations with the named products and any use of deprecated IKEv1 should treat the vendor’s hotfixes and log-search window as operational priorities. For defenders, the path is explicit; for attackers, the advisories confirm what targeted exploitation can yield.

Original story: https://www.theregister.com/cyber-crime/2026/06/08/attackers-had-month-long-head-start-on-patched-check-point-vpn-zero-day/5252438