The attacks began on May 7, surged in early June, and have affected only "a few dozen" organizations worldwide, with at least one incident linked to the Qilin ransomware operation.
CVE-2026-50751: an authentication bypass in legacy IKEv1 Remote Access and Mobile Access
Israeli cybersecurity firm Check Point released security updates after detecting active exploitation of a critical vulnerability it tracked as CVE-2026-50751. "Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol," the company warned.
According to Check Point, an unauthenticated, remote attacker can exploit the flaw to bypass authentication on targeted Mobile Access / SSL VPNs, Remote Access VPNs, or Spark firewalls and establish a remote access VPN connection. The vendor emphasized the flaw affects only deployments that are configured to use the deprecated IKEv1 key exchange protocol, where security gateways accept legacy Remote Access clients and do not require a machine certificate for connections.
Observed exploitation: limited scale but confirmed ransomware connection
Check Point said exploitation was limited to "a few dozen targeted organizations globally." The company additionally reported that one observed case involved "confirmed post-compromise activity associated with Qilin ransomware affiliate." The timeline the vendor provided (activity starting May 7 and intensifying in early June) puts the discovery and response shortly after the attacks first appeared in the wild.
CVE-2026-50752: certificate-validation weakness found during the investigation
While investigating CVE-2026-50751, Check Point discovered a second vulnerability, tracked as CVE-2026-50752. That second issue affects certificate validation in deprecated IKEv1 key exchange and can be exploited in man-in-the-middle attacks on site-to-site VPN connections. Check Point reported it has not yet found evidence of CVE-2026-50752 exploitation in the wild, but advised customers to apply updates to mitigate potential exposure.
Security updates and practical mitigations from Check Point
Check Point released security updates to patch CVE-2026-50751 and advised immediate application of those updates. For organizations unable to patch immediately, the company published specific mitigation steps intended to reduce exposure while a fix is applied:
- Remove support for the legacy remote access client.
- Configure global properties for Remote Access VPN Authentication to IKEv2 only.
- Set Machine Certificate Authentication as mandatory.
- Enable IPS and download the signatures.
Check Point "strongly encouraged" customers using IKEv1 key exchange protocol to apply the available security updates immediately.
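The exposure conditions and interim mitigations above can be turned into a triage pass over a gateway inventory. The following is an added example, not Check Point tooling or code from the advisory. The Gateway record, its field names and the sample hosts are assumptions to be mapped from your own configuration export.

```python
from dataclasses import dataclass

@dataclass
class Gateway:  # hypothetical inventory record; field names are assumptions
    name: str
    patched: bool                # vendor security update installed
    remote_access: bool          # Remote Access / Mobile Access VPN enabled
    ra_ikev1: bool               # remote access still allows IKEv1
    legacy_clients: bool         # legacy Remote Access clients accepted
    machine_cert_required: bool  # Machine Certificate Authentication mandatory
    ips_enabled: bool            # IPS on with signatures downloaded
    s2s_ikev1: bool              # a site-to-site tunnel still uses IKEv1

def assess(gw):
    """Return (CVEs the gateway is exposed to, vendor mitigations still open)."""
    cves, todo = [], []
    if gw.patched:
        return cves, todo
    if gw.remote_access:
        if gw.legacy_clients:
            todo.append("remove legacy remote access client support")
        if gw.ra_ikev1:
            todo.append("set Remote Access VPN authentication to IKEv2 only")
        if not gw.machine_cert_required:
            todo.append("make Machine Certificate Authentication mandatory")
        if not gw.ips_enabled:
            todo.append("enable IPS and download the signatures")
        # All three conditions from the advisory must hold for the bypass.
        if gw.ra_ikev1 and gw.legacy_clients and not gw.machine_cert_required:
            cves.append("CVE-2026-50751")
    if gw.s2s_ikev1:
        cves.append("CVE-2026-50752")
    return cves, todo

def triage(inventory):
    """Gateways needing work, actively exploited CVE first, then by name."""
    rows = [(gw.name, *assess(gw)) for gw in inventory]
    rows = [r for r in rows if r[1] or r[2]]
    return sorted(rows, key=lambda r: ("CVE-2026-50751" not in r[1], not r[1], r[0]))

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Gateway("gw-branch", False, True, True, False, True, True, False),
    Gateway("gw-dc", False, False, False, False, False, True, True),
    Gateway("gw-hq", False, True, True, True, False, False, True),
    Gateway("gw-lab", True, True, True, True, False, False, True),
]

if __name__ == "__main__":
    for name, cves, todo in triage(INVENTORY):
        print(name, cves or "not exposed", todo)
```

A gateway such as gw-branch, which still allows IKEv1 but rejects legacy clients and requires machine certificates, falls outside the advisory's stated conditions yet is still listed so the IKEv2-only change is not forgotten.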
What this means for technologists, procurement leaders, and Qilin ransomware affiliates
- Technologists and security teams: Systems configured to accept legacy Remote Access clients and using IKEv1 are explicitly vulnerable; teams must prioritize applying the published patches, or follow Check Point's mitigations—switching authentication to IKEv2, enforcing machine certificates, and enabling IPS signatures—until updates are deployed.
- Procurement and operations leaders at affected enterprises: The advisory ties exposure to specific configuration choices (continued support for IKEv1 and legacy clients). Procurement and operations should review VPN configuration defaults and the use of deprecated key-exchange protocols when approving appliances or remote-access deployments.
- Qilin ransomware affiliates and other adversaries: Check Point confirmed at least one case with post-compromise activity associated with a Qilin affiliate, showing that successful exploitation of a remote-access bypass can lead to downstream ransomware activity. The discovery of a second certificate-validation flaw (CVE-2026-50752) underscores additional avenues attackers could attempt if systems remain on deprecated IKEv1 settings.
The immediate facts are straightforward: Check Point released patches for a critical authentication-bypass bug that applies only to IKEv1 configurations, observed exploitation against a limited set of targets beginning May 7, and linked one confirmed post-compromise case to Qilin ransomware activity. A second, related certificate-validation flaw was found in the same legacy IKEv1 code path and—while not yet seen in the wild—was also recommended for remediation.
For organizations that still accept legacy remote access clients or permit IKEv1, the concrete next step is clear from Check Point's advisory: apply the security updates now, or apply the temporary mitigations the vendor published. Whether CVE-2026-50752 will surface in active exploitation remains an open question the vendor flagged; until that is resolved, the safest posture is to remove reliance on deprecated IKEv1 settings.
Source: Check Point links VPN zero-day attacks to Qilin ransomware gang — BleepingComputer




