
Check Point VPN Flaw Exposed, Bypasses Passwords in IKEv1 Setups


"By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements," Check Point said.

CVE-2026-50751 and the Check Point products affected

Check Point has disclosed a critical vulnerability, tracked as CVE-2026-50751 (CVSS score: 9.3), that impacts Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. The flaw is a logic flaw in certificate validation that lets an unauthenticated remote attacker bypass user authentication and establish a VPN connection without a valid user password. Check Point lists the affected releases and lines explicitly: Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS); and Spark Firewalls R80.20.X (EOS), R81.10.X, and R82.00.X.

Conditions that must be present for an attacker to succeed

Successful exploitation, Check Point says, requires a specific configuration profile. The following conditions must hold:

  • VPN Remote Access or Mobile Access is enabled;
  • IKEv1 is enabled for remote access;
  • Gateways accept legacy Remote Access clients;
  • Gateways do not demand a machine certificate for connections.

Even after a session is established without a password, Check Point notes that "additional post-authentication activity is required to access internal resources or escalate privileges." In short: bypassing the password is only the first step in a broader intrusion chain.

Observed exploitation activity and attacker behavior

Check Point reported first observing indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026. The company says exploitation efforts "ramped up starting this month" and that activity to date has been limited to a "few dozen targeted organizations globally." In one instance the post-exploitation phase has been associated with a Qilin ransomware affiliate.

Analysis by Check Point of the malicious infrastructure revealed several operational patterns: the use of virtual private server (VPS) infrastructure geolocated to a particular country to target organizations within that country's borders; attempts to download malicious ELF files from actor-controlled infrastructure after access was achieved; and indicators suggesting use of the Tox protocol for communication — a pattern Check Point associates with financially motivated ransomware actors. Check Point also flagged indicators that the actor may be exploiting other VPN-related vulnerabilities published by Palo Alto Networks, Fortinet, and F5. Some aspects of the activity overlap with a report from Ctrl-Alt-Intel last month that highlighted a ransomware crew's abuse of corporate VPN appliances for initial access.

CVE-2026-50752: a second issue affecting site-to-site VPNs (no evidence of exploitation)

During additional review of the affected VPN components, Check Point identified a second vulnerability, CVE-2026-50752 (CVSS score: 7.40), which may allow an adversary-in-the-middle (AitM) attack on VPN site-to-site connections. Check Point stated there is no evidence this second flaw has been exploited in real-world attacks.

What this means for technologists, affected enterprises, and policymakers

  • Technologists and security teams: Teams responsible for Remote Access and Mobile Access should verify whether Remote Access or Mobile Access is enabled, whether IKEv1 is enabled for remote access, whether gateways accept legacy Remote Access clients, and whether gateways demand machine certificates — the four conditions Check Point says enable exploitation. The specific product releases and hotfix take levels listed by Check Point provide a concrete inventory target for review.
  • Affected enterprises and procurement leaders: Organizations running the named Security Gateway and Spark Firewall versions will be watching the "few dozen targeted organizations globally" note closely, particularly given the reported link to a Qilin ransomware affiliate and the actor practice of geolocating VPS infrastructure to focus attacks on organizations within particular national borders.
  • Policymakers and regulators: The association, in at least one case, between post-exploitation activity and a ransomware affiliate — and the suggestion that actors are chaining multiple VPN flaws across vendors — offers regulators a concrete incident pattern to review when assessing systemic risks tied to legacy protocol use and appliance lifecycle management.
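As an added example (not Check Point's own tooling), the script below triages a constructed gateway inventory against the affected-release matrix and the four exploitation conditions the advisory lists, as summarised in the sections above. The inventory field names and records are assumptions; real values would come from your own management data.

```python
# Added example (not Check Point tooling): triage a gateway inventory against
# the CVE-2026-50751 affected-release matrix and the four exploitation
# conditions from the advisory. Field names and inventory records are constructed.

# Highest Jumbo Hotfix Take still affected; None marks an End-of-Support line,
# where every build is treated as affected.
AFFECTED = {
    "gateway": {"R82.10": 19, "R82": 103, "R81.20": 141,
                "R81.10": None, "R81": None, "R80.40": None},
    "spark": {"R80.20.X": None, "R81.10.X": None, "R82.00.X": None},
}

# All four must hold for the password bypass to work, per the advisory.
CONDITIONS = ("remote_access_enabled", "ikev1_enabled",
              "legacy_clients_accepted", "no_machine_cert_required")

def vulnerable_release(product, release, take=None):
    """True if the build sits inside the advisory's affected matrix."""
    matrix = AFFECTED.get(product, {})
    if release not in matrix:
        return False                      # line not named in the advisory
    max_take = matrix[release]
    if max_take is None:
        return True                       # EOS line: no fixed take exists
    return take is None or take <= max_take   # unknown take: assume worst

def triage(gw):
    """'exploitable', 'patch' (affected build, config blocks bypass) or 'ok'."""
    if not vulnerable_release(gw["product"], gw["release"], gw.get("take")):
        return "ok"
    if all(gw.get(c, False) for c in CONDITIONS):
        return "exploitable"
    return "patch"

# Constructed inventory, not real hosts.
INVENTORY = [
    {"name": "gw-hq", "product": "gateway", "release": "R82", "take": 98,
     "remote_access_enabled": True, "ikev1_enabled": True,
     "legacy_clients_accepted": True, "no_machine_cert_required": True},
    {"name": "gw-dc", "product": "gateway", "release": "R81.20", "take": 150,
     "remote_access_enabled": True, "ikev1_enabled": True,
     "legacy_clients_accepted": True, "no_machine_cert_required": True},
    {"name": "spark-branch", "product": "spark", "release": "R81.10.X",
     "remote_access_enabled": True, "ikev1_enabled": False},
]

if __name__ == "__main__":
    for gw in INVENTORY:
        print(f"{gw['name']}: {triage(gw)}")
```

A build with an unknown take level is treated as affected, so a missing value shows up for review rather than being silently passed.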

Check Point’s advisory frames a narrowly targeted, actively exploited vulnerability chain: bypass the password through a certificate-validation logic flaw, then pursue post-authentication steps to reach internal resources. The record shows early activity in May, broader signals starting in June, and a pattern of actor tradecraft that includes geolocated VPS hosting, ELF payload downloads, and possible reuse of other VPN exploits. Absent from the advisory are public reports of widespread compromise; instead the firm reports a limited, targeted campaign and a second site-to-site vulnerability with no observed exploitation. A remaining, practical question from the facts Check Point published is which specific organizations were targeted and to what operational extent those post-authentication intrusions proceeded.

Original story — The Hacker News