On 8 June 2026, Check Point published an emergency security advisory for CVE-2026-50751 (CVSS 9.3), a critical authentication bypass vulnerability in the IKEv1 protocol — a key-exchange protocol dating from 1998 that has been officially deprecated for years but remains active in thousands of enterprise environments for legacy device compatibility. Active exploitation began on 7 May, escalated in early June, and one documented case is linked with medium confidence to an affiliate of the Qilin ransomware group — the same group that attacked Ahorramas in May. The pattern is identical to Palo Alto CVE-2026-0257 last week: corporate perimeter device, authentication bypass, active exploitation prior to the public advisory. Emergency hotfixes are available for supported versions. EOL versions will not receive a patch.

What do we know about CVE-2026-50751 and the confirmed active exploitation?

Facts documented by Check Point Research, BleepingComputer, The Hacker News, Help Net Security and Dark Reading:

  • Vulnerability: logic flaw in certificate validation for the IKEv1 (Internet Key Exchange v1) protocol in Check Point Remote Access VPN, Mobile Access and Spark Firewalls. An unauthenticated remote attacker can exploit the flaw to establish a VPN session without a valid user password, completely bypassing authentication requirements.
  • CVSS 9.3 (Critical): no authentication required, remotely exploitable. Initial access is the authentication bypass; accessing internal resources or escalating privileges requires additional post-authentication steps.
  • Affected products and versions: Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS) and R80.40 (EOS). Spark Firewalls R80.20.X (EOS), R81.10.X and R82.00.X. Only affects deployments still using IKEv1 that accept legacy Remote Access clients without requiring a machine certificate for connections.
  • Active exploitation since 7 May 2026: Check Point launched its investigation on 4 June following indications of suspicious activity, tracing exploitation back to 7 May. Exploitation attempts escalated notably in early June.
  • Confirmed scale: at the time of the advisory, exploitation had affected a few dozen organisations globally. This is a targeted campaign, not a mass one — implying the targets are high-value organisations.
  • Qilin ransomware: one documented case involves post-compromise activity that Check Point links with medium confidence to a Qilin group affiliate. Qilin is the same ransomware group responsible for the double-extortion attack on Ahorramas covered in May.
  • Second related vulnerability: during the CVE-2026-50751 investigation, Check Point identified CVE-2026-50752 (CVSS 7.4), a flaw in IKEv1 certificate validation that may enable a man-in-the-middle attack on site-to-site VPN connections. No active exploitation has been confirmed, but updating is advised.
  • Emergency hotfixes available: Check Point released emergency hotfixes for supported versions. EOS versions (R81.10, R81, R80.40 and Spark R80.20.X) will not receive a patch.

Why Check Point firewalls with IKEv1 are a target right now

CVE-2026-50751 follows a pattern documented repeatedly on the Apolo blog throughout May and June: corporate perimeter devices — firewalls, VPN appliances, remote access gateways — are the priority target for threat groups in 2026. Four factors explain why:

  1. IKEv1 is a 1998 protocol nobody should still be using, but thousands of companies are. IKEv1 was officially deprecated years ago in favour of IKEv2. But in many enterprise environments it remains active for legacy device compatibility: printers, industrial control systems, corporate IoT, old VPN clients. Nobody disabled it because “it seems to work.” CVE-2026-50751 is the direct consequence of that technical debt.
  2. Check Point Security Gateway is one of the most widely deployed firewall platforms in the Spanish mid-market and enterprise segments. The R80, R81 and R82 series are critical network infrastructure in thousands of Spanish organisations, particularly in banking, insurance, manufacturing and public administration. An authentication bypass on the perimeter firewall is a full perimeter compromise.
  3. The same pattern as Palo Alto CVE-2026-0257, published one week ago. Two market-leading firewalls with actively exploited VPN authentication bypass vulnerabilities in the same month. The 2026 DBIR we analysed last week confirmed it: edge devices are the preferred target because they combine direct internet exposure and high implicit trust.
  4. Qilin as a reference threat actor in Spain. Qilin is the group behind the double-extortion attack on Ahorramas documented in May. Its presence in at least one CVE-2026-50751 exploitation case confirms it operates actively in European environments and can rapidly monetise initial access gained via VPN bypass.

How the attack works: from IKEv1 bypass to unauthorised VPN access

  1. Identifying vulnerable gateways. The attacker identifies Check Point firewalls internet-exposed with IKEv1 enabled (UDP ports 500 and 4500). Shodan and Censys allow identifying such deployments at global scale.
  2. Exploiting the logic flaw in certificate validation. During the IKEv1 key exchange, Check Point validates client certificates to establish user identity before granting VPN access. CVE-2026-50751 is a logic flaw in that validation that lets the attacker pass authentication without presenting valid credentials.
  3. Establishing the unauthorised VPN session. With a successful bypass, the gateway assigns the attacker a VPN session with the access permissions configured for that connection type. The connection appears as legitimate VPN traffic in firewall logs.
  4. Internal network access and lateral movement. With the VPN session established, the attacker has network access to the internal resources the gateway was protecting. In the documented Qilin affiliate case, the next phase was lateral movement and positioning for ransomware deployment.

Key lessons and mitigation checklist for Check Point administrators

Step 1 — Verify whether the environment is vulnerable (immediate):

  • Check whether the Security Gateway has IKEv1 enabled for remote access connections. In SmartConsole: VPN → Remote Access → Global Properties → verify whether IKEv1 is enabled in authentication options.
  • Verify whether gateways accept legacy Remote Access clients without requiring a machine certificate.
  • Check the installed Jumbo Hotfix Take version. Versions below the advisory thresholds are vulnerable.

Step 2 — Apply the emergency hotfix (priority action):

  • Immediately apply the emergency hotfix published by Check Point for affected versions: R82.10 Jumbo Hotfix Take 20 or higher, R82 Jumbo Hotfix Take 104 or higher, R81.20 Jumbo Hotfix Take 142 or higher.
  • EOS versions (R81.10, R81, R80.40, Spark R80.20.X): will not receive a hotfix. The only permanent mitigation is migrating to a supported version.
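The checks in Step 1 and the thresholds in Step 2 can be turned into a single decision per gateway. The following is an added example written for this article, not Check Point's own code: it hard-codes only the Jumbo Hotfix Take thresholds and the EOS list quoted above, and assumes the administrator has read the release, the installed Take and the three Remote Access settings from SmartConsole and the gateway and enters them by hand (the `GatewayFacts` fields and the status names are this example's own).

```python
"""Exposure check for CVE-2026-50751 on a Check Point Security Gateway.

Added example, not Check Point code. PATCHED_TAKE and EOS_RELEASES are the
values quoted in the advisory summary above; GatewayFacts is assumed to be
filled in by the administrator from SmartConsole and the gateway itself.
"""
import re
from dataclasses import dataclass
from typing import Optional

# First patched Jumbo Hotfix Take per supported release (emergency hotfix values).
PATCHED_TAKE = {"R82.10": 20, "R82": 104, "R81.20": 142}
# Releases the advisory lists as End of Support: no hotfix will be published.
EOS_RELEASES = {"R81.10", "R81", "R80.40", "R80.20.X"}


@dataclass
class GatewayFacts:
    release: str                  # e.g. "R82.10"
    take: Optional[int]           # installed Jumbo Hotfix Take, None if not yet checked
    ikev1_enabled: bool           # IKEv1 accepted for Remote Access connections
    legacy_clients: bool          # legacy Remote Access clients accepted
    machine_cert_required: bool   # machine certificate mandatory for connections


def parse_release_string(text):
    """Turn 'R82.10 Jumbo Hotfix Take 19' (or just 'R81.10') into (release, take)."""
    m = re.match(
        r"\s*(R\d+(?:\.\d+)?(?:\.X)?)(?:\s+Jumbo\s+Hotfix\s+Take\s+(\d+))?\s*$",
        text, re.IGNORECASE,
    )
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return m.group(1).upper(), (int(m.group(2)) if m.group(2) else None)


def assess(gw):
    """Return (status, action) for one gateway.

    Statuses: PATCHED, VULNERABLE, UNPATCHED_NOT_EXPOSED, EOS_VULNERABLE,
    EOS_NOT_EXPOSED, UNKNOWN (names are this example's own).
    """
    # The advisory scopes the flaw to deployments that still speak IKEv1 and
    # accept legacy Remote Access clients without a machine certificate.
    exposed = gw.ikev1_enabled and gw.legacy_clients and not gw.machine_cert_required
    if gw.release in EOS_RELEASES:
        if exposed:
            return ("EOS_VULNERABLE",
                    "no hotfix will be released: disable IKEv1 or require machine "
                    "certificates now, then migrate to a supported release")
        return ("EOS_NOT_EXPOSED",
                "current settings do not expose the flaw; still plan the migration")
    if gw.release not in PATCHED_TAKE:
        return ("UNKNOWN", "release not covered by the thresholds quoted here; check the advisory")
    if gw.take is None:
        return ("UNKNOWN", "installed Jumbo Hotfix Take not recorded; check it before deciding")
    needed = PATCHED_TAKE[gw.release]
    if gw.take >= needed:
        return ("PATCHED", f"Take {gw.take} meets the threshold of {needed}")
    if exposed:
        return ("VULNERABLE",
                f"Take {gw.take} < {needed} and IKEv1 legacy access is enabled: "
                "apply the hotfix and review VPN logs from 7 May")
    return ("UNPATCHED_NOT_EXPOSED",
            f"Take {gw.take} < {needed}; current settings do not expose the flaw, "
            "but apply the hotfix anyway")


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    inventory = [
        ("hq-fw01", "R82.10 Jumbo Hotfix Take 19", True, True, False),
        ("dc-fw02", "R82 Jumbo Hotfix Take 104", True, True, False),
        ("branch-fw03", "R81.10", True, True, False),
    ]
    for name, ver, ike, legacy, mcert in inventory:
        rel, take = parse_release_string(ver)
        status, action = assess(GatewayFacts(rel, take, ike, legacy, mcert))
        print(f"{name:12} {status:22} {action}")
```

Run it against your own inventory; any gateway that comes back `VULNERABLE` or `EOS_VULNERABLE` is one whose logs need the Step 4 review regardless of when the hotfix lands.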

Step 3 — Temporary mitigations if the hotfix cannot be applied today:

  • Remove support for legacy Remote Access clients in the gateway configuration.
  • Configure Remote Access VPN Authentication to require IKEv2 only, disabling IKEv1.
  • Set Machine Certificate Authentication as mandatory for all VPN connections.
  • Enable IPS and download the latest signatures that detect CVE-2026-50751 exploitation patterns.

Step 4 — Forensic review (mandatory if the gateway may have been exposed since 7 May):

  • Review VPN connection logs from 7 May onwards for IKEv1-authenticated sessions from unknown IPs or at unusual times.
  • Look for unusual lateral traffic from VPN pool IPs toward internal segments that does not correspond to legitimate users.
  • Check for newly created user accounts, privilege escalations or configuration changes in internal systems dated from May onwards.
  • Coordinate with the SOC team to cross-reference firewall logs against SIEM alerts for the period 7 May – 4 June.
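The first two bullets of Step 4 are a triage you can script. The block below is an added example for this article, not Check Point tooling: the log format is constructed for the demonstration (Check Point's real log schema differs, so the `parse_line` function would need adapting to your export), the "known client" ranges, VPN pool, server segments and business hours are placeholder assumptions, and the sample lines use documentation IP ranges. It flags IKEv1 logins from 7 May onward that come from unknown sources or off-hours, and then any traffic from those sessions' pool addresses into server segments on common lateral-movement ports.

```python
"""Triage of VPN and firewall logs for the CVE-2026-50751 exploitation window.

Added example, not Check Point code. Log lines, network ranges and business
hours are constructed assumptions; adapt parse_line() to your real export.
"""
import ipaddress
from datetime import datetime, time

# Exploitation is documented from 7 May 2026 onward.
EXPLOIT_WINDOW_START = datetime(2026, 5, 7)
# Assumed: source ranges your legitimate remote users normally connect from.
KNOWN_CLIENT_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed: address pool the gateway assigns to VPN clients.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")
# Assumed: internal segments that remote users rarely need to reach directly.
SERVER_SEGMENTS = [ipaddress.ip_network("10.10.5.0/24")]
# Ports commonly used for lateral movement (SMB, RDP, RPC, WinRM).
LATERAL_PORTS = {445, 3389, 135, 5985}
BUSINESS_START, BUSINESS_END = time(7, 0), time(20, 0)

# Constructed sample export (not Check Point's real format).
SAMPLE_LOGS = """\
2026-05-06T09:15:02Z vpn_login proto=IKEv2 src=198.51.100.10 user=alice pool_ip=10.200.0.11
2026-05-09T03:12:44Z vpn_login proto=IKEv1 src=203.0.113.45 user=svc_printer pool_ip=10.200.0.15
2026-05-09T03:14:10Z fw_accept src=10.200.0.15 dst=10.10.5.20 dport=445
2026-05-09T03:20:31Z fw_accept src=10.200.0.15 dst=10.10.5.21 dport=3389
2026-05-12T10:05:00Z vpn_login proto=IKEv1 src=198.51.100.22 user=bob pool_ip=10.200.0.12
2026-05-12T10:06:00Z fw_accept src=10.200.0.12 dst=10.10.8.40 dport=443
2026-05-15T23:40:00Z vpn_login proto=IKEv1 src=203.0.113.77 user=bob pool_ip=10.200.0.13
"""


def parse_line(line):
    """Parse '<ISO-UTC timestamp> <event> key=value ...' into a dict."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def triage(log_text):
    """Return a list of findings (dicts with ts, kind, user, src, why)."""
    findings = []
    ikev1_sessions = {}  # pool_ip -> user of the most recent IKEv1 login in the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["ts"] < EXPLOIT_WINDOW_START:
            continue  # before the documented exploitation window
        if f["event"] == "vpn_login":
            if f["proto"] != "IKEv1":
                continue  # the flaw is specific to IKEv1 sessions
            src = ipaddress.ip_address(f["src"])
            reasons = []
            if not any(src in net for net in KNOWN_CLIENT_NETS):
                reasons.append("IKEv1 login from unknown source IP")
            if not (BUSINESS_START <= f["ts"].time() <= BUSINESS_END):
                reasons.append("IKEv1 login outside business hours")
            ikev1_sessions[f["pool_ip"]] = f["user"]
            if reasons:
                findings.append({"ts": f["ts"], "kind": "login", "user": f["user"],
                                 "src": f["src"], "why": "; ".join(reasons)})
        elif f["event"] == "fw_accept":
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            # Only traffic sourced from a pool address that an IKEv1 session holds.
            if (f["src"] in ikev1_sessions and src in VPN_POOL
                    and any(dst in seg for seg in SERVER_SEGMENTS)
                    and int(f["dport"]) in LATERAL_PORTS):
                findings.append({"ts": f["ts"], "kind": "lateral",
                                 "user": ikev1_sessions[f["src"]], "src": f["src"],
                                 "why": f"IKEv1 VPN host to server segment {f['dst']}:{f['dport']}"})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"{hit['ts']:%Y-%m-%d %H:%M}  {hit['kind']:7}  {hit['user']:12}  {hit['src']:15}  {hit['why']}")
```

On the constructed sample this yields four findings: the off-hours `svc_printer` login from an unknown address, its two subsequent connections to the server segment on 445 and 3389, and a second off-hours login for `bob` from an address outside the known ranges. Anything the script flags is a lead for the SOC cross-check in the last bullet, not a verdict; a legitimate user travelling or a service account with an odd schedule will also appear, which is why the user and source are kept alongside the reason.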

Cybersecurity as a strategic priority

CVE-2026-50751 on Check Point and CVE-2026-0257 on Palo Alto were published one week apart, both VPN authentication bypasses with real active exploitation. The message is the same one the 2026 DBIR confirmed last week: corporate perimeter devices are the most exploited attack surface of 2026 because they combine direct internet exposure, high implicit trust and slow patching cycles. For Spanish organisations with Check Point on-premises infrastructure, today’s question is direct: do you have IKEv1 enabled, and do you know which Jumbo Hotfix Take is installed? If the answer to either is no, 7 May has already passed.

Apolo Cybersecurity: perimeter protection and Check Point firewall assessment for CVE-2026-50751

At Apolo Cybersecurity we help organisations with Check Point infrastructure verify exposure to CVE-2026-50751: IKEv1 configuration review on Security Gateways, emergency hotfix application on supported versions, migration plans for EOS versions that will not receive a patch, forensic VPN log review from 7 May onwards, and post-compromise lateral traffic analysis to detect Qilin ransomware affiliate activity.

If your organisation has Check Point Security Gateways with IKEv1 enabled and you have no confirmation that the emergency hotfix is applied, this Tuesday morning is the time to verify it.
