Check Point VPN Authentication Bypass Under Active Exploitation (CVE-2026-50751 CVE-2026-50752)
Executive Summary
On June 8th 2026, Check Point Research identified two CVEs (CVE-2026-50751, CVE-2026-50752) which can be abused to bypass Checkpoint VPN Authentication services, allowing threat actors to access network devices and traffic behind the VPN. These vulnerabilities were found under active exploitation in the wild by attackers that Check Point research attributed with medium confidence to be Qilin ransomware affiliates.
This vulnerability affects Check Point Remote Access VPN, and Mobile Access endpoints that are configured to use IKEv1 for their key exchange. At the time of writing, the control plane is unaffected by attackers who have exploited this vulnerability, however resources behind the VPN would be accessible to attackers who successfully exploit the vulnerability.
Affected Systems and Products
A given device will be affected if the following configurations are applied:
- VPN Remote Access or Mobile Access is enabled
- IKEv1 is enabled for remote access
- Gateways accept legacy Remote Access clients
- Gateways do not demand a machine certificate for connections
It should be noted that IKEv1 is deprecated.
Mitigations and Workarounds
Active exploitation has been confirmed in the wild, and Check Point has released hotfixes for the two vulnerabilities, sk185003 and sk185035. Affected organizations should apply these patches as soon as possible.
If applying the hotfix is not an immediate option, Check Point Research has advised disabling the IKEv1 for all Check Point Security Gateways and Remote Access communities, which is possible within the Check Point SmartConsole under VPN Community, Encryption > General > Encryption Method and ensuring IKEv2 is the only accepted key exchange.
Doubly so, Check Point also advises that users remove support for legacy Remote Access client connections for Check Point VPNs by accessing the Check Point SmartConsole and opening the Security Gateway object properties, selecting VPN Clients > Authentication, and unchecking the “Allow older clients to connect to this gateway" on any affected devices.
Finally, Check Point also recommends configuring mandatory certificate authentication also in the SmartConsole, under Security Gateway properties. Once there, selecting VPN Clients > Authentication, and selecting Mandatoryunder Machine Certificate Authentication.
Patches
Check Point recommends updating all affected Security Gateways to the released subsequent hotfix. They offer hotfixes for versions R81.20, R82, and R82.10. The hotfix versions are as follows:
Indicators of Compromise (IoCs)
Check Point Research has medium confidence that the attacker is affiliated with Qilin as they use the Qilin ransomware toolkit. Qilin is financially motivated and may be exploiting other VPN vulnerabilities, including the ones published recently by Palo Alto, Fortinet, and F5. Check Point Research reported the use of TOX Protocol for communications. They also found that the actor was using a dedicated VPS to orchestrate the attacks, finding that the IPs led back to Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. The following IoCs are associated with Qilin Linux Ransomware Binaries, and the servers from which the TA tried to download malicious second stage payloads from:
Technical Details
No in-depth technical details or public proof of concept exploit code samples were available at time of writing. Official documentation from Checkpoint describes the root flaw as a “logic flow weakness in the Remote Access and Mobile Access certificate validation.”
It should be noted that the vulnerability would grant threat actors network access to VPN connected resources, and that follow-up exploitation would vary greatly on what a given organization has internally connected to the VPN.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources
Vous êtes au courant d'un incident qui a un impact sur votre secteur d'activité ? Faites-nous savoir :