Check Point security advisory (AV26-559)
Analysis Summary
# Vulnerability: Active Exploitation of Check Point VPN Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-50751
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication) / CWE-288 (Authentication Bypass)
## Affected Systems
- **Products:** Mobile Access / SSL VPN, Remote Access VPN, Security Gateways, and Spark Firewall.
- **Versions:** Multiple versions are affected. This includes all versions running the deprecated IKEv1 protocol.
- **Configurations:** Systems configured with Remote Access VPN or Mobile Access blades enabled, specifically those utilizing legacy authentication methods or local accounts without Multi-Factor Authentication (MFA).
## Vulnerability Description
The vulnerability is a critical authentication bypass in the IKEv1 (Internet Key Exchange version 1) protocol implementation used for VPN services. An attacker can exploit this flaw to bypass authentication and gain unauthorized access to the network through the VPN gateway. The root cause lies in how the gateway handles authentication packets in deprecated components of the software.
## Exploitation
- **Status:** **Exploited in the wild.** Check Point has confirmed active exploitation by threat actors targeting enterprise environments.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to internal network resources)
- **Integrity:** High (Ability to modify data or configurations)
- **Availability:** High (Potential for lateral movement leading to ransomware or system disruption)
## Remediation
### Patches
Check Point has released emergency hotfixes for various versions. Administrators should apply the following or newer:
- R81.20: Take 631
- R81.10: Take 335
- R80.40: Take 294
- Spark Proxies: Refer to specific internal build updates via Check Point support.
### Workarounds
- **Disable IKEv1:** Force the use of IKEv2 where possible.
- **Enforce MFA:** Ensure all VPN accounts (especially local accounts) require Multi-Factor Authentication.
- **Disable Local Accounts:** Shift to centralized identity management (Active Directory/LDAP) with robust logging.
## Detection
- **Indicators of Compromise:** Look for unauthorized login attempts, or successful logins from atypical geographic locations, that use local management accounts.
- **Detection Methods and Tools:**
  - Review `vpnd.elg` logs for unusual authentication patterns.
  - Check for the creation of new, unauthorized local user accounts on the Security Gateway.
  - Use Check Point’s "Security Checkup" tool to identify whether the gateway is exposed via the deprecated protocol.
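The detection guidance above, turned into a small triage script as an added example (not Check Point's code and not the real `vpnd.elg` layout): the log lines are constructed, the `key=value` field format is an assumption, and the three rules flag successful local-account logins from unexpected geographies, a success following a burst of failures, and new local account creation.

```python
"""Triage VPN authentication events against the advisory's detection hints."""
import re
from collections import Counter

# Constructed sample events in an ASSUMED key=value layout. Real vpnd.elg
# lines must be mapped onto these field names (user, geo, auth, result, event).
SAMPLE_LOG = """\
2026-03-01T08:02:11Z user=alice src=203.0.113.10 geo=CA auth=radius result=success
2026-03-01T08:05:40Z user=admin src=198.51.100.7 geo=CA auth=local result=failure
2026-03-01T08:05:41Z user=admin src=198.51.100.7 geo=CA auth=local result=failure
2026-03-01T08:05:42Z user=admin src=198.51.100.7 geo=CA auth=local result=failure
2026-03-01T08:05:43Z user=admin src=198.51.100.7 geo=CA auth=local result=success
2026-03-01T08:09:15Z user=svc_backup src=192.0.2.55 geo=ZZ auth=local result=success
2026-03-01T08:10:00Z event=user_add actor=svc_backup new_user=helper type=local
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse(line):
    """Split one line into a dict of fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    fields["ts"] = m.group("ts")
    return fields


def find_suspicious(log_text, expected_geos, failure_threshold=3):
    """Return (rule, timestamp, subject) tuples for events worth an analyst's look."""
    findings = []
    failures = Counter()  # consecutive failed logins per user, reset on success
    for raw in log_text.splitlines():
        ev = parse(raw)
        if not ev:
            continue
        # Rule 3: a new local account appearing on the gateway.
        if ev.get("event") == "user_add" and ev.get("type") == "local":
            findings.append(("new_local_account", ev["ts"], ev.get("new_user")))
            continue
        user, result = ev.get("user"), ev.get("result")
        if result == "failure":
            failures[user] += 1
            continue
        if result == "success":
            # Rule 1: local account succeeding from a geography not on the allow-list.
            if ev.get("auth") == "local" and ev.get("geo") not in expected_geos:
                findings.append(("local_login_atypical_geo", ev["ts"], user))
            # Rule 2: success right after a run of failures (guessing/bypass pattern).
            if failures[user] >= failure_threshold:
                findings.append(("success_after_failures", ev["ts"], user))
            failures[user] = 0
    return findings
```

Calling `find_suspicious(SAMPLE_LOG, {"CA"})` yields one hit per rule; tune `expected_geos` and `failure_threshold` to the environment's baseline before relying on it.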
## References
- [Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751)](https[:]//blog[.]checkpoint[.]com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/)
- [Check Point Security Blog](https[:]//blog[.]checkpoint[.]com/security/)
- [Canadian Centre for Cyber Security Advisory](https[:]//www[.]cyber[.]gc[.]ca/en/alerts-advisories/check-point-security-advisory-av26-559)