Full Report
Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possessing a valid password, effectively bypassing the authentication requirement. Additional post-authentication activity is still required to reach internal resources or escalate privileges. To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate. Customers using the IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately.
Analysis Summary
# Vulnerability: Check Point VPN Authentication Bypass (CVE-2026-50751)
## CVE Details
- **CVE ID:** CVE-2026-50751
- **CVSS Score:** 9.3 (Critical)
- **CWE:** Weakness in certificate validation logic (Logic flaw)
## Affected Systems
- **Products:** Check Point Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall.
- **Versions:**
  - R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS)
  - R81.10.X, R81.20, R82, R82.00.X, R82.10
- **Configurations:** Systems configured to use the deprecated **IKEv1** key exchange protocol.
## Vulnerability Description
CVE-2026-50751 is a critical logic flaw in the certificate validation process of the Remote Access and Mobile Access components. Specifically, it affects the deprecated IKEv1 key exchange protocol. When exploited, the flaw allows an unauthenticated attacker to establish a VPN session without providing a valid user password. This bypass allows the attacker to gain initial access to the network, though further post-authentication steps are required to move laterally or escalate privileges.
## Exploitation
- **Status:** **Exploited in the wild.** Limited, targeted exploitation against a few dozen organizations has been observed.
- **Complexity:** Low (Authentication bypass via protocol flaw).
- **Attack Vector:** Network.
- **Threat Actor Note:** Activity has been linked to a **Qilin ransomware** affiliate. Attacks have been observed from VPS infrastructure (Kaupo Cloud HK, Shock Hosting, Vultr Holdings).
## Impact
- **Confidentiality:** High (Unauthorized access to internal networks).
- **Integrity:** High (Potential for post-compromise resource modification).
- **Availability:** High (Potential for ransomware deployment).
## Remediation
### Patches
Check Point has released hotfixes for all affected versions. Security Gateways should be updated to the hotfix level given for each release in the vendor advisory, or later:
- **R81.20:** Refer to [sk185033]
- **R81.10:** Refer to [sk185033]
- **R82.x:** Refer to [sk185033]
- *Users of End-of-Support (EOS) versions (R80.x, R81) are strongly urged to upgrade to a supported release.*
### Workarounds
- **Decommission IKEv1:** Moving to IKEv2 is the primary recommendation to mitigate risks associated with deprecated protocols.
- **Restricted Access:** Limit access to VPN gateways to known/trusted IP addresses where possible.
## Detection
- **Indicators of Compromise (IoC):**
  - Look for successful VPN logins without associated password authentication logs.
  - Monitor for VPS-based traffic from Kaupo Cloud HK, Shock Hosting, and Vultr.
  - Check for communication via the **Tox protocol** post-connection.
- **Timeline Audit:** Review forensic logs and configuration changes starting from **May 7, 2026**.
- **Detection Tools:** Check Point customers can use the **sk185033** documentation to find specific log queries and identification scripts.
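The first indicator above (a session established with no matching password authentication) can be checked mechanically over an exported VPN log. The following is an added example written for this report, not code from Check Point or from sk185033: the JSON line format, the field names (`event`, `user`, `src`, `session`, `ike`, `result`), the 5-minute correlation window and the sample records are all constructed assumptions that must be mapped onto the gateway's real export format before use.

```python
"""Flag VPN sessions established without a matching successful password
authentication for the same user and source address shortly beforehand.
Log format, field names and sample records are constructed assumptions
for this example; they are not Check Point's log schema."""
import json
from datetime import datetime, timedelta

# Constructed sample export: one JSON object per line (hypothetical schema).
SAMPLE_LOGS = """
{"ts":"2026-05-08T09:00:01Z","event":"auth_password","user":"alice","src":"198.51.100.7","session":"s1","result":"success"}
{"ts":"2026-05-08T09:00:03Z","event":"vpn_session_established","user":"alice","src":"198.51.100.7","session":"s1","ike":"v2"}
{"ts":"2026-05-08T11:14:20Z","event":"vpn_session_established","user":"bob","src":"203.0.113.55","session":"s2","ike":"v1"}
{"ts":"2026-05-08T11:30:00Z","event":"auth_password","user":"carol","src":"198.51.100.9","session":"s3","result":"failure"}
{"ts":"2026-05-08T11:30:05Z","event":"vpn_session_established","user":"carol","src":"198.51.100.9","session":"s3","ike":"v1"}
""".strip()


def parse(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(record):
    # ISO-8601 with a trailing Z; rewritten so older Pythons parse it too.
    return datetime.fromisoformat(record["ts"].replace("Z", "+00:00"))


def sessions_without_password_auth(records, window=timedelta(minutes=5)):
    """Return (session, user, src, ike) for every established session that has
    no successful password auth for the same user and source within `window`
    before the session was set up. A failed password attempt does not count."""
    successes = [r for r in records
                 if r["event"] == "auth_password" and r["result"] == "success"]
    flagged = []
    for r in records:
        if r["event"] != "vpn_session_established":
            continue
        established = _ts(r)
        matched = any(
            s["user"] == r["user"] and s["src"] == r["src"]
            and timedelta(0) <= established - _ts(s) <= window
            for s in successes)
        if not matched:
            flagged.append((r["session"], r["user"], r["src"], r.get("ike")))
    return flagged


if __name__ == "__main__":
    for hit in sessions_without_password_auth(parse(SAMPLE_LOGS)):
        print("REVIEW: session established without password auth:", hit)
```

Sessions flagged this way are review candidates, not confirmed compromises; certificate-only or pre-shared-key logins that are legitimate in the environment must be excluded by policy before treating a hit as an indicator.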
## References
- **Vendor Advisory:** hxxps[://]support[.]checkpoint[.]com/results/sk/sk185033
- **Secondary Discovery (CVE-2026-50752):** hxxps[://]support[.]checkpoint[.]com/results/sk/sk185035
- **Official Blog:** hxxps[://]blog[.]checkpoint[.]com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/