Check Point VPN IKEv1 Flaw Exploited to Bypass Passwords

A critical flaw in Check Point’s Remote Access VPN and Mobile Access, when configured to use the deprecated IKEv1 key exchange protocol, is being actively exploited.

The issue, tracked as CVE-2026-50751 (CVSS 9.3), stems from a logic flow weakness in certificate validation. In practice, it lets an unauthenticated remote attacker establish a remote access VPN session without a valid user password. As Check Point noted, additional post-authentication steps are still needed to reach internal resources or escalate privileges.

Who is affected

According to Check Point’s advisory, the vulnerability impacts these products and versions:

  • Security Gateways: R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS)
  • Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X

When exposure occurs

Successful exploitation requires all of the following:

  • VPN Remote Access or Mobile Access is enabled
  • IKEv1 is enabled for remote access
  • Gateways accept legacy Remote Access clients
  • Gateways do not demand a machine certificate for connections

What Check Point is seeing

Check Point first observed suspicious activity on June 4, 2026, with the earliest exploitation traced to May 7, 2026. Activity has increased this month. So far, exploitation has been limited to a few dozen targeted organizations globally. In at least one case, post-exploitation activity was linked to a Qilin ransomware affiliate.

The company believes the threat actor infrastructure is also exploiting other VPN-related vulnerabilities, including those published by Palo Alto Networks, Fortinet, and F5. Indicators suggest the actor may use the Tox protocol for communication—behavior commonly associated with financially motivated ransomware groups.

How the attacks are carried out

The campaigns rely on virtual private servers (VPS) geolocated to a target’s country to strike organizations within those borders. After establishing access, the attackers attempt to download malicious ELF files from infrastructure they control.

Some aspects of this activity overlap with reporting from Ctrl-Alt-Intel that detailed ransomware operators abusing corporate VPN appliances for initial access.

A second related flaw

Further review identified CVE-2026-50752 (CVSS 7.40), a separate issue that could enable an adversary-in-the-middle (AitM) attack against VPN site-to-site connections. There is currently no evidence of real-world exploitation of this flaw.

Context to keep in mind

This campaign targets environments where IKEv1 remains enabled and specific legacy client and certificate settings are in place. If that describes your setup, review your VPN configuration against the conditions above and follow your vendor’s guidance.
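The review described above can be run across a gateway inventory. The following is an added example, not code from Check Point or from this article: the inventory field names, the status labels and the sample records are constructed assumptions, and only the version thresholds and the four conditions come from the lists above.

```python
import re

# Highest affected Jumbo Hotfix Take per Security Gateway release (list above).
# None = no take threshold given (EOS releases): every take counts as affected.
GATEWAY_MAX_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141,
                    "R81.10": None, "R81": None, "R80.40": None}
# Spark families are listed on the page without a take threshold.
SPARK_FAMILIES = re.compile(r"^(R80\.20|R81\.10|R82\.00)\.\w+$")
# Hypothetical inventory field names for the four exposure conditions.
CONDITIONS = ("remote_access_enabled", "ikev1_enabled",
              "legacy_clients_accepted", "machine_cert_not_required")

def version_affected(product, release, take=None):
    """True/False when the lists above decide it, None when they cannot."""
    if product == "spark":
        return True if SPARK_FAMILIES.match(release) else None
    if release not in GATEWAY_MAX_TAKE:
        return None                      # release not named on the page
    max_take = GATEWAY_MAX_TAKE[release]
    if max_take is None:
        return True
    return None if take is None else take <= max_take

def triage(gw):
    """Classify one gateway record; missing data never counts as safe."""
    affected = version_affected(gw["product"], gw["release"], gw.get("take"))
    flags = [gw.get(c) for c in CONDITIONS]
    if affected is False:
        return "not-affected-version"
    if any(f is False for f in flags):
        return "conditions-not-met"      # affected build, still needs the fix
    if affected is None or any(f is None for f in flags):
        return "needs-review"
    return "exposed"

# Constructed sample inventory (not real hosts).
ALL_MET = dict.fromkeys(CONDITIONS, True)
INVENTORY = [
    {"name": "gw-a", "product": "gateway", "release": "R81.20", "take": 120, **ALL_MET},
    {"name": "gw-b", "product": "gateway", "release": "R82", "take": 110, **ALL_MET},
    {"name": "gw-c", "product": "spark", "release": "R81.10.15",
     **ALL_MET, "ikev1_enabled": False},
    {"name": "gw-d", "product": "gateway", "release": "R82.10", **ALL_MET},
]

def report(inventory):
    return {gw["name"]: triage(gw) for gw in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

A record with an unknown take or an unset condition is reported as needs-review rather than cleared, so gaps in the inventory surface instead of hiding an exposed gateway.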
