Check Point VPN authentication-bypass zero-day exploited in the wild (CVE-2026-50751)

On 8 June 2026, Check Point Software Technologies — the Israeli network-security vendor — disclosed that attackers were actively exploiting a critical authentication-bypass zero-day, tracked as CVE-2026-50751, in its Remote Access VPN and Mobile Access products. The flaw lets an attacker establish a VPN session without a valid password, and Check Point linked at least one confirmed intrusion to a Qilin ransomware affiliate.

What happened

CVE-2026-50751 is an improper-authentication flaw (CWE-287) carrying a CVSS score of 9.3. It affects Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key-exchange protocol. By abusing a logic flaw in certificate validation, an attacker can bypass the password requirement and authenticate to the VPN gateway as a legitimate remote-access user.

Check Point says the earliest observed exploitation dates back to 7 May 2026, with the company first noticing suspicious activity on 4 June 2026. Exploitation has so far been limited to a few dozen targeted organisations worldwide, but in at least one case the access was followed by post-compromise activity associated with a Qilin ransomware affiliate — turning a VPN foothold into the opening move of a ransomware intrusion.

During its investigation, Check Point identified a second, related issue — CVE-2026-50752 — also tied to certificate validation in the deprecated IKEv1 exchange, which under specific conditions could allow man-in-the-middle interference with site-to-site VPN traffic.

Impact

A critical (CVSS 9.3) authentication bypass allowing password-less VPN logins on IKEv1-configured gateways.
Active in-the-wild exploitation observed against several dozen organisations globally.
At least one intrusion tied to a Qilin ransomware affiliate, raising the prospect of follow-on encryption and extortion.
Check Point released emergency hotfixes and advised customers unable to patch immediately to drop the legacy remote-access client, restrict authentication to IKEv2 only, and make machine-certificate authentication mandatory.

Why it matters

Edge devices — VPN gateways and firewalls in particular — remain the favourite initial-access vector for ransomware crews, because a single authentication bypass hands an attacker a trusted position inside the network perimeter. The IKEv1 angle is a reminder that deprecated protocols left enabled for backward compatibility are a recurring source of risk: the secure default existed, but legacy configurations kept the vulnerable path alive long enough for attackers to find it.

Timeline

May 7, 2026

Earliest observed exploitation of CVE-2026-50751 against Check Point Remote Access VPN deployments.

June 4, 2026

Check Point first observes indications of suspicious activity linked to the flaw.

June 8, 2026

Check Point publishes a security advisory and hotfixes for CVE-2026-50751 (and the related CVE-2026-50752), confirming active in-the-wild exploitation.

Sources

helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/

thehackernews.comhttps://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html

blog.checkpoint.comhttps://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/

rapid7.comhttps://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/

Related incidents

RansomwareOngoingApril 27, 2026

Exclusive Networks: cyberattack at a key player in cybersecurity solutions

On 27 April 2026, the Qilin ransomware group listed Exclusive Networks — the France-headquartered global cybersecurity and IT distributor — on its leak site, threatening to publish stolen data unless the company entered negotiations; the scope remained unconfirmed.

Victim: Exclusive Networks

Zero-dayOngoingJune 10, 2026

Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges (CVE-2026-47281)

Researchers disclosed a Microsoft Defender privilege-escalation zero-day dubbed RoguePlanet (CVE-2026-47281) that abuses a race condition to redirect a SYSTEM-level file operation and hand a local attacker full SYSTEM access on fully updated Windows machines.

Victim: Microsoft Defender

Zero-dayOngoingJune 10, 2026

Oracle PeopleSoft PeopleTools zero-day exploited by ShinyHunters (CVE-2026-35273)

Oracle issued an emergency out-of-band alert after the ShinyHunters crew exploited a critical unauthenticated remote-code-execution zero-day in PeopleSoft PeopleTools to steal data from more than 100 organisations, most of them universities.

Victim: Oracle PeopleSoft

Zero-dayContainedJune 9, 2026

Google patches actively exploited Chrome V8 zero-day (CVE-2026-11645)

Google shipped an emergency Chrome update fixing CVE-2026-11645, a high-severity out-of-bounds memory flaw in the V8 engine that lets a crafted web page run arbitrary code and for which an exploit already exists in the wild.

Victim: Google Chrome