Attackers are actively exploiting a critical vulnerability in Check Point’s Remote Access VPN that lets them skip the password entirely. The flaw, CVE-2026-50751, hits deployments still running the long-deprecated IKEv1 key exchange protocol — and it’s already been used in targeted attacks against dozens of organizations.
How the Attack Works
The vulnerability is a logic flaw in certificate validation during the IKEv1 handshake. An unauthenticated attacker with network reach to the gateway can exploit it to establish a Remote Access VPN session without ever presenting a valid user password. That’s right — no password, no credentials, just network access to the VPN gateway.
Check Point says the attacker still needs additional post-authentication steps to reach internal resources or escalate privileges, so a session by itself is not a full compromise. But that’s cold comfort when the front door is already wide open.
Who’s Affected
The flaw impacts Security Gateways running R82.10, R82, R81.20, R81.10, R81, and R80.40, as well as Spark Firewalls R80.20.X, R81.10.X, and R82.00.X. A gateway is only exploitable when four conditions are all true: VPN Remote Access or Mobile Access is enabled, IKEv1 is enabled for remote access, the gateway accepts legacy Remote Access clients, and the gateway does not require a machine certificate. If any one of those is false, the vulnerable code path is not reachable.
If you’re still running IKEv1 for remote access in 2026, this should be a wake-up call to change that regardless of this specific CVE.
What the Attackers Are Doing With It
Check Point first spotted suspicious activity on June 4, with exploitation dating back to May 7. The attacks picked up pace this month. In at least one case, a Qilin ransomware affiliate leveraged the access for post-exploitation activity.
The threat actors are using VPS infrastructure geolocated to specific countries to target organizations within those borders. Once inside, they attempt to pull down malicious ELF files from attacker-controlled servers. Check Point also identified indicators suggesting the Tox protocol for command-and-control, a pattern common among financially motivated ransomware groups.
There’s a second vulnerability too — CVE-2026-50752 (CVSS 7.4) — that enables adversary-in-the-middle attacks on VPN site-to-site connections. It hasn’t been exploited in the wild yet, but it was discovered during the same investigation.
What You Should Do Right Now
Check Point has released hotfixes. If you’re running any of the affected versions, patch immediately. Beyond that: disable IKEv1 for remote access if you haven’t already. It’s been deprecated for a reason, and this is what running deprecated protocols looks like in practice.
Require machine-certificate authentication for Remote Access clients if you can: a gateway that requires a machine certificate fails one of the four prerequisites, so enforcing it takes the gateway out of the exploitable configuration even before the hotfix lands. Also audit your VPN logs for anomalous IKEv1 remote-access session establishment, especially from May 7 onward: sessions from hosting-provider or VPS address space your users don’t normally connect from, a single source IP establishing sessions as several different users, and sessions that completed without the password factor you expect to see.
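As an illustration of that log review, here is an added example (not code from the article or from Check Point) that runs the three checks above over a handful of constructed session records. The key=value layout, the field names (`time`, `action`, `proto`, `type`, `user`, `src`, `auth`) and the "known client ranges" are all assumptions made for the example; map your gateway’s actual export fields onto them before using it.

```python
"""Triage of remote-access VPN session logs for the IKEv1 exploitation window.

Added example. The key=value record format and field names below are an
assumption for illustration, not Check Point's own log schema.
"""
from datetime import datetime, date
import ipaddress

# Constructed sample records (not real telemetry). Fields are assumptions:
# time, action, proto (IKE version), type (remote_access / site_to_site),
# user, src (peer IP) and auth (which factors the peer presented).
SAMPLE_LOG = """\
time=2026-05-03T08:12:44Z action=vpn_session_established proto=ikev1 type=remote_access user=alice src=203.0.113.10 auth=password+cert
time=2026-05-08T02:17:09Z action=vpn_session_established proto=ikev1 type=remote_access user=alice src=198.51.100.77 auth=cert
time=2026-05-08T02:17:31Z action=vpn_session_established proto=ikev1 type=remote_access user=bob src=198.51.100.77 auth=cert
time=2026-05-09T11:40:02Z action=vpn_session_established proto=ikev2 type=remote_access user=carol src=203.0.113.22 auth=password+cert
time=2026-06-01T23:05:57Z action=vpn_session_established proto=ikev1 type=site_to_site peer=branch-gw src=192.0.2.5 auth=cert
time=2026-06-04T04:44:12Z action=vpn_session_established proto=ikev1 type=remote_access user=dave src=198.51.100.78 auth=cert
"""

# Earliest exploitation date reported in the article.
EXPLOITATION_START = date(2026, 5, 7)

# Ranges your own clients normally connect from (constructed; replace with real data).
KNOWN_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Parse one key=value record into a dict; tokens without '=' are skipped."""
    rec = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flag_sessions(records, since=EXPLOITATION_START, known_nets=KNOWN_CLIENT_NETS):
    """Return (record, reasons) for IKEv1 remote-access sessions worth a second look.

    Every IKEv1 remote-access session on or after `since` is returned with
    'ikev1_ra_after_start'; further reasons are appended when the auth field
    shows no password factor, the peer IP is outside the known client ranges,
    or the same source IP established sessions as more than one user.
    """
    users_by_src = {}
    for r in records:
        if r.get("proto") == "ikev1" and r.get("type") == "remote_access":
            users_by_src.setdefault(r.get("src"), set()).add(r.get("user"))

    findings = []
    for r in records:
        if r.get("action") != "vpn_session_established":
            continue
        if r.get("proto") != "ikev1" or r.get("type") != "remote_access":
            continue
        when = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ").date()
        if when < since:
            continue
        reasons = ["ikev1_ra_after_start"]
        if "password" not in r.get("auth", ""):
            reasons.append("no_password_factor")
        src = ipaddress.ip_address(r["src"])
        if not any(src in net for net in known_nets):
            reasons.append("unknown_source")
        if len(users_by_src.get(r["src"], ())) > 1:
            reasons.append("multi_user_source")
        findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in flag_sessions(parse_log(SAMPLE_LOG)):
        print(rec["time"], rec.get("user"), rec["src"], ",".join(reasons))
```

On the sample data the May 3 session is ignored (before the window), the IKEv2 and site-to-site sessions are ignored, and the three remaining IKEv1 remote-access sessions are flagged, with the shared 198.51.100.77 source also picking up the multi-user reason. Treat the password-factor check as the weakest of the three: what a gateway records about authentication factors varies, so confirm what your own logs actually carry before relying on it.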
The Bigger Picture
This isn’t just a Check Point problem. The same threat actor infrastructure appears to be exploiting VPN vulnerabilities from Palo Alto Networks, Fortinet, and F5. VPN appliances are the soft underbelly of corporate security — they’re internet-facing, they handle authentication, and when they break, they break badly. The Qilin connection here is a reminder that ransomware groups see VPN flaws as on-ramps to your entire network.
If you’re still exposing IKEv1 to the internet in 2026, this is your sign to stop.
