Check Point is warning that a critical authentication bypass vulnerability in its VPN products is being actively exploited in the wild, with at least one confirmed case tied to the prolific Qilin ransomware operation.
The Vulnerability
Tracked as CVE-2026-50751, the flaw allows unauthenticated, remote attackers to bypass authentication on Check Point Remote Access VPN, Mobile Access, and Spark firewall deployments. The catch: it only affects systems still running the deprecated IKEv1 key exchange protocol with legacy remote access clients that don’t require machine certificates.
The attacks started on May 7 and surged in early June. Check Point says it has seen exploitation against "a few dozen" organizations globally, a relatively targeted campaign, but one with serious consequences when it hits.
Qilin’s Track Record
The Qilin ransomware gang isn’t some fly-by-night crew. Operating as a Ransomware-as-a-Service under the "Agenda" name since August 2022, Qilin has claimed nearly 400 victims on its dark web leak site. Its victim list reads like a yearbook of high-profile breaches: Chinese automotive giant Yanfeng, Nissan, Japanese brewer Asahi, US publishing company Lee Enterprises, London hospital pathology provider Synnovis, and Australia’s Court Services Victoria.
Losing a VPN to this group isn’t just an inconvenience. It’s a direct highway into your network.
A Second Bug Discovered
While investigating CVE-2026-50751, Check Point found a cousin: CVE-2026-50752, a certificate validation flaw in the same deprecated IKEv1 code that could be exploited for man-in-the-middle attacks on site-to-site VPN connections. There is no evidence of in-the-wild exploitation yet, but it’s another reason to stop dragging your feet on updates.
What You Should Do Right Now
Check Point has released hotfixes. If you’re running IKEv1 — and you probably shouldn’t be in 2026 — apply them immediately. For organizations that can’t patch immediately, the company recommends removing legacy remote access client support, switching Remote Access VPN authentication to IKEv2 only, enforcing machine certificate authentication, and enabling IPS signatures.
Seriously: if your VPN infrastructure is still on IKEv1, this is your wake-up call. The protocol has been deprecated for years. Every day you run it with a public-facing interface is a gamble.
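To find out where IKEv1 is still being negotiated before switching to IKEv2 only, the version can be read straight from the IKE header in captured UDP/500 and UDP/4500 traffic. The following is an added example, not Check Point tooling; the function names and the sample packets (documentation addresses, header-only payloads) are constructed for illustration.

```python
import struct

# IKE fixed header, 28 bytes (RFC 2408 sec. 3.1 for IKEv1, RFC 7296 sec. 3.1 for IKEv2):
# initiator SPI (8) | responder SPI (8) | next payload (1) | version (1)
# | exchange type (1) | flags (1) | message ID (4) | total length (4)
IKE_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE on UDP/4500 (NAT-T, RFC 3948)
V1_EXCHANGES = {2: "main mode", 4: "aggressive mode"}
V2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH"}

def classify_ike(payload, udp_port=500):
    """Return (major_version, exchange_name) for a UDP payload, or None if not IKE."""
    if udp_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None  # ESP-in-UDP data packet, not an IKE message
        payload = payload[4:]
    if len(payload) < IKE_HEADER.size:
        return None
    _, _, _, version, exchange, _, _, length = IKE_HEADER.unpack_from(payload)
    major = version >> 4  # high nibble is the major version, low nibble the minor
    if major not in (1, 2) or length < IKE_HEADER.size:
        return None
    names = V1_EXCHANGES if major == 1 else V2_EXCHANGES
    return major, names.get(exchange, f"exchange {exchange}")

def gateways_still_negotiating_ikev1(packets):
    """packets: iterable of (dst_ip, dst_port, udp_payload); returns sorted IPs receiving IKEv1."""
    hits = set()
    for dst_ip, dst_port, payload in packets:
        result = classify_ike(payload, dst_port)
        if result and result[0] == 1:
            hits.add(dst_ip)
    return sorted(hits)

def _hdr(version, exchange):
    """Build a constructed header-only IKE message for the sample data below."""
    next_payload = 1 if version == 0x10 else 33  # SA payload type in v1 / v2
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, next_payload, version, exchange, 0, 0, 28)

SAMPLE = [  # constructed packets: (destination IP, destination UDP port, payload)
    ("192.0.2.10", 500, _hdr(0x10, 2)),                       # IKEv1 main mode
    ("192.0.2.20", 500, _hdr(0x20, 34)),                      # IKEv2 IKE_SA_INIT
    ("192.0.2.30", 4500, NON_ESP_MARKER + _hdr(0x10, 4)),     # IKEv1 aggressive mode over NAT-T
    ("192.0.2.20", 4500, b"\x12\x34\x56\x78" + b"\x00" * 40), # ESP-in-UDP, ignored
]

if __name__ == "__main__":
    print(gateways_still_negotiating_ikev1(SAMPLE))
```

A hit means IKEv1 is in use toward that address, not that the gateway is vulnerable; it tells you which peers and clients still need migrating before IKEv1 can be turned off.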
The Bigger Picture
VPN zero-days have become one of the most reliable initial access vectors for ransomware groups. We saw it with Fortinet, with Ivanti, with Palo Alto. Qilin joining the list of groups exploiting Check Point flaws shows this isn’t slowing down. If anything, ransomware operators are getting faster at weaponizing the moment a VPN vulnerability drops. Treat your edge network like it’s already under attack — because it is.
