Overview
- Check Point disclosed CVE-2026-50751 on June 8, after first noticing suspicious activity on June 4 and tracing exploitation back to May 7; the company says attacks have been limited to a few dozen targeted organizations.
- The bug is a logic-flow and certificate-validation weakness that lets an attacker create a remote access VPN session without a valid user password when the gateway accepts legacy IKEv1 clients and does not require a machine certificate.
- At least one investigated breach included post-compromise activity tied to a Qilin ransomware affiliate, with attackers using rented VPS hosts and tools like Rclone and possibly the Tox protocol to move and exfiltrate data.
- Check Point released security updates, indicators of compromise, and step-by-step mitigations including moving Remote Access VPN to IKEv2, removing legacy clients, making machine certificates mandatory, and enabling IPS signatures for defenders who cannot patch immediately.
- The incident underscores the risk of leaving deprecated IKEv1 enabled on VPN appliances and fits a larger pattern of adversaries abusing vendor VPN flaws to gain initial access, so organizations should audit logs from May 7 onward and review their VPN configurations now.
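The exposure condition and the two follow-up actions above (review the gateway configuration, audit sessions from May 7 onward) can be turned into a small triage script. The following is an added example for this summary, not code from Check Point or from the original article; the `GatewayConfig` model, the session record format and the sample records are simplified assumptions constructed for illustration and do not reflect Check Point's real configuration schema or log format.

```python
"""
Triage helper for the exposure described above: a Remote Access VPN gateway
that still accepts legacy IKEv1 clients and does not require a machine cert.
  1. is_exposed()/recommended_fixes(): flag a gateway whose settings match the
     exploitable combination and list the mitigations the vendor published.
  2. triage_sessions(): flag RA VPN sessions on/after the earliest known
     exploitation date that were set up over IKEv1 without a machine cert.
The config model and log format are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime

EARLIEST_KNOWN_EXPLOITATION = date(2026, 5, 7)  # from the disclosure timeline


@dataclass
class GatewayConfig:
    name: str
    ra_vpn_enabled: bool
    ike_versions: tuple            # e.g. ("IKEv1", "IKEv2")
    legacy_clients_allowed: bool
    machine_cert_required: bool
    patched: bool


def is_exposed(cfg: GatewayConfig) -> bool:
    """The vulnerable combination: RA VPN on, IKEv1 accepted, legacy clients
    allowed, machine certificate not mandatory, and the fix not installed."""
    return (cfg.ra_vpn_enabled
            and "IKEv1" in cfg.ike_versions
            and cfg.legacy_clients_allowed
            and not cfg.machine_cert_required
            and not cfg.patched)


def recommended_fixes(cfg: GatewayConfig) -> list:
    """Mitigations from the advisory summary that still apply to this gateway."""
    fixes = []
    if not cfg.patched:
        fixes.append("install the vendor security update")
    if "IKEv1" in cfg.ike_versions:
        fixes.append("move Remote Access VPN to IKEv2 and disable IKEv1")
    if cfg.legacy_clients_allowed:
        fixes.append("remove legacy clients")
    if not cfg.machine_cert_required:
        fixes.append("make machine certificates mandatory")
    if not cfg.patched:
        fixes.append("enable IPS signatures until the update is installed")
    return fixes


# Constructed session records (not a real Check Point log format).
SAMPLE_SESSIONS = """\
2026-05-02T09:12:00Z user=alice src=198.51.100.10 ike=IKEv1 client=legacy machine_cert=no
2026-05-08T23:41:17Z user=svc-backup src=203.0.113.77 ike=IKEv1 client=legacy machine_cert=no
2026-05-09T01:03:44Z user=bob src=192.0.2.55 ike=IKEv2 client=current machine_cert=yes
2026-05-12T14:20:05Z user=carol src=203.0.113.90 ike=IKEv1 client=legacy machine_cert=yes
2026-06-01T07:55:31Z user=svc-backup src=203.0.113.77 ike=IKEv1 client=legacy machine_cert=no
"""


def parse_session(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *kv = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in kv:
        k, v = item.split("=", 1)
        rec[k] = v
    return rec


def triage_sessions(log_text: str, since: date = EARLIEST_KNOWN_EXPLOITATION) -> list:
    """Return sessions that match the exploitable path (on/after `since`, IKEv1,
    legacy client, no machine certificate). These are the sessions the weakness
    could have produced without a valid password, so they need corroboration
    against the vendor's indicators of compromise and other telemetry."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_session(line)
        if (rec["ts"].date() >= since
                and rec["ike"] == "IKEv1"
                and rec["client"] == "legacy"
                and rec["machine_cert"] == "no"):
            flagged.append(rec)
    return flagged


def suspicious_sources(flagged: list) -> dict:
    """Group flagged sessions by source IP so repeated hits stand out."""
    by_src = {}
    for rec in flagged:
        by_src.setdefault(rec["src"], []).append(rec["user"])
    return by_src


if __name__ == "__main__":
    gw = GatewayConfig("branch-gw-1", True, ("IKEv1", "IKEv2"), True, False, False)
    print(gw.name, "exposed:", is_exposed(gw))
    for fix in recommended_fixes(gw):
        print(" -", fix)
    for src, users in suspicious_sources(triage_sessions(SAMPLE_SESSIONS)).items():
        print(src, users)
```

On the constructed sample, the pre-May 7 session, the IKEv2 session and the legacy session that did present a machine certificate are all left alone; only the two IKEv1, legacy-client, no-certificate sessions from the same source are flagged, which is the shape of record worth comparing against the published indicators.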