Overview
- Check Point disclosed on Monday that a critical authentication-bypass bug (CVE-2026-50751) in Remote Access VPN, Mobile Access and Spark firewalls has been actively exploited since early May, with suspicious activity first noticed on June 4.
- The flaw lets an unauthenticated attacker establish a VPN session when the deprecated IKEv1 key exchange is enabled and gateways accept legacy clients or do not require machine certificates, allowing access without a valid user password.
- Observed exploitation has been limited to a few dozen targeted organizations worldwide, and at least one confirmed intrusion showed post-compromise activity tied to a Qilin ransomware affiliate.
- Check Point has released hotfixes and advised immediate mitigations for organizations that cannot patch, including disabling IKEv1, enforcing machine-certificate authentication, removing legacy remote clients, and enabling IPS signatures.
- While investigating CVE-2026-50751, Check Point found a related issue (CVE-2026-50752) that could enable man-in-the-middle attacks on IKEv1 site-to-site links; the company has no evidence of in-the-wild use. Defenders are urged to audit logs and follow vendor IOCs.