Critical Check Point VPN Flaw Exploited in Ransomware Attacks
Check Point has issued an urgent security advisory disclosing active in-the-wild exploitation of a critical authentication bypass vulnerability, tracked as CVE-2026-50751 (CVSS 9.3), affecting its Remote Access VPN and Mobile Access products.
The flaw affects deployments still configured with the deprecated IKEv1 key exchange protocol and allows unauthenticated attackers to establish fully authenticated VPN sessions without valid credentials.
The vulnerability resides in improper certificate validation logic within IKEv1-based VPN authentication flows. By exploiting this flaw, attackers can bypass password verification entirely, gaining unauthorized remote VPN access.
Critically, although initial access does not automatically grant full network control, it provides threat actors a strong foothold to conduct post-authentication activities including lateral movement, privilege escalation, and payload deployment.
Check Point has confirmed the vulnerability exclusively affects configurations using IKEv1, a protocol deprecated for years due to known cryptographic weaknesses. Organizations maintaining IKEv1 for legacy compatibility are at highest risk.
According to Check Point Research, exploitation has been observed since at least May 7, 2026, with a significant spike in activity recorded in early June.
The campaign appears highly targeted, impacting dozens of organizations globally. In at least one confirmed incident, post-compromise activity was directly attributed to a Qilin ransomware affiliate, indicating that financially motivated threat actors are weaponizing CVE-2026-50751 as a primary initial access vector.
Researchers assess with medium confidence that operators behind the campaign are aligned with ransomware-driven intrusion sets and may be reusing infrastructure and techniques previously observed in attacks targeting VPN products from Fortinet, Palo Alto Networks, and F5.
During the investigation, Check Point identified a related secondary flaw, CVE-2026-50752 (CVSS 7.4), affecting certificate validation in site-to-site VPN connections over IKEv1.
This vulnerability could enable man-in-the-middle (MitM) attacks under specific conditions. While no active exploitation of CVE-2026-50752 has been confirmed, its discovery underscores the systemic risk posed by legacy cryptographic protocols.
Threat intelligence reveals attackers are operating from VPS infrastructure hosted by Kaupo Cloud HK, Shock Hosting, and Vultr. Geographic alignment between attack infrastructure and targeted victims suggests deliberate operational awareness and geo-targeting.
The Tox protocol has been observed for command-and-control (C2) communications, a technique commonly leveraged by ransomware groups to evade network-based detection.
Post-exploitation activity includes deployment of Qilin ransomware payloads, specifically Linux ELF binaries retrieved from attacker-controlled servers.
Mitigation
Organizations running Check Point VPN deployments should take the following immediate actions:
- Apply the latest Check Point security hotfix without delay
- Disable IKEv1 across all VPN configurations where technically feasible
- Conduct forensic review of VPN authentication logs dating back to May 7, 2026
- Investigate any unauthorized or anomalous VPN session activity
- Block identified IOC IP addresses at the perimeter firewall
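As an added example (not code from the advisory or from Check Point), the following script shows one way to carry out the log review and session triage steps above. It assumes a constructed key=value log format for VPN authentication events and a placeholder IOC list; it flags every successful IKEv1 authentication since May 7, 2026 and every session originating from an IOC address.

```python
import re
from datetime import datetime

# Constructed sample log lines in an assumed key=value format (not real Check Point output).
SAMPLE_LOG = """\
2026-05-03T08:12:44Z vpn-gw1 auth: result=success user=jdoe src=203.0.113.10 method=ikev1 session=1001
2026-05-09T02:15:09Z vpn-gw1 auth: result=success user=svc_backup src=198.51.100.7 method=ikev1 session=1002
2026-05-09T02:15:31Z vpn-gw1 auth: result=success user=admin src=198.51.100.7 method=ikev1 session=1003
2026-06-02T23:41:12Z vpn-gw1 auth: result=failure user=jdoe src=203.0.113.10 method=ikev2 session=1004
2026-06-03T00:05:50Z vpn-gw1 auth: result=success user=jdoe src=192.0.2.55 method=ikev2 session=1005
"""

# Placeholder blocklist; replace with the IOC IP addresses published in the advisory.
IOC_IPS = {"198.51.100.7"}
# Earliest observed exploitation date from the advisory; review logs from here onward.
CAMPAIGN_START = datetime(2026, 5, 7)

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def triage(log_text, ioc_ips=IOC_IPS, since=CAMPAIGN_START):
    """Return (session, user, src, reasons) for every event that warrants investigation."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ts"] < since:
            continue  # unparseable, or before the campaign window
        reasons = []
        # Any successful IKEv1 login after the campaign start is suspect until verified,
        # because the bypass yields a fully authenticated session without valid credentials.
        if ev.get("result") == "success" and ev.get("method") == "ikev1":
            reasons.append("ikev1-success")
        if ev.get("src") in ioc_ips:
            reasons.append("ioc-source")
        if reasons:
            findings.append((ev.get("session"), ev.get("user"), ev.get("src"), reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```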
Indicators of Compromise (IOCs)