HP Halting Problems Security research, supply chain threats, and systems risk.
♥ Help support the site
btc
bc1q3909urygy90qhytu32344ws0t5vy085y0h7xc8
eth
0x71faaDcAF2538e7346885F772FBAcb88740059A8
xmr
49PeCUfdgmG1ZMAzUxz2WFWiRDbDrycrJ8qYVfxBq6HWCHjk7uncaoESm7CRF5DtxcFgStuvyvcfUD3p4xU33F8dPep53MP
critical Threat analysis

Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass

CISA added Check Point Security Gateway CVE-2026-50751 to its KEV catalog on 2026-06-08. The critical improper authentication vulnerability affects Remote Access VPN and Mobile Access configurations utilizing the IKEv1 protocol, allowing unauthenticated remote attackers to bypass credential checks and gain network access.

Published
Read time
5 min read
Sources
3
#checkpoint#cisa-kev#vpn#authentication-bypass#ransomware
On this page 0% read

    Executive Summary

    CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalog on 2026-06-08, marking it as actively exploited in the wild CISA KEV. The vulnerability is an improper authentication flaw affecting Check Point Security Gateways and Spark Firewalls when Remote Access VPN or Mobile Access is enabled with legacy IKEv1 protocol support. Attackers can exploit this logic flow vulnerability in the certificate validation process to bypass password requirements and establish remote VPN access to target networks.

    Active exploitation has been observed in the wild, with reports linking incidents to Qilin ransomware affiliates targeting corporate environments. Check Point released emergency security updates and Jumbo Hotfixes for affected versions (including R82.10, R82, R81.20, and support-ended versions like R80.40). Administrators must apply security updates immediately, migrate configuration settings to IKEv2-only, or require mandatory machine certificates to prevent unauthorized access.

    Key Facts

    cve: "CVE-2026-50751"
vendor: "Check Point"
product: "Security Gateway"
vulnerability: "Improper authentication in IKEv1 VPN certificate validation"
cwe: "CWE-287"
disclosed_date: "2026-06-08"
kev_added: "2026-06-08"
affected_versions:
  - "R82.10 (Jumbo Hotfix Take 19 or below)"
  - "R82 (Jumbo Hotfix Take 103 or below)"
  - "R81.20 (Jumbo Hotfix Take 141 or below)"
  - "R81.10, R81, R80.40 and below"
fixed_versions:
  - "R82.10 Jumbo Hotfix Take 20 or higher"
  - "R82 Jumbo Hotfix Take 104 or higher"
  - "R81.20 Jumbo Hotfix Take 142 or higher"
high_value_evidence:
  - "SmartConsole certificate authentication logs"
  - "IKEv1 remote access logs"

    Source Confidence & Evidence Mapping

    • confirmed: CISA added CVE-2026-50751 to the KEV catalog, verifying active exploitation in the wild CISA KEV.
    • confirmed: Check Point published support advisory sk185033 describing the logic flaw in IKEv1 key exchange certificate validation, listing the affected versions and recommended configuration mitigations Check Point sk185033.
    • likely: Ransomware groups (specifically Qilin affiliates) have actively targeted this vulnerability to establish initial access and deploy payloads.

    Impact Determination

    ClassificationCriteriaRequired evidenceHandling decision
    Confirmed compromiseGateways show successful remote access VPN log entries for certificates that do not correspond to authorized user/machine devices, or anomalous lateral movement/endpoint tools following a VPN login session.Check Point SmartConsole logs containing certificate mismatches, unauthorized VPN sessions, or Qilin ransomware indicators.Terminate all active VPN sessions, isolate affected target networks, revoke and regenerate certificate credentials, and run forensic log review from May 7, 2026.
    Presumed exposedSecurity Gateway or Spark firewall runs an affected version (e.g. R81.20 before Jumbo Take 142) and has Remote Access VPN enabled with IKEv1 and certificate authentication.Asset inventory or Check Point gateway version check showing unpatched Jumbo Hotfix Take.Apply the Check Point Jumbo Hotfix update immediately; configure Remote Access to utilize IKEv2 only and disable legacy client support.
    Potentially exposedCheck Point gateways exist in the environment, but version or VPN settings are not fully documented.CMDB, IP scanner, or network diagram showing exposed Check Point management or VPN portals.Audit the gateway versions and verify IKE/certificate configurations.
    Not exposedNo affected products are in use, or all gateways are updated and configured to require IKEv2-only with mandatory machine certificates.Inventory lists and gateway configuration files showing IKEv1 disabled.None required.
    UnknownGateway configurations or logs are unavailable.Lack of central logging or access to SmartConsole.Assume exposure and prioritize configuration auditing.

    Timeline

    • 2026-05-07: Earliest suspected exploitation activity is recorded in security telemetry logs.
    • 2026-06-08: CISA adds CVE-2026-50751 to the KEV catalog.
    • 2026-06-08: Check Point issues security advisory sk185033 and releases emergency jumbo hotfixes.
    • 2026-06-09: This threat post analysis is published.

    Technical Analysis

    The logic flaw exists in the legacy IKEv1 key exchange handshake validation code. During IKEv1 authentication with certificates, the gateway incorrectly validates the signature proof structure, failing to confirm the cryptographic association between the certificate and the peer identity. This allows an attacker to supply a forged signature or manipulate the peer identification payload, bypassing the password validation layer entirely.

    Because many legacy setups do not enforce double-factor machine certificate check or MFA at the IKE layer, the attacker can directly obtain a valid VPN tunnel IP address and enter the internal corporate network subnet. Check Point’s hotfixes repair this logic sequence inside the vpnd service daemon.

    Affected Assets and Blast Radius

    asset_selectors:
  - "checkpoint-security-gateway"
highest_value_assets:
  - "Check Point Security Gateways serving remote access VPNs"
credentials_and_data_at_risk:
  - "Internal corporate network access"
  - "Active Directory domain credentials (via lateral movement)"

    Indicators And Detection Selectors

    vulnerabilities: ["CVE-2026-50751"]
packages: ["checkpoint-security-gateway"]
telemetry_selectors:
  - "IKEv1"
  - "sk185033"
  - "checkpoint"

    Detection and Hunting

    Script: local repository and exported telemetry scope

    #!/usr/bin/env python3
import os
import sys
import json
import subprocess
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-checkpoint-cve-2026-50751-kev-scope"))
SINCE = "2026-06-08T00:00:00Z"
UNTIL = "2026-06-08T23:59:59Z"

PACKAGES = [
]
VERSIONS = [
]
FILES = [
]
DOMAINS = [
  "www.cisa.gov",
  "support.checkpoint.com",
]
URLS = [
  "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
  "https://support.checkpoint.com/results/sk/sk185033",
]
IPS = [
]
HASHES = [
]
PROCESS_PATTERNS = [
]
NETWORK_PATTERNS = [
]

# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.

OUT.mkdir(parents=True, exist_ok=True)
indicators_file = OUT / "indicators.txt"

# Collect unique indicators
indicators = set()
for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

    Sources

    1. CISA: KEV Catalog - Role: PRIMARY_RESEARCH - Impact: Active exploitation confirmation.
    2. Check Point: Support Advisory sk185033 - Role: DIRECT_SOURCE - Impact: Detailed product advisory, affected versions, and mitigation guide.
    3. NIST NVD: CVE-2026-50751 - Role: ENRICHMENT_DATA - Impact: Severity and vulnerability classification.