Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass

Suspected
Discovered Jun 8, 2026

Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.

0
Affected Packages
14
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
45[.]77[.]149[.]152
209[.]182[.]225[.]136
38[.]60[.]157[.]139
162[.]33[.]177[.]101
45[.]76[.]26[.]42

Analysis

Executive Summary

CVE-2026-50751 is a Check Point Remote Access VPN and Mobile Access authentication bypass in deprecated IKEv1 certificate validation. An unauthenticated remote attacker can establish a VPN session without a valid user password when the affected configuration conditions are present [Sources 1 and 2].

Check Point observed exploitation beginning May 7, 2026, affecting a few dozen targeted organizations globally as of June 8. One confirmed post-compromise case was associated with a Qilin ransomware affiliate, and Check Point assesses the broader actor as financially motivated with medium confidence [blog.checkpoint.com opens in a new tab]. This is narrower than saying all exploitation is attributable to Qilin.

CISA added the CVE to the Known Exploited Vulnerabilities catalog on June 8, 2026, with a federal remediation due date of June 11, 2026 [Sources 3 and 4]. Apply the exact hotfix listed in sk185033. If immediate patching is impossible, use the vendor's Remote Access configuration mitigations and verify that legacy IKEv1 clients can no longer authenticate [support.checkpoint.com opens in a new tab].

Key Facts

Cve: CVE-2026-50751

Vendor: Check Point

Cvss V3 1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)

Cwe: CWE-287

Disclosed Date: 2026-06-08

Earliest Observed Exploitation: 2026-05-07

Kev Added: 2026-06-08

Kev Due Date: 2026-06-11

Affected Configuration:

  • Remote Access VPN or Mobile Access is enabled
  • IKEv1 is enabled for remote access
  • The gateway accepts affected legacy Remote Access client behavior

Affected Security Gateways:

  • R82.10 Jumbo Hotfix Take 19 or below
  • R82 Jumbo Hotfix Take 103 or below
  • R81.20 Jumbo Hotfix Take 141 or below
  • R81.10, R81, and R80.40 (end of support)

Affected Spark Firewalls:

  • R82.00.X
  • R81.10.X
  • R80.20.X (end of support)

Required Action: Install the sk185033 hotfix or apply the documented configuration mitigation; discontinue unsupported products when mitigation is unavailable.

Evidence Assessment

  • confirmed: Check Point observed active exploitation against a few dozen organizations and sets the earliest forensic review date to May 7, 2026 [blog.checkpoint.com opens in a new tab].
  • confirmed: The flaw permits a VPN session without a valid user password, but additional post-authentication activity is required to reach internal resources or escalate privileges [blog.checkpoint.com opens in a new tab].
  • confirmed: Check Point associated one post-compromise case with a Qilin ransomware affiliate and assesses the financially motivated actor profile with medium confidence [blog.checkpoint.com opens in a new tab].
  • confirmed: CISA added the CVE to KEV with a June 11 remediation deadline [Sources 3 and 4].
  • unclear: Public sources do not identify every victim, successful session, downstream payload, or malicious file related to this campaign.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseA successful or anomalous Remote Access/Mobile Access session overlaps an actor IP, unauthorized certificate identity, impossible travel, new internal access, or post-VPN execution.Check Point VPN logs, identity records, DHCP/tunnel assignments, firewall flows, EDR, authentication logs, and the vendor IOC search.Terminate sessions, isolate affected paths, preserve logs, reset affected identities, and investigate all activity after tunnel establishment.
Presumed exposedAn affected gateway accepted IKEv1 Remote Access during the May 7 onward review window and complete VPN logs are unavailable.Gateway version/take, enabled blades, IKE policy, legacy-client setting, and log-retention gap.Patch or mitigate immediately and conservatively review credentials and internal access reachable through VPN.
Potentially exposedCheck Point gateways exist but version, hotfix take, or IKEv1 configuration is unknown.CMDB, show version all, installed hotfix output, SmartConsole policy, and Spark firmware inventory.Resolve inventory and configuration before closing exposure.
Not exposedThe gateway is not in an affected branch, has the vendor hotfix, or did not permit the affected IKEv1 Remote Access configuration throughout the review window.Version/hotfix evidence plus exported configuration and policy-install records.Preserve the evidence and continue monitoring for the published infrastructure.
UnknownRequired gateway, VPN, identity, network, or endpoint telemetry is unavailable.Named telemetry gap, owner, retention period, and recovery status.Keep the asset in scope and apply the hotfix or mitigation regardless of detection results.

Timeline

Technical Analysis

The flaw is a logic-flow weakness in certificate validation during deprecated IKEv1 key exchange. Under affected Remote Access VPN or Mobile Access configurations, the gateway can accept an unauthenticated peer and establish a VPN session without a valid password [Sources 1, 2, and 4].

The bypass provides network access, not automatic control of internal systems. Hunt for what happened after each suspicious tunnel was established: assigned tunnel IP, destination hosts, identity use, administrative protocols, endpoint execution, credential access, and ransomware staging [blog.checkpoint.com opens in a new tab].

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Hashes

  • 52fda5c1b9704544f32ee98d9060e689
  • 51d39aa39478beeac94f2d12f682ecce

Ips

  • 45[.]77[.]149[.]152
  • 209[.]182[.]225[.]136
  • 38[.]60[.]157[.]139
  • 162[.]33[.]177[.]101
  • 45[.]76[.]26[.]42
  • 144[.]208[.]127[.]155
  • 38[.]54[.]88[.]201
  • 38[.]54[.]107[.]167
  • 66[.]42[.]99[.]200
  • 45[.]63[.]104[.]106
  • 45[.]61[.]136[.]173
  • 146[.]71[.]81[.]184

Remediation and Closure

  1. Install the exact security update listed for the appliance and branch in sk185033.
  2. If patching is delayed, apply the vendor's documented Remote Access mitigation, such as disabling affected legacy-client support or enforcing IKEv2-only behavior where operationally supported.
  3. Terminate active sessions and reinstall policy after configuration changes.
  4. Review logs from May 7, 2026 onward for the published IPs and unauthorized VPN identities.
  5. For successful suspicious sessions, investigate internal access and rotate credentials used from or reachable through the session.
  6. Migrate end-of-support R80.20.X, R80.40, R81, and R81.10 deployments to supported releases.

Closure requires hotfix/configuration evidence, a successful negative validation that affected IKEv1 behavior is blocked, disposition of every IOC or anomalous-session hit, and review of downstream activity for any unauthorized tunnel.

Sources

  1. Check Point Research: Active Exploitation of Check Point VPN Authentication Bypass opens in a new tab - Role: PRIMARY_RESEARCH - Impact: Exploitation scope, earliest date, actor assessment, campaign IOCs, technical impact, and updates through June 10.
  2. Check Point Support: sk185033 opens in a new tab - Role: DIRECT_SOURCE - Impact: Affected configurations, product branches, hotfix packages, and alternative mitigations.
  3. CISA: CVE-2026-50751 KEV entry opens in a new tab - Role: GOVERNMENT_SOURCE - Impact: Active-exploitation status, required action, and June 11 deadline.
  4. NIST NVD: CVE-2026-50751 opens in a new tab - Role: ENRICHMENT_DATA - Impact: Vendor description, CVSS vector, CWE, affected CPEs, and KEV metadata.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 8, 2026First seenFirst seen recorded for Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass.nvd.nist.gov
Jun 8, 2026DiscoveryDiscovery recorded for Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass.nvd.nist.gov
Jun 8, 2026DisclosureDisclosure recorded for Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass.nvd.nist.gov
Jun 8, 2026Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication BypassUnknownnvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

14 IOCs
ip45.77.149.152
ip209.182.225.136
ip38.60.157.139
ip162.33.177.101
ip45.76.26.42
ip144.208.127.155
ip38.54.88.201
ip38.54.107.167
ip66.42.99.200
ip45.63.104.106
ip45.61.136.173
ip146.71.81.184
hash51d39aa39478beeac94f2d12f682ecce
hash52fda5c1b9704544f32ee98d9060e689

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-checkpoint-cve-2026-50751-kev-scope"))

IPS = ["45.77.149.152","209.182.225.136","38.60.157.139","162.33.177.101","45.76.26.42","144.208.127.155","38.54.88.201","38.54.107.167","66.42.99.200","45.63.104.106","45.61.136.173","146.71.81.184"]
HASHES = ["52fda5c1b9704544f32ee98d9060e689","51d39aa39478beeac94f2d12f682ecce"]

# Collect unique indicators
indicators = set()
for group in [IPS, HASHES]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.
cisa.govSecurity Researcher95%1Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.
support.checkpoint.comSecurity Researcher95%1Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.
blog.checkpoint.comSecurity Researcher95%1Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.
Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass — Halting Problems