Security Breach: Exploiting Critical Flaw in Check Point VPN to Bypass Passwords in IKEv1 Setups

Check Point has raised a red flag regarding the active exploitation of a critical vulnerability affecting Remote Access VPN and Mobile Access deployments that utilize the outdated IKEv1 key exchange protocol.

The vulnerability, tracked as CVE-2026-50751 (CVSS score 9.3), is a flaw in certificate validation logic that lets an unauthenticated remote attacker establish a VPN session without a valid user password.

According to Check Point, “By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements. Additional post-authentication activity is required to access internal resources or escalate privileges.”

The impacted products and versions include:

  • Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS)
  • Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X

The vulnerability is exploitable only when all of the following conditions hold:

  • VPN Remote Access or Mobile Access is enabled
  • IKEv1 is enabled for remote access
  • Gateways accept legacy Remote Access clients
  • Gateways do not demand a machine certificate for connections
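As an added triage helper (not Check Point's code or tooling), the following Python checks an inventory record against the affected Security Gateway trains listed above and the four preconditions; the version-string format and the GatewayConfig fields are assumptions about how an administrator records gateway state, and the Spark firewall trains are not covered.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected Security Gateway trains from the advisory, mapped to the highest
# Jumbo Hotfix Take still affected. None marks an EOS train with no fixed Take.
AFFECTED_GATEWAY_TRAINS = {
    "R82.10": 19, "R82": 103, "R81.20": 141,
    "R81.10": None, "R81": None, "R80.40": None,
}
# Assumed inventory format, e.g. "R82 Jumbo Hotfix Take 103" or "R81.10".
_VERSION_RE = re.compile(r"^(R\d+(?:\.\d+)?)(?:\s+Jumbo Hotfix Take\s+(\d+))?$")

@dataclass
class GatewayConfig:
    version: str                 # release string as recorded in inventory
    remote_access: bool          # Remote Access VPN or Mobile Access enabled
    ikev1: bool                  # IKEv1 enabled for remote access
    legacy_clients: bool         # legacy Remote Access clients accepted
    machine_cert_required: bool  # gateway demands a machine certificate

def version_is_affected(version: str) -> Optional[bool]:
    """True/False for a listed train; None when the train is not in the table."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    train, take = m.group(1), m.group(2)
    if train not in AFFECTED_GATEWAY_TRAINS:
        return None
    max_take = AFFECTED_GATEWAY_TRAINS[train]
    if max_take is None:
        return True
    # A bare release with no Take recorded sits below every fixed Take.
    return int(take or 0) <= max_take

def exploitable_config(cfg: GatewayConfig) -> bool:
    """All four preconditions from the advisory must hold at the same time."""
    return (cfg.remote_access and cfg.ikev1
            and cfg.legacy_clients and not cfg.machine_cert_required)

def triage(cfg: GatewayConfig) -> str:
    affected = version_is_affected(cfg.version)
    if affected is None:
        return "unknown-train"
    if not affected:
        return "not-affected"
    return "exposed" if exploitable_config(cfg) else "affected-not-exposed"
```

A gateway reported as unknown-train should be checked against the advisory by hand rather than assumed safe.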

Check Point said it first detected suspicious activity on June 4, 2026, and that exploitation attempts have increased this month, although the earliest observed exploitation dates back to May 7, 2026.

The exploitation activity has been limited to a few targeted organizations globally, with one case involving a Qilin ransomware affiliate in the post-exploitation phase.

According to Check Point, “We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto [Networks], Fortinet, and F5. We identified indicators suggesting the actor may use the Tox protocol for communication, a pattern commonly associated with financially motivated ransomware actors.”

The attackers have been utilizing a virtual private server (VPS) infrastructure to carry out the attacks, targeting organizations within specific countries using geolocated VPS servers. Once access is gained, the attackers attempt to download malicious ELF files from their controlled infrastructure.

Some elements of these attacks align with a recent report from Ctrl-Alt-Intel, which highlighted the abuse of corporate VPN appliances by ransomware groups for initial access.

Check Point Research stated, “To the best of our knowledge to date, there is no indication the vulnerability was broadly available to other threat actors. The activity is clearly opportunistic and targets vulnerable organizations rather than characterized one.”

Further investigation into the affected VPN components revealed a second vulnerability, CVE-2026-50752 (CVSS score 7.40), which could enable an adversary-in-the-middle (AitM) attack on VPN site-to-site connections. There is no evidence of real-world exploitation of this flaw.

(The article has been updated post-publication to include a response from Check Point Research.)