Check Point disclosed active exploitation of CVE-2026-50751, a critical authentication bypass in Check Point VPN Remote Access, Mobile Access, and Spark firewalls under specific configurations. The flaw, rated CVSS 9.3, affects systems using the deprecated IKEv1 key exchange path and allows a remote, unauthenticated attacker to establish a VPN session without a valid password. Check Point said suspicious activity was detected on June 4, with the earliest known attacks dating to early May and a rise in activity across multiple jurisdictions in early June; customers were urged to review logs back to May 7 and investigate indicators of compromise.
The company linked at least one confirmed post-compromise intrusion to a Qilin ransomware affiliate, describing a financially motivated attack that used VPS infrastructure and likely relied on Rclone for data exfiltration, with possible use of the Tox protocol for communications. Reporting also noted attempts to retrieve malicious ELF payloads from attacker-controlled infrastructure and warned that related infrastructure may also be probing VPN flaws in products from Palo Alto, Fortinet, and F5. Check Point released hotfixes for CVE-2026-50751 and for CVE-2026-50752, a separate flaw that could enable man-in-the-middle attacks on site-to-site tunnels but had not been observed as weaponized; the vendor advised organizations to apply fixes or disable IKEv1 where possible.

12 events from the most recent confirmed update back to the earliest known activity.
WatchTowr researchers published a technical analysis of CVE-2026-50751 along with proof-of-concept and detection tooling, detailing how the flaw can be exploited via manipulated IKEv1 authentication flags and a custom Vendor ID payload. The publication followed Check Point's earlier confirmation of active exploitation and patch release.
CISA directed Federal Civilian Executive Branch agencies to secure affected Check Point Remote Access VPN and Mobile Access deployments against CVE-2026-50751 under Binding Operational Directive 22-01. The order set a remediation deadline of 2026-06-11 following the flaw's addition to the Known Exploited Vulnerabilities catalog.
CISA updated its Known Exploited Vulnerabilities catalog to include CVE-2026-50751, the Check Point Remote Access VPN and Mobile Access authentication bypass flaw, citing active exploitation. The same update also added CVE-2026-42271 in BerriAI LiteLLM and reinforced guidance to apply vendor fixes or mitigations.
Rapid7 published indicators tied to the exploitation campaign, including IP addresses and attacker infrastructure associated with VPS providers. The guidance accompanied recommendations for forensic log audits and configuration reviews covering activity dating back to May 7, 2026.
A second vulnerability, CVE-2026-50752, was reported alongside the main disclosure. It was described as enabling man-in-the-middle attacks on site-to-site tunnels, though it had not been weaponized.
Check Point disclosed that CVE-2026-50751 was being actively exploited in the wild and urged customers to review logs, check indicators of compromise, and upgrade or disable IKEv1 where applicable. Reporting also said hotfixes had been released as the primary mitigation.
Check Point reported one confirmed post-compromise case linked to a Qilin ransomware affiliate. In that intrusion, the attacker reportedly used VPS infrastructure, possibly Tox for communications, likely Rclone for exfiltration, and attempted to download malicious ELF payloads from attacker-controlled infrastructure.
Both reports state that attack activity exploiting the Check Point VPN flaw increased in early June across multiple jurisdictions. Check Point observed only a few dozen targeted organizations globally at that stage.
Check Point said the earliest known attacks exploiting CVE-2026-50751 date back to early May 2026. The vulnerability allows unauthenticated attackers to establish VPN connections without a valid user password when IKEv1 is enabled under specific configurations.
Check Point said it first noticed suspicious activity related to exploitation of CVE-2026-50751 on June 4, 2026. The company later assessed that exploitation had increased in early June.
Reporting on the active exploitation noted that defenders should review Check Point logs going back to May 7, 2026, indicating potentially relevant malicious activity from at least that date. The same reporting linked the intrusions to overlap with Qilin ransomware activity.
A cited reference notes that mnemonic.io observed exploitation of the earlier Check Point flaw CVE-2024-24919 dating back to at least April 30, 2024. That flaw affects Security Gateway devices with certain remote access blades enabled and allows unauthenticated attackers to read arbitrary files.