Authentication Bypass in Check Point Remote Access VPN and Mobile Access IKEv1 Certificate Validation

Identifiers: CVE-2026-50751, CWE-287 (Improper Authentication)

CVE-2026-50751 is a critical authentication bypass vulnerability in Check Point Remote Access VPN and Mobile Access deployments, including affected Spark Firewall and Security Gateway versions, when configured to use the deprecated IKEv1 key exchange protocol. The flaw is described as a logic flow weakness in Remote Access and Mobile Access certificate validation. Under vulnerable configurations, an unauthenticated remote attacker can abuse the defective certificate-validation/authentication flow during IKEv1-based remote access negotiation to establish a remote access VPN session without supplying a valid user password. Reported affected versions include Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, end-of-support R81.10/R81/R80.40, and Spark Firewall branches R80.20.X, R81.10.X, and R82.00.X.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to bypass user authentication and create an unauthorized remote access VPN connection. This provides initial foothold and remote network presence through the VPN service. Check Point indicated that exploitation does not by itself guarantee unrestricted internal access or privilege escalation; additional post-authentication actions may still be required to reach internal resources, move laterally, escalate privileges, deploy payloads, or conduct follow-on activity. The vulnerability has been reported as actively exploited in the wild, including activity associated in at least one case with a Qilin ransomware affiliate.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, implement vendor-recommended compensating controls: disable support for legacy Remote Access clients by clearing 'Allow older clients to connect to this gateway' in SmartConsole and installing policy; restrict Remote Access VPN authentication to IKEv2 only; require Machine Certificate Authentication on the Security Gateway; and enable IPS protections/signatures. Additionally, hunt for indicators of compromise and suspicious VPN/IKE activity, including known attacker IPs, across the period beginning at least 2026-05-07.

Remediation

Patch, then assume compromise.

Apply Check Point security updates/hotfixes for all affected supported products immediately. Based on the provided advisory data, supported Security Gateways should be upgraded beyond R82.10 Jumbo Hotfix Take 19, R82 Jumbo Hotfix Take 103, and R81.20 Jumbo Hotfix Take 141. Spark Firewalls should install the vendor-provided fixed builds, including R82.00.10 Build 998002216 and R81.10.17 Build 996004901, as applicable. End-of-support versions such as R81.10, R81, and R80.40 should be upgraded to supported fixed releases. Review vendor guidance and audit logs for suspicious VPN/IKE activity dating back at least to 2026-05-07.
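
The version thresholds and the IKEv1 precondition described above can be applied to a gateway inventory. The following is an added example, not vendor or Mallory code. The CSV layout, host names and status labels are assumptions made for illustration, and Spark builds are only flagged for manual comparison against the vendor's fixed builds.

```python
import csv
import io

# Highest affected Jumbo Hotfix Take per Security Gateway branch (from the advisory text).
MAX_AFFECTED_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
END_OF_SUPPORT = {"R81.10", "R81", "R80.40"}        # upgrade to a supported fixed release
SPARK_PREFIXES = ("R80.20.", "R81.10.", "R82.00.")  # Spark Firewall branches R80.20.X etc.


def classify(version, take, ikev1_allowed):
    """Return (status, urgent) for one gateway.

    ikev1_allowed: True if legacy IKEv1 Remote Access clients may connect,
    the configuration in which the bypass is reachable.
    """
    version = version.strip().upper()
    if version.startswith(SPARK_PREFIXES):
        status = "verify-spark-build"   # compare installed build with the vendor's fixed build
    elif version in END_OF_SUPPORT:
        status = "upgrade-end-of-support"
    elif version in MAX_AFFECTED_TAKE:
        # Fail closed: an unknown take is treated as affected.
        affected = take is None or take <= MAX_AFFECTED_TAKE[version]
        status = "patch" if affected else "fixed"
    else:
        return ("unknown-version", False)
    return (status, status != "fixed" and ikev1_allowed)


def triage(inventory_csv):
    """Parse name,version,take,ikev1 rows; list urgent gateways first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        take = int(row["take"]) if row["take"].strip() else None
        ikev1 = row["ikev1"].strip().lower() == "yes"
        status, urgent = classify(row["version"], take, ikev1)
        rows.append((row["name"], status, urgent))
    return sorted(rows, key=lambda r: (not r[2], r[0]))


# Constructed inventory; host names and the column layout are illustrative.
SAMPLE = """name,version,take,ikev1
gw-dc1,R81.20,141,yes
gw-dc2,R81.20,142,yes
gw-branch,R82,90,no
gw-old,R80.40,,yes
spark-shop,R81.10.17,,yes
"""

if __name__ == "__main__":
    for name, status, urgent in triage(SAMPLE):
        print(f"{name:12} {status:24} {'IKEv1 ON: ACT FIRST' if urgent else ''}")
```

A gateway marked `patch` with IKEv1 off still needs the hotfix; the flag only orders the work.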
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.