Check Point IKEv1 Remote Access VPN Authentication Bypass
CVE-2026-50751 is a critical improper authentication vulnerability in Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments that use the deprecated IKEv1 key exchange path. The flaw is described as a logic flow weakness in Remote Access and Mobile Access certificate validation during the IKEv1 handshake. Public technical reporting indicates an attacker can manipulate authentication state during IKEv1 negotiation and cause the gateway to accept the session as authenticated without successfully validating a legitimate user password; reporting also states exploitation can succeed without a valid certificate or corresponding private key in affected certificate-based or mixed authentication modes. The issue affects legacy remote-access configurations rather than all Check Point VPN deployments.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
Repository contains a single substantive Python exploit/detection artifact generator plus a README. The Python script is a standalone operational exploit for CVE-2026-50751 affecting Check Point Remote Access VPN / Mobile Access when legacy IKEv1 Remote Access is enabled. Its core capability is to authenticate as a known provisioned Remote Access username without possessing a valid client certificate, private key, or password.
The exploit implements substantial protocol logic itself rather than relying on an external framework: socket transport, IKEv1/ISAKMP message construction, Diffie-Hellman group 2 exchange, RFC 2409 key derivation, HMAC-SHA1 PRF, AES-CBC encryption/decryption, and X.509 certificate generation using Python cryptography. Based on the comments and CLI, it forges a self-signed certificate whose subject DN matches the target user and abuses the vulnerable gateway behavior where attacker-controlled VPNExtFeatures flags cause peer-auth/signature verification to be skipped. Success is determined by whether phase 1 is granted and the gateway treats the session as authenticated for that user.
Repository structure is minimal: README.md documents the vulnerability, prerequisites, usage, and expected output; watchTowr-vs-Check-Point-CVE-2026-50751.py is the main and only code file. The script accepts a remote host, remote port, username to impersonate, optional organization and OU values for the forged DN, timeout/retry settings, and a TCPT mode for Visitor Mode over raw TCP 443. It can target standard IKE over UDP 500 or 4500, or Check Point Visitor Mode over TCP 443.
This is not merely a detector in the narrow sense: although branded as a detection artifact generator, it actively performs the authentication bypass against the target and confirms exploitation when the gateway authenticates the supplied username. No post-auth remote code execution payload is included; the exploit’s result is unauthorized VPN authentication / identity impersonation at the IKEv1 phase-1 level.
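Because the flaw sits in the IKEv1 path on UDP 500 and 4500, a defender can check whether anything still opens IKEv1 negotiations toward a gateway by reading the ISAKMP header of each UDP payload. The following is an added example, not code from this page or from the repository it describes; the packet tuples, addresses and function names are constructed for illustration, and Visitor Mode over TCP 443 is not covered.

```python
import struct

# ISAKMP fixed header, RFC 2408 section 3.1: 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IKEV1_EXCHANGES = {2: "main-mode", 4: "aggressive-mode", 5: "informational"}

def classify_ike(payload: bytes, dst_port: int):
    """Describe one UDP payload as an IKE message, or return None if it is not IKE."""
    if dst_port == 4500:
        # RFC 3948: IKE on UDP 4500 starts with a 4-byte zero non-ESP marker;
        # everything else on that port is ESP or a NAT keepalive.
        if payload[:4] != bytes(4):
            return None
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return None
    _ic, rcookie, _np, version, xchg, _fl, _mid, length = ISAKMP_HDR.unpack_from(payload)
    major = version >> 4
    if major not in (1, 2) or length < ISAKMP_HDR.size:
        return None
    name = IKEV1_EXCHANGES.get(xchg, str(xchg)) if major == 1 else str(xchg)
    # An all-zero responder cookie marks the first message of a new negotiation.
    return {"ike_major": major, "exchange": name, "initial": rcookie == bytes(8)}

def ikev1_initiations(packets, gateways):
    """Return (src, dst, exchange) for each new IKEv1 negotiation sent to a gateway."""
    hits = []
    for src, dst, dport, payload in packets:
        info = classify_ike(payload, dport) if dst in gateways else None
        if info and info["ike_major"] == 1 and info["initial"]:
            hits.append((src, dst, info["exchange"]))
    return hits

def _hdr(version, xchg, rcookie=bytes(8)):
    # Constructed header-only message: no payloads, so the length field is 28.
    return ISAKMP_HDR.pack(b"\x11" * 8, rcookie, 1, version, xchg, 0, 0, 28)

# Constructed sample traffic (documentation addresses), not captured data.
SAMPLE = [
    ("198.51.100.7", "203.0.113.10", 500, _hdr(0x10, 2)),              # IKEv1 main mode
    ("198.51.100.8", "203.0.113.10", 4500, bytes(4) + _hdr(0x10, 4)),  # IKEv1 over NAT-T
    ("198.51.100.9", "203.0.113.10", 500, _hdr(0x20, 34)),             # IKEv2 IKE_SA_INIT
    ("198.51.100.9", "203.0.113.10", 4500, b"\xde\xad\xbe\xef" + bytes(40)),  # ESP
    ("198.51.100.7", "203.0.113.10", 500, _hdr(0x10, 2, b"\x22" * 8)),  # later message
]

if __name__ == "__main__":
    for hit in ikev1_initiations(SAMPLE, {"203.0.113.10"}):
        print("IKEv1 negotiation:", *hit)
```

A hit shows only that a peer is negotiating IKEv1 with the gateway, not that the bypass was attempted; it identifies the legacy clients and sources to review before IKEv1 is disabled.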
Recent activity
230 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An authentication bypass logic flaw in Check Point IKEv1 certificate validation affecting Remote Access VPN, Mobile Access, and Spark firewalls, allowing unauthenticated remote attackers to establish VPN sessions without valid credentials under certain legacy configurations.
An authentication bypass vulnerability affecting Check Point Remote Access VPN IKEv1.
A vulnerability identified as CVE-2026-50751 affecting Check Point IKEv1 Remote-Access VPN, apparently related to certificate authentication based on the truncated title provided.
An authentication bypass vulnerability in Check Point Remote Access VPN and Mobile Access that allows remote unauthenticated attackers to log in as a provisioned Remote Access user by manipulating authentication flags during IKEv1 negotiation.