Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups
The Hacker NewsArchived Jun 08, 2026✓ Full text saved
Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol. The vulnerability, tracked as CVE-2026-50751 (CVSS score: 9.3), is a case of a logic flow weakness in certificate validation that allows an unauthenticated remote attacker to bypass user
Full text archived locally
✦ AI Summary· Claude Sonnet
Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups
Ravie LakshmananJun 08, 2026Vulnerability / Network Security
Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol.
The vulnerability, tracked as CVE-2026-50751 (CVSS score: 9.3), is a case of a logic flow weakness in certificate validation that allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
"By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements," Check Point said. "Additional post-authentication activity is required to access internal resources or escalate privileges."
The shortcoming impacts the following products and versions -
Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS)
Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X
Successful exploitation requires the following conditions to be met -
VPN Remote Access or Mobile Access is enabled
IKEv1 is enabled for remote access
Gateways accept legacy Remote Access clients
Gateways do not demand a machine certificate for connections
The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026. Exploitation efforts are said to have ramped up starting this month.
The exploitation activity, Check Point added, has been limited to a "few dozen targeted organizations globally." In one case, the post-exploitation phase has been associated with a Qilin ransomware affiliate.
"We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto [Networks], Fortinet, and F5," it noted. "We identified indicators suggesting the actor may use the Tox protocol for communication, a pattern commonly associated with financially motivated ransomware actors."
A key aspect is the use of a virtual private server (VPS) infrastructure to conduct the attacks. Specifically, this involves relying on VPS servers geolocated to a particular country to target organizations within its borders. Once access was established, the attackers were found attempting to download malicious ELF files from actor-controlled infrastructure.
Some aspects of these efforts overlap with a report from Ctrl-Alt-Intel last month, which highlighted the ransomware crew's abuse of corporate VPN appliances for initial access.
Further review of the affected VPN components has uncovered a second vulnerability, CVE-2026-50752 (CVSS score: 7.40), which may allow an adversary-in-the-middle (AitM) attack on VPN site-to-site connections. There is no evidence the flaw has been exploited in real-world attacks.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Authentication bypass, Check Point, cybersecurity, network security, Qilin, ransomware, VPN, Vulnerability
⚡ Top Stories This Week
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Load More ▼
⭐ Featured Resources
[Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)
Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
Learn How to Stop Attacks Before They Reach Your EDR – With PHASR
Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report