Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware
Cybersecurity NewsArchived Jun 08, 2026✓ Full text saved
Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, with confirmed post-compromise activity linked to the Qilin ransomware gang. CVE-2026-50751 targets deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate […] The post Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomw
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware
By Guru Baran
June 8, 2026
Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, with confirmed post-compromise activity linked to the Qilin ransomware gang.
CVE-2026-50751 targets deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an unauthenticated remote attacker can establish a VPN session without a valid user password, effectively bypassing all authentication requirements.
The flaw affects Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products across versions R80.20.X through R82.10. While initial access is gained through the bypass, additional post-authentication steps are required to access internal resources or escalate privileges.
Check Point Research launched its investigation on June 4, 2026, following indications of suspicious activity, tracing exploitation attempts back to May 7, 2026.
Exploitation attempts escalated sharply in early June 2026, targeting a few dozen organizations globally. Incident response teams should prioritize forensic log audits and configuration reviews beginning from the earliest observed exploitation date.
The threat actor is assessed with medium confidence to be financially motivated, leveraging Qilin Linux ransomware binaries and attempting to download malicious ELF files from actor-controlled infrastructure.
The actor likely uses the Tox protocol for command-and-control communication, a pattern commonly associated with ransomware operators, and is believed to be simultaneously exploiting VPN vulnerabilities disclosed by Palo Alto, Fortinet, and F5.
Attacker infrastructure was hosted across Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with VPS geolocation correlated to victim geography in several cases.
Second Vulnerability – CVE-2026-50752
During the CVE-2026-50751 investigation, Check Point’s agentic AI code security platform BLAST identified a related flaw: CVE-2026-50752 (CVSS 7.4).
This vulnerability impacts certificate validation in the deprecated IKEv1 key exchange and can enable man-in-the-middle (MitM) interference on site-to-site VPN communications under specific conditions. While not yet observed in active exploitation, customers are urged to apply updates proactively.
CVE Description CVSS Affected Products In the Wild
CVE-2026-50751 Auth bypass via IKEv1 certificate validation flaw 9.3 Mobile Access/SSL VPN, Remote Access VPN, Spark Firewall YES
CVE-2026-50752 MitM condition in IKEv1 certificate validation 7.4 Security Gateways, Spark Firewall NO
Indicators of Compromise (IOCs)
Malicious IPs:
45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139, 162.33.177[.]101, 45.76.26[.]42
144.208.127[.]155, 38.54.88[.]201, 38.54.107[.]167, 66.42.99[.]200
File Hashes (MD5):
52fda5c1b9704544f32ee98d9060e689
51d39aa39478beeac94f2d12f682ecce
Mitigations
Check Point strongly urges all customers on affected versions to immediately apply the released hotfix for their Security Gateways. Organizations unable to patch instantly should take the following interim steps:
Remove support for legacy remote access clients.
Configure Remote Access VPN Authentication to IKEv2 only.
Set Machine Certificate Authentication as mandatory.
Enable IPS and download the latest signatures.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Bots Surpass Humans in Global Web Traffic for the First Time in Internet History
OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects
Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code
Russia Says Foreign Spyware Found on High-Ranking Officials’ Mobile Phones
New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation
Latest News
Cyber Security News
New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords
Cyber Security News
Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader
Cyber Security News
UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data
Cyber Security News
New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access
Cyber Security
WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware