CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 08, 2026

Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware

Cybersecurity News Archived Jun 08, 2026 ✓ Full text saved

Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, with confirmed post-compromise activity linked to the Qilin ransomware gang. CVE-2026-50751 targets deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate […] The post Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomw

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware By Guru Baran June 8, 2026 Check Point Research has uncovered active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, with confirmed post-compromise activity linked to the Qilin ransomware gang. CVE-2026-50751 targets deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an unauthenticated remote attacker can establish a VPN session without a valid user password, effectively bypassing all authentication requirements. The flaw affects Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products across versions R80.20.X through R82.10. While initial access is gained through the bypass, additional post-authentication steps are required to access internal resources or escalate privileges. Check Point Research launched its investigation on June 4, 2026, following indications of suspicious activity, tracing exploitation attempts back to May 7, 2026. Exploitation attempts escalated sharply in early June 2026, targeting a few dozen organizations globally. Incident response teams should prioritize forensic log audits and configuration reviews beginning from the earliest observed exploitation date. The threat actor is assessed with medium confidence to be financially motivated, leveraging Qilin Linux ransomware binaries and attempting to download malicious ELF files from actor-controlled infrastructure. The actor likely uses the Tox protocol for command-and-control communication, a pattern commonly associated with ransomware operators, and is believed to be simultaneously exploiting VPN vulnerabilities disclosed by Palo Alto, Fortinet, and F5. Attacker infrastructure was hosted across Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with VPS geolocation correlated to victim geography in several cases. Second Vulnerability – CVE-2026-50752 During the CVE-2026-50751 investigation, Check Point’s agentic AI code security platform BLAST identified a related flaw: CVE-2026-50752 (CVSS 7.4). This vulnerability impacts certificate validation in the deprecated IKEv1 key exchange and can enable man-in-the-middle (MitM) interference on site-to-site VPN communications under specific conditions. While not yet observed in active exploitation, customers are urged to apply updates proactively. CVE Description CVSS Affected Products In the Wild CVE-2026-50751 Auth bypass via IKEv1 certificate validation flaw 9.3 Mobile Access/SSL VPN, Remote Access VPN, Spark Firewall YES CVE-2026-50752 MitM condition in IKEv1 certificate validation 7.4 Security Gateways, Spark Firewall NO Indicators of Compromise (IOCs) Malicious IPs: 45.77.149[.]152, 209.182.225[.]136, 38.60.157[.]139, 162.33.177[.]101, 45.76.26[.]42 144.208.127[.]155, 38.54.88[.]201, 38.54.107[.]167, 66.42.99[.]200 File Hashes (MD5): 52fda5c1b9704544f32ee98d9060e689 51d39aa39478beeac94f2d12f682ecce Mitigations Check Point strongly urges all customers on affected versions to immediately apply the released hotfix for their Security Gateways. Organizations unable to patch instantly should take the following interim steps: Remove support for legacy remote access clients. Configure Remote Access VPN Authentication to IKEv2 only. Set Machine Certificate Authentication as mandatory. Enable IPS and download the latest signatures. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Bots Surpass Humans in Global Web Traffic for the First Time in Internet History OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code Russia Says Foreign Spyware Found on High-Ranking Officials’ Mobile Phones New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation Latest News Cyber Security News New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords Cyber Security News Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader Cyber Security News UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data Cyber Security News New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access Cyber Security WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 08, 2026
    Archived
    Jun 08, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗