CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Jun 10, 2026

Check Point VPN Zero-Day Under Active Exploitation by Ransomware Operators - gbhackers.com

gbhackers.com Archived Jun 10, 2026 ✓ Full text saved

Check Point VPN Zero-Day Under Active Exploitation by Ransomware Operators gbhackers.com

Full text archived locally
✦ AI Summary · Claude Sonnet


    gbhackers. gbhackers. Home Threats Cyber Attack Data Breach Vulnerability What is DFIR Top 10 Follow us On Linkedin CVE/vulnerabilityCyber Security NewsZero-Day 2 min.Read Check Point VPN Zero-Day Under Active Exploitation by Ransomware Operators By Divya June 9, 2026 Share Facebook Twitter Pinterest WhatsApp Check Point has disclosed active in-the-wild exploitation of a critical authentication bypass vulnerability, tracked as CVE-2026-50751, impacting Remote Access VPN and Mobile Access deployments configured with the deprecated IKEv1 key exchange protocol. The flaw, assigned a CVSS score of 9.3, allows unauthenticated attackers to establish VPN sessions without valid credentials by exploiting a logic flaw in certificate validation. While initial access does not automatically grant full network control, it enables threat actors to pivot into post-authentication activity, including lateral movement and privilege escalation. Check Point VPN Zero-Day According to Check Point Research, exploitation has been observed since at least May 7, 2026, with a noticeable spike in activity in early June. The campaign appears highly targeted, affecting dozens of organizations globally. In at least one confirmed incident, post-compromise activity was linked to a Qilin ransomware affiliate, suggesting financially motivated threat actors are leveraging the vulnerability as an initial access vector. Researchers assess with medium confidence that the operators are aligned with ransomware-driven campaigns and may be reusing infrastructure and techniques seen in attacks targeting VPN products from other vendors such as Fortinet, Palo Alto Networks, and F5. Technically, CVE-2026-50751 stems from improper certificate validation logic within IKEv1-based VPN authentication flows. Attackers can exploit this weakness to bypass password verification entirely and establish a remote VPN session. This significantly reduces the barrier to entry for attackers, particularly in environments where IKEv1 remains enabled for legacy compatibility. Check Point has emphasized that the vulnerability only affects configurations using IKEv1, which has long been deprecated due to inherent security weaknesses. During the investigation, Check Point also identified a secondary vulnerability, CVE-2026-50752 (CVSS 7.4), affecting certificate validation in site-to-site VPN connections using IKEv1. This flaw could allow man-in-the-middle (MitM) attacks under specific conditions. While no active exploitation of CVE-2026-50752 has been observed, its discovery highlights systemic risks associated with legacy cryptographic protocols and reinforces the need for proactive patching. Threat intelligence indicates that attackers are leveraging VPS infrastructure hosted by providers such as Kaupo Cloud HK, Shock Hosting, and Vultr. Notably, some attack infrastructure appears geographically aligned with targeted victims, suggesting operational awareness and potential geo-targeting. Additionally, the Tox protocol has been observed for command-and-control communications, a technique commonly used by ransomware groups to evade detection. Post-exploitation activity includes attempts to deploy Qilin ransomware payloads, particularly Linux ELF binaries retrieved from attacker-controlled servers. Organizations are strongly advised to apply the latest security updates from Check Point immediately and to turn off IKEv1 wherever possible. Incident response teams should conduct forensic analysis of VPN logs dating back to early May 2026 to identify suspicious authentication events and unauthorized access. Indicators of Compromise (IOCs) Type Indicator IP Address 45.77.149[.]152 IP Address 209.182.225[.]136 IP Address 38.60.157[.]139 IP Address 162.33.177[.]101 IP Address 45.76.26[.]42 IP Address 144.208.127[.]155 IP Address 38.54.88[.]201 IP Address 38.54.107[.]167 IP Address 66.42.99[.]200 MD5 Hash 52fda5c1b9704544f32ee98d9060e689 MD5 Hash 51d39aa39478beeac94f2d12f682ecce Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google. TagsCYBER SECURITYCYBER SECURITY NEWSVULNERABILITY Divya Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world. Hot this week Infosec- Resources How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities SOC Architecture How to Build and Run a Security Operations Center (SOC Guide) – 2023 Cyber Security News Russian Hackers Bypass EDR to Deliver a Weaponized TeamViewer Component Checklist Web Server Penetration Testing Checklist – 2026 Infosec- Resources ATM Penetration Testing – Advanced Testing Methods to Find The Vulnerabilities Topics AcquisitionAdobeAdwareAIAmazonAmazon AWSAMDAndroidAnti VirusAntimalwareANY RUNApacheAPIAppleAPTArtificial IntelligenceAvastAWSAzureBackdoorBitcoinBluetoothBotnetBrowserBuffer over flowBug BountyBusinessChatbotsChatGPTChecklistChromeCiscoCISOCISO AdvisoryCloudCloud SecurityCloudflareComputer SecurityCourseCPUCross site ScriptingcryptocurrencyCryptocurrency hackCVE/vulnerabilityCyber AdvisoryCyber AICyber AttackCyber Crimecyber securityCyber security CourseCyber Security NewsCyber Security ResourcesDark WebData BreachData GovernanceDDOSDealsDeepSeekDiscordDNSDos AttackDriveDropboxEducationEmailEmail SecurityEthical HackingExploitExploitation ToolsExtratorrentsFACEBOOKFeaturedFirefoxFirefox NewsFirewallForensics ToolsgameGenAIGitHubGitLabGmailGoogleGoogle dorksGovernanceGRCHacking BooksHacksHardware HackingHBOHTMLHTTPIBMIISIncident ResponseInformation GatheringInformation Security RisksInfosec- ResourcesInsider ThreatsInstagramIntelMore Cyber Security News Windows BitLocker 0-Day Flaw Enables Security Feature Bypass Attacks Cyber Security News Windows Defender Zero-Day “RoguePlanet” Lets Attackers Gain SYSTEM Privileges cyber security OpenClaw AI Agent Leaks Credentials in Phishing Simulation
    💬 Team Notes
    Article Info
    Source
    gbhackers.com
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 10, 2026
    Archived
    Jun 10, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗