Check Point VPN Zero-Day Under Active Exploitation by Ransomware Operators - gbhackers.com
gbhackers.comArchived Jun 10, 2026✓ Full text saved
Check Point VPN Zero-Day Under Active Exploitation by Ransomware Operators gbhackers.com
Full text archived locally
✦ AI Summary· Claude Sonnet
gbhackers.
gbhackers.
Home
Threats
Cyber Attack
Data Breach
Vulnerability
What is
DFIR
Top 10
Follow us On Linkedin
CVE/vulnerabilityCyber Security NewsZero-Day
2 min.Read
Check Point VPN Zero-Day Under Active Exploitation by Ransomware Operators
By Divya
June 9, 2026
Share
Facebook
Twitter
Pinterest
WhatsApp
Check Point has disclosed active in-the-wild exploitation of a critical authentication bypass vulnerability, tracked as CVE-2026-50751, impacting Remote Access VPN and Mobile Access deployments configured with the deprecated IKEv1 key exchange protocol.
The flaw, assigned a CVSS score of 9.3, allows unauthenticated attackers to establish VPN sessions without valid credentials by exploiting a logic flaw in certificate validation.
While initial access does not automatically grant full network control, it enables threat actors to pivot into post-authentication activity, including lateral movement and privilege escalation.
Check Point VPN Zero-Day
According to Check Point Research, exploitation has been observed since at least May 7, 2026, with a noticeable spike in activity in early June.
The campaign appears highly targeted, affecting dozens of organizations globally. In at least one confirmed incident, post-compromise activity was linked to a Qilin ransomware affiliate, suggesting financially motivated threat actors are leveraging the vulnerability as an initial access vector.
Researchers assess with medium confidence that the operators are aligned with ransomware-driven campaigns and may be reusing infrastructure and techniques seen in attacks targeting VPN products from other vendors such as Fortinet, Palo Alto Networks, and F5.
Technically, CVE-2026-50751 stems from improper certificate validation logic within IKEv1-based VPN authentication flows. Attackers can exploit this weakness to bypass password verification entirely and establish a remote VPN session.
This significantly reduces the barrier to entry for attackers, particularly in environments where IKEv1 remains enabled for legacy compatibility. Check Point has emphasized that the vulnerability only affects configurations using IKEv1, which has long been deprecated due to inherent security weaknesses.
During the investigation, Check Point also identified a secondary vulnerability, CVE-2026-50752 (CVSS 7.4), affecting certificate validation in site-to-site VPN connections using IKEv1.
This flaw could allow man-in-the-middle (MitM) attacks under specific conditions. While no active exploitation of CVE-2026-50752 has been observed, its discovery highlights systemic risks associated with legacy cryptographic protocols and reinforces the need for proactive patching.
Threat intelligence indicates that attackers are leveraging VPS infrastructure hosted by providers such as Kaupo Cloud HK, Shock Hosting, and Vultr.
Notably, some attack infrastructure appears geographically aligned with targeted victims, suggesting operational awareness and potential geo-targeting. Additionally, the Tox protocol has been observed for command-and-control communications, a technique commonly used by ransomware groups to evade detection.
Post-exploitation activity includes attempts to deploy Qilin ransomware payloads, particularly Linux ELF binaries retrieved from attacker-controlled servers.
Organizations are strongly advised to apply the latest security updates from Check Point immediately and to turn off IKEv1 wherever possible. Incident response teams should conduct forensic analysis of VPN logs dating back to early May 2026 to identify suspicious authentication events and unauthorized access.
Indicators of Compromise (IOCs)
Type Indicator
IP Address 45.77.149[.]152
IP Address 209.182.225[.]136
IP Address 38.60.157[.]139
IP Address 162.33.177[.]101
IP Address 45.76.26[.]42
IP Address 144.208.127[.]155
IP Address 38.54.88[.]201
IP Address 38.54.107[.]167
IP Address 66.42.99[.]200
MD5 Hash 52fda5c1b9704544f32ee98d9060e689
MD5 Hash 51d39aa39478beeac94f2d12f682ecce
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
TagsCYBER SECURITYCYBER SECURITY NEWSVULNERABILITY
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
Hot this week
Infosec- Resources
How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities
SOC Architecture
How to Build and Run a Security Operations Center (SOC Guide) – 2023
Cyber Security News
Russian Hackers Bypass EDR to Deliver a Weaponized TeamViewer Component
Checklist
Web Server Penetration Testing Checklist – 2026
Infosec- Resources
ATM Penetration Testing – Advanced Testing Methods to Find The Vulnerabilities
Topics
AcquisitionAdobeAdwareAIAmazonAmazon AWSAMDAndroidAnti VirusAntimalwareANY RUNApacheAPIAppleAPTArtificial IntelligenceAvastAWSAzureBackdoorBitcoinBluetoothBotnetBrowserBuffer over flowBug BountyBusinessChatbotsChatGPTChecklistChromeCiscoCISOCISO AdvisoryCloudCloud SecurityCloudflareComputer SecurityCourseCPUCross site ScriptingcryptocurrencyCryptocurrency hackCVE/vulnerabilityCyber AdvisoryCyber AICyber AttackCyber Crimecyber securityCyber security CourseCyber Security NewsCyber Security ResourcesDark WebData BreachData GovernanceDDOSDealsDeepSeekDiscordDNSDos AttackDriveDropboxEducationEmailEmail SecurityEthical HackingExploitExploitation ToolsExtratorrentsFACEBOOKFeaturedFirefoxFirefox NewsFirewallForensics ToolsgameGenAIGitHubGitLabGmailGoogleGoogle dorksGovernanceGRCHacking BooksHacksHardware HackingHBOHTMLHTTPIBMIISIncident ResponseInformation GatheringInformation Security RisksInfosec- ResourcesInsider ThreatsInstagramIntelMore
Cyber Security News
Windows BitLocker 0-Day Flaw Enables Security Feature Bypass Attacks
Cyber Security News
Windows Defender Zero-Day “RoguePlanet” Lets Attackers Gain SYSTEM Privileges
cyber security
OpenClaw AI Agent Leaks Credentials in Phishing Simulation