CISA Warns of Check Point Security Gateway Vulnerability Actively Exploited in Ransomware Attacks
By Guru Baran
June 11, 2026
CISA has added a critical vulnerability in Check Point Security Gateway to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are actively exploiting the flaw in ransomware campaigns.
The vulnerability, tracked as CVE-2026-50751, allows unauthenticated remote attackers to bypass user authentication and establish unauthorized VPN connections, posing severe risks to enterprise networks worldwide.
CVE-2026-50751 is an improper authentication vulnerability (CWE-287) residing in the IKEv1 (Internet Key Exchange version 1) key exchange protocol implemented in Check Point Security Gateway.
The flaw enables an unauthenticated remote attacker to bypass standard user authentication mechanisms and establish a remote access VPN tunnel without supplying a valid user password.
IKEv1 is a deprecated protocol used to negotiate and establish IPsec VPN sessions. Despite its legacy status, many organizations continue running it in production environments, a security risk that threat actors are now actively weaponizing.
Successful exploitation gives attackers a foothold directly inside the target network perimeter, effectively neutralizing the gateway’s role as a security boundary.
Active Exploitation and Ransomware Campaigns
CISA added CVE-2026-50751 to the KEV catalog on June 8, 2026, with a mandatory remediation due date of June 11, 2026, for all federal civilian executive branch (FCEB) agencies.
Critically, CISA confirmed the vulnerability is known to be used in ransomware campaigns, elevating the urgency for all organizations, not just federal agencies, to act immediately.
The ability to silently authenticate into a VPN without credentials makes this flaw particularly dangerous as an initial access vector. Ransomware operators routinely target VPN gateways as entry points, enabling lateral movement, data exfiltration, and eventual payload deployment across compromised networks.
The vulnerability affects Check Point Security Gateway products running the IKEv1 protocol for remote access VPN. Organizations using these gateways with IKEv1 enabled are directly at risk. An attacker exploiting this flaw could:
Bypass multi-factor and password-based authentication entirely
Establish persistent VPN access to internal network segments
Move laterally to high-value targets including domain controllers and data repositories
Deploy ransomware or exfiltrate sensitive data without triggering standard authentication alerts
Mitigations
Check Point has released an official hotfix addressing the vulnerability in deprecated IKEv1 VPN protocol implementations. CISA recommends that organizations take the following steps immediately:
Apply vendor-issued mitigations per the guidance published in Check Point’s security advisory and support article SK185033
Follow BOD 22-01 guidance for cloud-based deployments of affected products
Discontinue use of the product if vendor mitigations cannot be applied in a timely manner
Disable IKEv1 where it is not explicitly required, and migrate to IKEv2 as the modern, supported alternative
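Before disabling IKEv1, it helps to know which peers still negotiate it; the version byte in the IKE header is enough to tell. The following is an added example, not code from Check Point or CISA: the function names are hypothetical and the sample packets are constructed.

```python
import struct

# Fixed IKE/ISAKMP header (RFC 2408, RFC 7296): initiator SPI (8), responder SPI (8),
# next payload, version, exchange type, flags, message ID (4), length (4) = 28 bytes.
HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE messages on UDP/4500 (RFC 3948)

def ike_version(udp_payload: bytes, port: int = 500):
    """Return (major, minor) of an IKE message, or None if it is not one."""
    if port == 4500:
        if not udp_payload.startswith(NON_ESP_MARKER):
            return None  # ESP-in-UDP data or a NAT keepalive, not IKE
        udp_payload = udp_payload[4:]
    if len(udp_payload) < HEADER.size:
        return None
    _, _, _, version, _, _, _, length = HEADER.unpack_from(udp_payload)
    if length < HEADER.size:
        return None  # length field cannot be smaller than the header itself
    return version >> 4, version & 0x0F

def ikev1_sources(packets):
    """packets: iterable of (src_ip, port, udp_payload). Returns peers speaking IKEv1."""
    return sorted({src for src, port, data in packets
                   if (v := ike_version(data, port)) and v[0] == 1})

def sample_msg(version: int, exchange: int) -> bytes:
    # Constructed header-only message; every field except version is filler.
    return HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, version, exchange, 0, 0, HEADER.size)

# Constructed sample traffic (documentation address ranges).
SAMPLE_PACKETS = [
    ("198.51.100.7", 500, sample_msg(0x10, 2)),                     # IKEv1, Main Mode
    ("203.0.113.20", 500, sample_msg(0x20, 34)),                    # IKEv2, IKE_SA_INIT
    ("198.51.100.9", 4500, NON_ESP_MARKER + sample_msg(0x10, 4)),   # IKEv1 over NAT-T
    ("203.0.113.21", 4500, b"\xff"),                                # NAT keepalive
]

if __name__ == "__main__":
    print(ikev1_sources(SAMPLE_PACKETS))
```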
Organizations should also audit VPN authentication logs for anomalous connection attempts that lack corresponding valid credential events, a potential indicator of prior exploitation.
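One way to run the audit described above, as an added example that is not Check Point's or CISA's tooling: it flags tunnel establishments with no recent successful authentication for the same user and source. The key=value log format, event names and 120-second window are assumptions made for illustration and must be mapped to the gateway's actual log fields.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed maximum gap between auth and tunnel-up

def parse(line):
    """Parse '<ISO timestamp> key=value ...' into a dict (constructed format)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def tunnels_without_auth(lines, window=WINDOW):
    """Return tunnel_up events lacking a matching auth_success inside the window."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_auth = {}  # (user, src) -> time of most recent successful authentication
    findings = []
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e.get("event") == "auth_success":
            last_auth[key] = e["ts"]
        elif e.get("event") == "tunnel_up":
            seen = last_auth.pop(key, None)  # assumption: one auth vouches for one tunnel
            if seen is None or e["ts"] - seen > window:
                findings.append(e)
    return findings

# Constructed sample log lines (documentation address ranges, invented users).
SAMPLE_LOG = """\
2026-06-09T02:10:00Z event=auth_success user=alice src=198.51.100.7
2026-06-09T02:10:03Z event=tunnel_up user=alice src=198.51.100.7 session=a1
2026-06-09T02:14:07Z event=tunnel_up user=bob src=203.0.113.50 session=b7
2026-06-09T02:20:00Z event=auth_failure user=carol src=203.0.113.51
2026-06-09T02:20:02Z event=tunnel_up user=carol src=203.0.113.51 session=c2
2026-06-09T03:00:00Z event=auth_success user=dave src=198.51.100.9
2026-06-09T03:30:00Z event=tunnel_up user=dave src=198.51.100.9 session=d4
""".splitlines()

if __name__ == "__main__":
    for f in tunnels_without_auth(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["user"], f["src"], f["session"])
```

Sessions flagged here are leads for review, not confirmed compromise; a tunnel that follows only a failed or stale authentication deserves the same scrutiny as one with no authentication record at all.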
This disclosure underscores the persistent risk posed by legacy protocol support in enterprise security products. VPN gateways are high-value targets precisely because compromising them grants attackers authenticated-looking network access.
Security teams should treat this patch as a critical priority and verify hotfix deployment across all gateway instances before the CISA-mandated deadline.
Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.