
Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups - The Hacker News

The Hacker News Archived Jun 24, 2026 ✓ Full text saved



Ravie Lakshmanan | Jun 08, 2026 | Vulnerability / Network Security

Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol.

The vulnerability, tracked as CVE-2026-50751 (CVSS score: 9.3), is a case of a logic flow weakness in certificate validation that allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.

"By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements," Check Point said. "Additional post-authentication activity is required to access internal resources or escalate privileges."

The shortcoming impacts the following products and versions -

- Security Gateways: R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS)
- Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X

Successful exploitation requires the following conditions to be met -

- VPN Remote Access or Mobile Access is enabled
- IKEv1 is enabled for remote access
- Gateways accept legacy Remote Access clients
- Gateways do not demand a machine certificate for connections

The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026. Exploitation efforts are said to have ramped up starting this month.

The exploitation activity, Check Point added, has been limited to a "few dozen targeted organizations globally." In one case, the post-exploitation phase has been associated with a Qilin ransomware affiliate.

"We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto [Networks], Fortinet, and F5," it noted. "We identified indicators suggesting the actor may use the Tox protocol for communication, a pattern commonly associated with financially motivated ransomware actors."

A key aspect is the use of a virtual private server (VPS) infrastructure to conduct the attacks. Specifically, this involves relying on VPS servers geolocated to a particular country to target organizations within its borders. Once access was established, the attackers were found attempting to download malicious ELF files from actor-controlled infrastructure.

Some aspects of these efforts overlap with a report from Ctrl-Alt-Intel last month, which highlighted the ransomware crew's abuse of corporate VPN appliances for initial access.

"To the best of our knowledge to date, there is no indication the vulnerability was broadly available to other threat actors," Check Point Research told The Hacker News via email. "The activity is clearly opportunistic and targets vulnerable organizations rather than characterized one."

Further review of the affected VPN components has uncovered a second vulnerability, CVE-2026-50752 (CVSS score: 7.40), which may allow an adversary-in-the-middle (AitM) attack on VPN site-to-site connections. There is no evidence the flaw has been exploited in real-world attacks.

Update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on June 8, 2026, added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 11, 2026.

In a follow-up analysis published on June 12, 2026, watchTowr Labs researcher McCaulay Hudson said the vulnerability allows a connecting client to manipulate authentication flags via a custom VPNExtFeatures Vendor ID payload during IKEv1 negotiation, which could then be escalated into a full authentication bypass.

"The vulnerable iked skips verify_peer_auth/verifyMessagePhase1 (it reads attacker-controlled flags from the VPNExtFeatures Vendor ID, bit 0x4), so neither the certificate's signature (proof of possession) NOR its trust chain is checked -- only that the subject DN [Distinguished Name] resolves to a provisioned user," Hudson said. "We forge a self-signed certificate whose subject is CN=<username>,OU=<ou>,O=<ICA-O> (the ICA organisation is the gateway's own, auto-derived from its public TLS certificate) and present it with an invalid signature. A granted phase-1 means the gateway has authenticated us AS that user (it saves the ISAKMP SA under the user's DN) with no private key and no password."

(The story was updated after publication to include a response from Check Point Research and CISA's addition of the flaw to the KEV catalog.)
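The class of flaw Hudson describes, where a value sent by the unauthenticated peer decides whether that peer is verified at all, reduces to a few lines that can serve as a regression check. This is an added, simplified model, not Check Point's code and not part of the original article; the keyed hash standing in for certificate-chain validation, the meaning given to bit 0x4, and the sample DN are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SKIP_AUTH_BIT = 0x4  # bit named in the quoted analysis; its meaning here is an assumption
ICA_KEY = b"constructed-ica-key"                   # stand-in for the internal CA's private key
PROVISIONED = {"CN=alice,OU=users,O=example-ica"}  # constructed user DN


@dataclass
class Cert:
    subject: str
    issuer_sig: bytes  # stand-in for the X.509 issuer signature


def ica_issue(subject: str) -> Cert:
    """Issue a certificate the model gateway will trust."""
    return Cert(subject, hmac.new(ICA_KEY, subject.encode(), hashlib.sha256).digest())


def chain_trusted(cert: Cert) -> bool:
    expected = hmac.new(ICA_KEY, cert.subject.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(cert.issuer_sig, expected)


def phase1_flawed(cert: Cert, peer_flags: int) -> Optional[str]:
    # Anti-pattern: input from the unauthenticated peer gates its own verification,
    # leaving only the subject-DN lookup between the peer and a session.
    if not (peer_flags & SKIP_AUTH_BIT) and not chain_trusted(cert):
        return None
    return cert.subject if cert.subject in PROVISIONED else None


def phase1_hardened(cert: Cert, peer_flags: int) -> Optional[str]:
    # Verification is unconditional; peer flags are ignored until identity is proven.
    if not chain_trusted(cert):
        return None
    return cert.subject if cert.subject in PROVISIONED else None
```
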
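The affected versions and the four exploitation preconditions listed earlier in the article translate directly into an inventory check for CVE-2026-50751. This is an added example, not from the article or from Check Point; the record fields, status strings and sample gateways are constructed, and every listed Spark build is treated as affected because the article gives no fixed build.

```python
from dataclasses import dataclass
from typing import Optional

# Highest Jumbo Hotfix Take the article lists as affected, per Security Gateway release.
MAX_AFFECTED_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
EOS_GATEWAYS = {"R81.10", "R81", "R80.40"}        # listed with no take number
SPARK_TRAINS = ("R80.20.", "R81.10.", "R82.00.")  # Spark R80.20.X, R81.10.X, R82.00.X

@dataclass
class Gateway:                   # hypothetical inventory record
    name: str
    product: str                 # "gateway" or "spark"
    version: str
    take: Optional[int]          # Jumbo Hotfix Take; None when unknown
    remote_access: bool          # VPN Remote Access or Mobile Access enabled
    ikev1: bool                  # IKEv1 enabled for remote access
    legacy_clients: bool         # accepts legacy Remote Access clients
    machine_cert_required: bool  # demands a machine certificate

def build_affected(gw: Gateway) -> bool:
    if gw.product == "spark":
        return gw.version.startswith(SPARK_TRAINS)
    if gw.version in EOS_GATEWAYS:
        return True
    limit = MAX_AFFECTED_TAKE.get(gw.version)
    # Unknown take on a listed release is treated as affected (fail closed).
    return limit is not None and (gw.take is None or gw.take <= limit)

def triage(gw: Gateway) -> tuple[str, list[str]]:
    """Return (status, preconditions that are NOT met and so block exploitation)."""
    if not build_affected(gw):
        return "not-listed", []
    blockers = [label for label, met in [
        ("remote access / mobile access disabled", gw.remote_access),
        ("IKEv1 disabled for remote access", gw.ikev1),
        ("legacy clients rejected", gw.legacy_clients),
        ("machine certificate required", not gw.machine_cert_required),
    ] if not met]
    return ("exposed" if not blockers else "affected-build-config-blocks"), blockers

INVENTORY = [  # constructed sample data
    Gateway("edge-1", "gateway", "R81.20", 141, True, True, True, False),
    Gateway("edge-2", "gateway", "R82", 104, True, True, True, False),
    Gateway("edge-3", "gateway", "R82.10", None, True, False, True, True),
    Gateway("branch-1", "spark", "R81.10.15", None, True, True, True, False),
]

if __name__ == "__main__":
    for gw in INVENTORY:
        print(gw.name, *triage(gw))
```

A gateway reported as `affected-build-config-blocks` still runs a listed build and needs the fix; the blockers only explain why the four stated conditions are not all met today.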
SHARE     Tweet Share Share SHARE  Authentication bypass, Check Point, cybersecurity, network security, Qilin, ransomware, VPN, Vulnerability ⚡ Top Stories This Week Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Load More ▼ ⭐ Featured Resources Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check [Watch Demo] See Which Security Gaps Attackers Could Exploit First Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown
    Article Info
    Source
    The Hacker News
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 24, 2026
    Archived
    Jun 24, 2026