
CISA Warns of Check Point Security Gateway Vulnerability Actively Exploited in Ransomware Attacks - CyberSecurityNews

CyberSecurityNews Archived Jun 24, 2026 ✓ Full text saved



By Guru Baran, June 11, 2026

CISA has added a critical vulnerability in Check Point Security Gateway to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are actively exploiting the flaw in ransomware campaigns. The vulnerability, tracked as CVE-2026-50751, allows unauthenticated remote attackers to bypass user authentication and establish unauthorized VPN connections, posing severe risks to enterprise networks worldwide.

CVE-2026-50751 is an improper authentication vulnerability (CWE-287) residing in the IKEv1 (Internet Key Exchange version 1) key exchange protocol implemented in Check Point Security Gateway. The flaw enables an unauthenticated remote attacker to bypass standard user authentication mechanisms and establish a remote access VPN tunnel without supplying a valid user password.

IKEv1 is a deprecated protocol used to negotiate and establish IPsec VPN sessions. Despite its legacy status, many organizations continue running it in production environments, a security risk that threat actors are now actively weaponizing. Successful exploitation gives attackers a foothold directly inside the target network perimeter, effectively neutralizing the gateway’s role as a security boundary.

Active Exploitation and Ransomware Campaigns

CISA added CVE-2026-50751 to the KEV catalog on June 8, 2026, with a mandatory remediation due date of June 11, 2026, for all federal civilian executive branch (FCEB) agencies. Critically, CISA confirmed the vulnerability is known to be used in ransomware campaigns, elevating the urgency for all organizations, not just federal agencies, to act immediately.

The ability to silently authenticate into a VPN without credentials makes this flaw particularly dangerous as an initial access vector. Ransomware operators routinely target VPN gateways as entry points, enabling lateral movement, data exfiltration, and eventual payload deployment across compromised networks.

The vulnerability affects Check Point Security Gateway products running the IKEv1 protocol for remote access VPN. Organizations using these gateways with IKEv1 enabled are directly at risk. An attacker exploiting this flaw could:

- Bypass multi-factor and password-based authentication entirely
- Establish persistent VPN access to internal network segments
- Move laterally to high-value targets including domain controllers and data repositories
- Deploy ransomware or exfiltrate sensitive data without triggering standard authentication alerts

Mitigations

Check Point has released an official hotfix addressing the vulnerability in deprecated IKEv1 VPN protocol implementations. CISA recommends that organizations take the following steps immediately:

- Apply vendor-issued mitigations per the guidance published in Check Point’s security advisory and support article SK185033
- Follow BOD 22-01 guidance for cloud-based deployments of affected products
- Discontinue use of the product if vendor mitigations cannot be applied in a timely manner
- Disable IKEv1 where it is not explicitly required, and migrate to IKEv2 as the modern, supported alternative

Organizations should also audit VPN authentication logs for anomalous connection attempts that lack corresponding valid credential events, a potential indicator of prior exploitation.

This disclosure underscores the persistent risk posed by legacy protocol support in enterprise security products. VPN gateways are high-value targets precisely because compromising them grants attackers authenticated-looking network access. Security teams should treat this patch as a critical priority and verify hotfix deployment across all gateway instances before the CISA-mandated deadline.
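The log audit recommended above can be expressed as a correlation: flag every IKEv1 tunnel establishment that has no recent successful authentication for the same user and source address. The following is an added example, not code from the article or from Check Point; the event schema, field names and sample records are constructed for illustration, so gateway logs must first be mapped onto these keys.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not Check Point's native log format). IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2026-06-09T08:00:05", "type": "auth_success", "user": "alice", "src": "198.51.100.10"},
    {"ts": "2026-06-09T08:00:07", "type": "tunnel_up", "user": "alice", "src": "198.51.100.10", "ike": 1},
    {"ts": "2026-06-09T08:14:30", "type": "tunnel_up", "user": "bob", "src": "203.0.113.77", "ike": 1},
    {"ts": "2026-06-09T09:00:00", "type": "auth_success", "user": "carol", "src": "198.51.100.22"},
    {"ts": "2026-06-09T09:20:00", "type": "tunnel_up", "user": "carol", "src": "198.51.100.22", "ike": 1},
    {"ts": "2026-06-09T09:30:00", "type": "auth_failure", "user": "dave", "src": "203.0.113.90"},
    {"ts": "2026-06-09T09:30:02", "type": "tunnel_up", "user": "dave", "src": "203.0.113.90", "ike": 1},
    {"ts": "2026-06-09T10:00:00", "type": "tunnel_up", "user": "erin", "src": "198.51.100.40", "ike": 2},
]


def find_unauthenticated_tunnels(events, window=timedelta(minutes=2), ike_version=1):
    """Return tunnel_up events with no auth_success for the same (user, src)
    within the preceding `window`. Pass ike_version=None to check every tunnel."""
    last_ok = {}   # (user, src) -> time of the most recent successful authentication
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts chronologically
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["src"])
        if ev["type"] == "auth_success":
            last_ok[key] = ts
        elif ev["type"] == "tunnel_up":
            if ike_version is not None and ev.get("ike") != ike_version:
                continue
            ok = last_ok.get(key)
            # No credential event at all, or one too old to explain this tunnel.
            if ok is None or ts - ok > window:
                findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in find_unauthenticated_tunnels(SAMPLE_EVENTS):
        print(f'{ev["ts"]} IKEv{ev["ike"]} tunnel for {ev["user"]} from {ev["src"]}: no matching auth')
```

The correlation window is a tuning parameter: too short and slow legitimate logins are flagged (as with `carol` in the sample), too long and a stale login can mask a tunnel that was never authenticated.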
Article Info
Source: CyberSecurityNews
Category: Vulnerabilities & CVEs
Published: Jun 24, 2026
Archived: Jun 24, 2026