CVE-2026-50751 lets attackers bypass VPN authentication without passwords via IKEv1 flaw; CISA added it to KEV, hotfixes released 8 June.
Check Point Software has issued an urgent warning about active exploitation of a critical vulnerability in its VPN and mobile access products. The flaw, identified as CVE-2026-50751 with a CVSS score of 9.3, enables unauthenticated attackers to bypass user authentication entirely and establish VPN connections without valid passwords.
The vulnerability stems from a logic flow weakness in certificate validation during the deprecated IKEv1 key exchange protocol. According to the firm, “an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements,” although additional post-authentication activity remains necessary to access internal resources or escalate privileges.
The affected products include Security Gateways R82.10 (Jumbo Hotfix Take 19 or below), R82 (Take 103 or below), R81.20 (Take 141 or below), and older versions R81.10, R81, R80.40, plus Spark Firewalls R80.20.X, R81.10.X, and R82.00.X .
Four specific conditions must exist for successful exploitation:
- VPN Remote Access or Mobile Access must be enabled
- IKEv1 must be enabled for remote access
- Gateways must accept legacy Remote Access clients
- Gateways must not require machine certificates for connections
Suspicious activity was first detected on 4 June 2026, with the earliest exploitation traced back to 7 May 2026. Attacks had surged significantly in early June. The campaign has targeted “a few dozen organizations globally” and remains opportunistic rather than narrowly characterized .
In one confirmed case, post-exploitation activity linked to a Qilin ransomware affiliate deployed ELF payloads using the Tox protocol for command-and-control communication, a pattern typical of financially motivated ransomware operators . Attackers utilized virtual private server infrastructure geolocated to specific countries to target organizations within those borders .
On 8 June 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog, mandating Federal Civilian Executive Branch agencies apply fixes by 11 June 11 2026.
Check Point had released hotfixes on 8 June 2026 and published a security advisory detailing configurations at risk and mitigation strategies. Researchers also discovered a second vulnerability, CVE-2026-50752 (CVSS 7.40), which could enable adversary-in-the-middle attacks on VPN site-to-site connections, although no real-world exploitation has been observed.
