
Check Point VPN authentication bypass is fueling ransomware: what IKEv1 still running in production means for you


CVE-2026-50751 is a CVSS 9.3 authentication bypass in Check Point Security Gateway's IKEv1 implementation. An unauthenticated attacker can skip credential validation entirely and establish a Remote Access VPN session. CISA added it to the Known Exploited Vulnerabilities catalog on June 8 with a three-day federal agency deadline. Rapid7 confirmed active exploitation in the wild, with at least one case involving a Qilin ransomware affiliate. If IKEv1 is still enabled on your Check Point gateway, you are exposed right now.

The vulnerability

IKEv1, the first version of the Internet Key Exchange protocol used to negotiate IPsec VPN tunnels, has been superseded by IKEv2 for years. Check Point kept an IKEv1 implementation in Security Gateway for legacy Remote Access VPN and Mobile Access deployments. CVE-2026-50751 is an improper authentication flaw (CWE-287) in that implementation: the IKEv1 exchange fails to enforce the credential check, so an unauthenticated remote attacker can complete the negotiation and establish a Remote Access VPN session as if they held valid credentials. The attack works over the network, requires no prior access or user interaction, and leaves the attacker with whatever internal access the Remote Access VPN policy grants a legitimate user.

Why IKEv1 is still running in production

Deprecated does not mean gone. IKEv1 persists in production for several common reasons: legacy VPN clients that do not support IKEv2, older mobile device management configurations, branch office hardware that was never updated, or simply because no one audited the gateway configuration after the initial setup. In many organizations, VPN protocol settings are treated as infrastructure that was configured once and never revisited. This flaw is what happens when that assumption meets an actively targeted implementation.

Exploitation activity observed by Rapid7 and Check Point Research began on May 7, 2026, and increased sharply in early June. Dozens of organizations were affected before the KEV addition and hotfix became available. The threat actor infrastructure overlaps with campaigns targeting Palo Alto Networks, Fortinet, and F5 VPN vulnerabilities, suggesting this is part of a broader VPN initial-access operation.

The ransomware connection

At least one confirmed post-compromise case involved a Qilin ransomware affiliate. Qilin is a ransomware-as-a-service operation active since 2022 (originally tracked as Agenda) that ships encryptors written in Go and later Rust and pairs encryption with data theft and extortion. VPN initial access is a known Qilin entry vector: once inside the network on a valid-looking VPN session, affiliates move laterally, locate backup systems and domain controllers, and deploy ransomware broadly.

The pattern matters here. An authentication bypass hands the attacker a session that looks like a legitimate user's. That session inherits the network access granted to VPN users, so segmentation built to stop external attackers does not apply, and detection tooling that treats VPN traffic as trusted sees nothing unusual. By the time ransomware deploys, the initial access may be weeks in the past and hard to reconstruct without detailed VPN session logging.

Remediation

Apply Check Point's hotfix for CVE-2026-50751 immediately on every affected gateway, including all cluster members. If you cannot patch right now, disable IKEv1 on all gateway interfaces after confirming which clients, if any, still depend on it; those clients need to move to IKEv2 in any case. Then audit Remote Access VPN session logs from May 7 onward. Because the bypass produces a session that records as a normal authenticated login, treat every IKEv1 session in that window as suspect, and look in particular for sessions during unexpected hours, from unexpected geographies, or for accounts (service accounts, dormant users) that do not normally use the VPN. Check for lateral movement indicators in the days following any suspicious session. If you find evidence of compromise, treat it as a ransomware precursor and start your incident response process rather than waiting for encryption to begin.
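As an added illustration of that audit (example code written for this article, not a Check Point tool or log format), the script below runs the three checks over a small set of constructed session records: it flags every IKEv1 login after the May 7 window start, logins outside assumed business hours, and logins from a country the user was never seen in before the window. The key=value record layout, the user names, the RFC 5737 test addresses and the 07:00-19:00 UTC business-hours window are all assumptions for the example; adapt parse_record() to whatever your gateway exports.

```python
"""Triage Remote Access VPN session logs for the CVE-2026-50751 window.

Illustrative example only. The record format and sample data are
constructed for this article; they are not Check Point's log schema.
"""
from collections import defaultdict
from datetime import datetime, time, timezone

# Start of observed exploitation per the Rapid7 / Check Point Research timeline.
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)
# Assumed business hours in UTC for the off-hours rule; tune per organisation.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Constructed sample records: hypothetical users, RFC 5737 test addresses.
SAMPLE_LOG = """\
time=2026-04-14T09:05:11Z user=jsmith src=198.51.100.20 country=DE ike_version=2 action=login
time=2026-04-21T10:42:03Z user=jsmith src=198.51.100.21 country=DE ike_version=2 action=login
time=2026-04-28T08:15:49Z user=alee src=192.0.2.77 country=US ike_version=2 action=login
time=2026-05-09T03:12:44Z user=jsmith src=203.0.113.45 country=NL ike_version=1 action=login
time=2026-05-12T11:30:00Z user=alee src=192.0.2.78 country=US ike_version=2 action=login
time=2026-05-20T23:58:10Z user=svc_backup src=203.0.113.9 country=RU ike_version=1 action=login
"""


def parse_record(line):
    """Parse one key=value record into a dict with typed time and IKE version."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    rec["ike_version"] = int(rec["ike_version"])
    return rec


def build_baseline(records):
    """Per-user set of source countries seen in logins before the window."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["time"] < WINDOW_START and rec["action"] == "login":
            baseline[rec["user"]].add(rec["country"])
    return baseline


def triage(log_text):
    """Return (user, iso_time, reasons) for each in-window login that trips a rule."""
    records = [parse_record(line) for line in log_text.splitlines() if line.strip()]
    baseline = build_baseline(records)
    findings = []
    for rec in records:
        if rec["time"] < WINDOW_START or rec["action"] != "login":
            continue
        reasons = []
        # Any IKEv1 session in the window may be a bypass, not a real user.
        if rec["ike_version"] == 1:
            reasons.append("ikev1")
        when = rec["time"]
        if when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END):
            reasons.append("off-hours")
        seen = baseline.get(rec["user"])
        if not seen:
            reasons.append("no-baseline")  # account never used the VPN before
        elif rec["country"] not in seen:
            reasons.append("new-country")
        if reasons:
            findings.append((rec["user"], when.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in triage(SAMPLE_LOG):
        print(f"{when} {user}: {', '.join(reasons)}")
```

On the sample data the two IKEv1 logins are flagged (one for a known user appearing from a new country at 03:12 on a Saturday, one for a service account with no VPN history) while the ordinary IKEv2 login during business hours passes. In a real audit the "ikev1" flag alone is enough to open a ticket: the bypass means the recorded username says nothing about who actually held the session.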

The durable lesson here is about protocol lifecycle management. IKEv2 replaced IKEv1 as the IETF standard in 2005 (RFC 4306, with the current specification RFC 7296 published in 2014), and the IETF formally deprecated IKEv1 in 2023 (RFC 9395). That the old protocol is still enabled on production perimeter devices two decades after its replacement appeared reflects a gap in how organizations track and retire deprecated protocol configurations. A quarterly review of the protocols and cipher suites enabled on perimeter devices would catch this class of exposure before a CVSS 9.3 zero-day makes it urgent.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization needs help with VPN security assessment or incident response after a potential VPN-based intrusion.
