
Check Point VPN CVE-2026-50751: Qilin Ransomware Exploitation and Emergency Actions


On June 8, 2026, CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalog with a Federal Civilian Executive Branch remediation deadline of June 22. The vulnerability is a critical authentication bypass in Check Point Remote Access VPN and Mobile Access, with a CVSS score of 9.3. Active exploitation has been confirmed since May 7, more than a month before the public disclosure.

What the vulnerability does

CVE-2026-50751 is classified as improper authentication (CWE-287). The flaw lives in the IKEv1 key exchange component of Check Point's Remote Access VPN and Mobile Access software. During an IKEv1 handshake, the gateway validates client certificates to establish identity before granting VPN access. A logic flaw in this validation process allows an unauthenticated attacker to complete the handshake and establish a fully functional VPN session without providing valid credentials.

No username. No password. No certificate. Full network access.

The affected versions span R80.20.X through R82.10 across Check Point Quantum Security Gateways, Spark Firewalls, and CloudGuard deployments with Remote Access or Mobile Access blades enabled.

A related vulnerability, CVE-2026-50752 (CVSS 7.4), was identified in the same IKEv1 code path and enables man-in-the-middle attacks against site-to-site VPN tunnels under certain configurations.

Who has been exploiting it

Rapid7's Emergency Threat Response team, in an analysis published June 8, attributes the exploitation with medium confidence to a Qilin ransomware affiliate. The indicators of compromise include Rclone for data exfiltration and the Tox protocol for command-and-control communications, both consistent with Qilin affiliate tooling observed in other campaigns.

Check Point characterizes the campaign as "limited in scope," affecting several dozen organizations, with initial activity confirmed from May 7 and a notable increase in volume in early June. The June escalation likely reflects the vulnerability becoming more widely known in the attacker community ahead of public disclosure.

What to do

Check Point released a hotfix for CVE-2026-50751. Apply it now.

If patching today is not possible, apply these mitigations in order:

First, disable legacy IKEv1 Remote Access client connections on all gateways. This removes the vulnerable code path entirely for most affected configurations.

Second, require machine certificates for all VPN connections. The vulnerability only works against configurations that do not enforce machine certificate validation.

Third, review your VPN authentication logs for sessions established between May 7 and today. Look for unusual source IPs or connection patterns, particularly sessions that authenticated via IKEv1 without a corresponding certificate validation event.
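One way to script the third check, added here as an example and not taken from the advisory, Rapid7 or Check Point: it assumes a simplified, constructed log format (one event per line with `src=` and `session=` fields) rather than Check Point's actual log schema, and flags IKEv1 sessions inside the exploitation window that have no matching certificate-validation event.

```python
"""Flag IKEv1 VPN sessions established without a certificate-validation event."""
from datetime import datetime

# Constructed sample log lines in an assumed format (NOT Check Point's real schema).
# Session a1 is IKEv1 with a cert validation, c3 is IKEv2 with one, b7 is IKEv1
# without one inside the window, and d9 is IKEv1 without one but before May 7.
SAMPLE_LOG = """\
2026-05-09T02:14:07Z cert_validated src=203.0.113.7 session=a1
2026-05-09T02:14:08Z ikev1_session_established src=203.0.113.7 session=a1
2026-05-11T23:48:31Z ikev1_session_established src=198.51.100.23 session=b7
2026-05-30T10:05:12Z cert_validated src=192.0.2.44 session=c3
2026-05-30T10:05:13Z ikev2_session_established src=192.0.2.44 session=c3
2026-04-30T08:00:00Z ikev1_session_established src=198.51.100.99 session=d9
"""

# First confirmed exploitation date from the advisory; end of window defaults to "today".
WINDOW_START = datetime(2026, 5, 7)


def parse(line):
    """Split one assumed-format line into a dict: ts, event, src, session."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event, **fields}


def suspicious_ikev1_sessions(log_text, window_start=WINDOW_START, window_end=None):
    """Return (src, session, ts) for IKEv1 sessions in the window with no cert_validated event."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    # Sessions that produced a certificate-validation event anywhere in the log.
    validated = {e["session"] for e in events if e["event"] == "cert_validated"}
    flagged = []
    for e in events:
        if e["event"] != "ikev1_session_established":
            continue  # only the IKEv1 code path is in scope
        if e["ts"] < window_start or (window_end is not None and e["ts"] > window_end):
            continue  # outside the exploitation window
        if e["session"] not in validated:
            flagged.append((e["src"], e["session"], e["ts"]))
    return flagged


if __name__ == "__main__":
    for src, sid, ts in suspicious_ikev1_sessions(SAMPLE_LOG):
        print(f"{ts.isoformat()} IKEv1 session {sid} from {src} had no certificate validation")
```

Feed it real gateway exports only after adapting `parse` to your log schema; a hit is a lead for incident response, not proof of compromise on its own.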

FCEB agencies must remediate by June 22, 2026 under BOD 22-01. For everyone else, treat this as a patch-this-week item given the active exploitation timeline.

The broader takeaway

IKEv1 is a protocol from 1998 that was deprecated in favor of IKEv2 years ago. Organizations running IKEv1 in production VPN configurations to support legacy clients are carrying unnecessary risk. CVE-2026-50751 is not the first exploited vulnerability in IKEv1 implementations, and it will not be the last.

If this incident is the prompt your team needed to remove IKEv1 support from your perimeter, use it.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your team needs help assessing VPN and perimeter exposure after this disclosure.