A threat actor is exploiting a critical vulnerability present in certain versions of Check Point’s Security Gateways and Spark Firewalls, and customers are advised to patch immediately.
Check Point on June 8 disclosed CVE-2026-50751, a critical authentication bypass flaw (9.3 CVSS score) that impacts “Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol,” according to a blog post. The flaw was exploited in the wild in recent weeks as a zero-day in attacks against “a few dozen targeted organizations globally,” the vendor said.
Remote Access VPN and Mobile Access are both remote access capabilities generally offered as part of Check Point firewalls. IKEv1 (short for Internet Key Exchange version 1) is a security authentication protocol created in 1998 that is often used to set up authenticated and encrypted VPN tunnels. The protocol has been deprecated for years, and other protocols, such as its successor, IKEv2, are generally recommended.
“By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements,” the blog post read. “Additional post-authentication activity is required to access internal resources or escalate privileges.”
The vulnerability was disclosed alongside another flaw, tracked as CVE-2026-50752, involving a “condition in the certificate validation logic” of IKEv1, which can enable a man-in-the-middle attack on VPN site-to-site connections (7.4 CVSS score).
CVE-2026-50751 is the more notable one of the two at this stage, as it’s under active exploitation. Check Point Research said it confirmed one case where post-exploitation activity was associated with a Qilin ransomware affiliate. The suspected threat actor is financially motivated and “is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet and F5.”
Check Point also identified indications that the attacker may be using Tox, an otherwise legitimate open source peer-to-peer protocol, for communication, and that they used dedicated virtual private server (VPS) infrastructure to conduct attacks.
Vulnerable Check Point Customers Should Patch Now
The impacted gateway and firewall versions for both vulnerabilities are identical. They include Security Gateways R82.10 Jumbo Hotfix Take 19 or below; R82 Jumbo Hotfix Take 103 or below; R81.20 Jumbo Hotfix Take 141 or below; R81.10 (end of service); R81 (end of service); and R80.40 (end of service). Also included are Spark Firewalls R80.20.X (EOS); R81.10.X; and R82.00.X.
Check Point urged customers to apply hotfixes as soon as possible. Alternative mitigations, attack identifiers, and more are available in dedicated support pages for CVE-2026-50751 and CVE-2026-50752, respectively. Alternative mitigations generally amount to changing VPN encryption settings to use IKEv2 only; for CVE-2026-50751, the mitigations also include removing support for legacy Remote Access client connections or setting machine certificate authentication as mandatory.
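An added example, not from Check Point or the original article: a triage pass that checks an asset inventory against the affected versions listed in this section. The inventory line format, hostnames and verdict labels are assumptions, and a match only flags a candidate, since exposure also depends on IKEv1 being configured for Remote Access VPN or Mobile Access.

```python
import re

# Security Gateway releases from the article: highest affected Jumbo Hotfix
# Take per release. None means end of service (every take is affected).
GATEWAY_MAX_AFFECTED_TAKE = {
    "R82.10": 19, "R82": 103, "R81.20": 141,
    "R81.10": None, "R81": None, "R80.40": None,
}
# Spark Firewall trains from the article (R80.20.X, R81.10.X, R82.00.X).
SPARK_AFFECTED_TRAINS = ("R80.20.", "R81.10.", "R82.00.")

# Assumed inventory format: "<host> <gateway|spark> <version> [take <n>]"
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<product>gateway|spark)\s+(?P<version>R[\d.]+)"
    r"(?:\s+take\s+(?P<take>\d+))?$", re.IGNORECASE)

def classify(line):
    """Return (host, verdict) for one inventory line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return (None, "unparsed")
    host, product, version = m["host"], m["product"].lower(), m["version"]
    if product == "spark":
        hit = (version + ".").startswith(SPARK_AFFECTED_TRAINS)
        return (host, "affected" if hit else "not-listed")
    if version not in GATEWAY_MAX_AFFECTED_TAKE:
        return (host, "not-listed")
    limit = GATEWAY_MAX_AFFECTED_TAKE[version]
    if limit is None:
        return (host, "affected-eos")
    # Assumption: no Jumbo Hotfix recorded is treated as "or below".
    if m["take"] is None or int(m["take"]) <= limit:
        return (host, "affected")
    return (host, "above-listed-take")

def triage(inventory):
    """Map host -> verdict for every non-blank inventory line."""
    return dict(classify(l) for l in inventory.splitlines() if l.strip())

# Constructed sample inventory (hostnames and takes are made up).
SAMPLE = """\
gw-hq      gateway R81.20 take 141
gw-dr      gateway R81.20 take 150
gw-lab     gateway R82
gw-old     gateway R80.40 take 200
spark-br1  spark   R81.10.15
gw-new     gateway R82.10 take 20
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:10} {verdict}")
```

Hosts reported as `affected` or `affected-eos` are the ones to check for IKEv1 use and to include in log review from the earliest observed exploitation date.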
Check Point first identified malicious activity on June 4, and could identify an earliest observed exploitation date of May 7. Based on its observations, however, exploitation increased in early June. Incident response teams should “prioritize forensic log audits and configuration reviews starting from the earliest observed exploitation date of May 7, 2026,” the blog post read.
A spokesperson for Check Point Research tells Dark Reading that, despite the four-week gap, there was no delay in disclosure. The team began to investigate after a “handful” of customers approached the company, and then worked backward. “Most of the attempts were in recent days, not in the weeks before,” the spokesperson adds.
Asked how many of its customers use the IKEv1 protocol, Check Point Research says not many. “The configuration involves legacy features and a deprecated IKEv1 protocol, therefore the number of potentially vulnerable is small. It may be the reason a small number of customers were targeted,” the spokesperson says.
