Check Point VPN Zero-Day Exploited by Qilin | Femto Security Threat Intelligence

Key Takeaways

A critical logic flow bypass vulnerability (CVE-2026-50751) allows remote, unauthenticated attackers to bypass certificate validation in deprecated IKEv1 VPN gateways.
Active exploitation has been observed in the wild since May 7, 2026, with some incidents directly linked to Qilin ransomware affiliates.
A secondary vulnerability (CVE-2026-50752) allows man-in-the-middle certificate bypass attacks on legacy site-to-site VPN tunnels.
Immediate remediation requires applying official hotfixes or restricting remote access gateways to IKEv2-only connections and requiring machine certificates.

CVE-2026-50751 Severity Score

Improper Authentication / Logic Flow Bypass (CWE-287) in IKEv1 of Remote Access VPN / Mobile Access blades.

0.0

/ 10.0 cvss

Critical

Disclosure and Exploitation Timeline (2026)

May 7, 2026exploit
Targeted Exploitation Begins
Active targeted exploitation of the IKEv1 logic flow bypass is observed in the wild.
June 8, 2026disclosure
CISA KEV Catalog Inclusion
CISA adds CVE-2026-50751 to its Known Exploited Vulnerabilities catalog.
June 27, 2026patch
Vulnerability Remediation Advisory
Technical analysis and emergency JHA updates details published.

Qilin Ransomware TTP Mapping

Initial Access

T1133

External Remote Services

T1190

Exploit Public-Facing Application

Persistence

T1133

External Remote Services

Command and Control

T1095

Non-Application Layer Protocol

Impact

T1486

Data Encrypted for Impact

Vulnerability & Threat Campaign Indicators

cve
CVE-2026-50751
Critical Remote Access Bypass (CVSS: 9.3)
cve
CVE-2026-50751
Critical Remote Access Bypass (CVSS: 9.3)
cve
CVE-2026-50752
High Site-to-Site Mitigation (CVSS: 7.4)
cve
CVE-2026-50752
High Site-to-Site Mitigation (CVSS: 7.4)
ip
45.77.149.152
Kaupo Cloud HK - Attacker IP
ip
45.77.149.152
Kaupo Cloud HK - Attacker IP
ip
209.182.225.136
Shock Hosting - Attacker IP
ip
209.182.225.136
Shock Hosting - Attacker IP
ip
144.208.127.155
Observed Campaign Attacker IP
ip
144.208.127.155
Observed Campaign Attacker IP
hash
52fda5c1b9704544f32ee98d9060e689
MD5 (Malicious ELF payload)
hash
52fda5c1b9704544f32ee98d9060e689
MD5 (Malicious ELF payload)
hash
76842bcd75b4429e2c92636274ab0395d91c441c6aea9b76fe8a051659b0c1fc
SHA256 (Malicious ELF payload)
hash
76842bcd75b4429e2c92636274ab0395d91c441c6aea9b76fe8a051659b0c1fc
SHA256 (Malicious ELF payload)

Remediation & Hardening Steps

Progress0 / 4 (0%)

Deploy Recommended Jumbo Hotfixes
Install JHA Take 24 (R82.10), Take 107 (R82), or Take 141 (R81.20).
Restrict VPN Settings to IKEv2 Only
Modify settings inside SmartConsole VPN Community properties or Spark WebUI to block IKEv1.
Enforce Machine-Level Certificate Authentication
Mandate valid machine certificates to prevent logic flow user bypasses.
Activate IPS Signatures
Set the 'IKEv1 Remote Access' signature to Prevent policy action.

How to Defend Against Similar Threats

Apply the recommended vendor hotfixes (JHA) for versions R82.10, R82, or R81.20 immediately.
Disable the deprecated IKEv1 protocol and enforce IKEv2-only connections across all VPN gateways and communities.
Configure gateways to mandate valid Machine Certificate Authentication for all inbound remote access VPN connections.
Search SmartConsole logs for certificate logins that occurred without a corresponding multi-factor or password validation event.

Threat Intel FAQ

What is the primary cause of the CVE-2026-50751 zero-day vulnerability?

The vulnerability stems from a logical bypass in the certificate validation process within the legacy IKEv1 key exchange protocol. By sending a custom VPNExtFeatures Vendor ID during negotiation, an unauthenticated attacker forces the gateway to skip certificate checks and accept the connection.

How can I tell if my Check Point security gateways are vulnerable?

Your gateways are vulnerable only if they have Remote Access VPN or Mobile Access enabled, support the deprecated IKEv1 key exchange protocol, accept legacy Remote Access clients, and do not enforce mandatory machine certificate authentication.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.

Check Point VPN Zero-Day Exploited by Qilin Ransomware

Key Takeaways

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?