Check Point Patches Critical Zero-Day Exploited in VPN Attacks Linked to Qilin Ransomware
Israeli cybersecurity firm Check Point has released urgent security updates to address a critical authentication bypass vulnerability (CVE-2026-50751) in its Remote Access VPN and Mobile Access deployments. The flaw, actively exploited in zero-day attacks since May 7, allows unauthenticated remote attackers to bypass authentication on vulnerable systems, including Mobile Access/SSL VPNs, Remote Access VPNs, and Spark firewalls.
The vulnerability affects only deployments using the deprecated IKEv1 key exchange protocol, specifically those configured to accept legacy Remote Access clients without requiring machine certificate authentication. Exploitation surged in early June, impacting a few dozen organizations globally, with at least one confirmed case tied to the Qilin ransomware operation.
Check Point’s investigation also uncovered a second flaw (CVE-2026-50752), which enables man-in-the-middle attacks on site-to-site VPN connections due to improper certificate validation in IKEv1. While no active exploitation of CVE-2026-50752 has been observed, the company urges immediate patching to prevent potential exposure.
For organizations unable to patch immediately, Check Point recommends disabling IKEv1 support, enforcing IKEv2-only authentication, mandating machine certificate authentication, and enabling IPS with updated signatures.
Qilin, a Ransomware-as-a-Service (RaaS) group active since August 2022, has claimed nearly 400 victims via its dark web leak site, targeting high-profile entities such as Nissan, Asahi, Lee Enterprises, Synnovis, and Australia’s Court Services Victoria. The group’s involvement in the Check Point VPN attacks underscores the growing threat of ransomware actors exploiting critical infrastructure vulnerabilities.
Nissan Motor Corporation cybersecurity rating report: https://www.rankiteo.com/company/nissan-motor-corporation
Check Point Software cybersecurity rating report: https://www.rankiteo.com/company/check-point-software-technologies
Harcourts Real Estate cybersecurity rating report: https://www.rankiteo.com/company/harcourts
"id": "NISCHEHAR1780929039",
"linkid": "nissan-motor-corporation, check-point-software-technologies, harcourts",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': 'Global',
'name': 'Check Point customers (few dozen '
'organizations globally)',
'type': 'Organizations'}],
'attack_vector': 'Remote Access VPN, Mobile Access/SSL VPN, Spark firewalls',
'date_detected': '2026-05-07',
'description': 'Israeli cybersecurity firm Check Point has released urgent '
'security updates to address a critical authentication bypass '
'vulnerability (CVE-2026-50751) in its Remote Access VPN and '
'Mobile Access deployments. The flaw, actively exploited in '
'zero-day attacks since May 7, allows unauthenticated remote '
'attackers to bypass authentication on vulnerable systems, '
'including Mobile Access/SSL VPNs, Remote Access VPNs, and '
'Spark firewalls. The vulnerability affects only deployments '
'using the deprecated IKEv1 key exchange protocol, '
'specifically those configured to accept legacy Remote Access '
'clients without requiring machine certificate authentication. '
'Exploitation surged in early June, impacting a few dozen '
'organizations globally, with at least one confirmed case tied '
'to the Qilin ransomware operation. Check Point’s '
'investigation also uncovered a second flaw (CVE-2026-50752), '
'which enables man-in-the-middle attacks on site-to-site VPN '
'connections due to improper certificate validation in IKEv1.',
'impact': {'systems_affected': 'Remote Access VPN, Mobile Access/SSL VPN, '
'Spark firewalls'},
'initial_access_broker': {'entry_point': 'Remote Access VPN/Mobile Access '
'deployments using IKEv1'},
'investigation_status': 'Ongoing',
'motivation': 'Ransomware, Data Exfiltration',
'post_incident_analysis': {'corrective_actions': 'Patching, disabling IKEv1, '
'enforcing IKEv2, mandating '
'machine certificates, '
'enabling IPS',
'root_causes': 'Use of deprecated IKEv1 protocol '
'without machine certificate '
'authentication, improper '
'certificate validation in IKEv1'},
'ransomware': {'data_exfiltration': "Possible (based on Qilin's typical "
'tactics)',
'ransomware_strain': 'Qilin'},
'recommendations': 'Immediate patching, disabling IKEv1 support, enforcing '
'IKEv2-only authentication, mandating machine certificate '
'authentication, enabling IPS with updated signatures',
'references': [{'source': 'Check Point Security Advisory'}],
'response': {'containment_measures': 'Disabling IKEv1 support, enforcing '
'IKEv2-only authentication, mandating '
'machine certificate authentication, '
'enabling IPS with updated signatures',
'enhanced_monitoring': 'IPS with updated signatures',
'remediation_measures': 'Security updates/patches released'},
'threat_actor': 'Qilin Ransomware Group',
'title': 'Check Point Patches Critical Zero-Day Exploited in VPN Attacks '
'Linked to Qilin Ransomware',
'type': 'Zero-Day Exploitation',
'vulnerability_exploited': ['CVE-2026-50751', 'CVE-2026-50752']}