Check Point VPN Zero-Day CVE‑2026‑50751 Weaponized by Qilin Ransomware Group
A critical authentication‑bypass flaw (CVE‑2026‑50751, CVSS 9.3) in Check Point's deprecated IKEv1 VPN was actively exploited by the Qilin ransomware gang for over a month before a patch was released, affecting numerous gateway versions and prompting urgent mitigation guidance.
Incident Overview
On June 4, 2026, Check Point's security team detected anomalous activity and began an urgent investigation. The earliest known in-the-wild exploitation dates back to May 7, giving the attackers a full month ahead of the patch.
The primary vulnerability is CVE‑2026‑50751 (CVSS 9.3), an authentication‑bypass flaw in the deprecated IKEv1 protocol that allows a remote‑access VPN session to be established without a valid password. During the same analysis, Check Point's AI‑driven code‑security platform BLAST uncovered a second issue, CVE‑2026‑50752 (CVSS 7.4), which could enable a man‑in‑the‑middle attack on site‑to‑site VPNs; no in‑the‑wild exploitation of it has been observed.
Technical Analysis
Vulnerability Details
The root cause is a logic defect in the IKEv1 fallback functionality. Although IKEv1 is officially deprecated by the IETF, many Check Point gateways retain a fallback option for legacy clients.
Exploitation requires four conditions to be met simultaneously:
Remote‑access or mobile‑access VPN feature is enabled.
IKEv1 key‑exchange is enabled for legacy client compatibility.
The gateway accepts connections from legacy remote‑access clients.
The gateway does not require machine‑certificate authentication.
When all four are present, an attacker can complete the certificate‑validation flow and create a valid VPN session without any password.
Note: Obtaining a VPN session does not automatically grant internal network access; further post‑authentication steps are needed.
Affected Versions
| Product | Release | Affected builds | Action |
|---|---|---|---|
| Security Gateways | R82.10 | JHF Take 19 and earlier | Update required |
| Security Gateways | R82 | JHF Take 103 and earlier | Update required |
| Security Gateways | R81.20 | JHF Take 141 and earlier | Update required |
| Security Gateways | R81.10 | All versions | End‑of‑Support, migrate |
| Security Gateways | R81 | All versions | End‑of‑Support, migrate |
| Security Gateways | R80.40 | All versions | End‑of‑Support, migrate |
| Spark Firewall | R81.10.X | Affected | Update required |
| Spark Firewall | R82.00.X | Affected | Update required |
| Spark Firewall | R80.20.X | All versions | End‑of‑Support, migrate |
EOS (End of Support) versions have no official patches and must be migrated immediately.
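As an added example, not Check Point's own tooling or code from the advisory, the following Python turns the four exploitation preconditions and the affected‑versions table above into a configuration self‑check. The GatewayConfig field names are assumptions, as is the rule that any Jumbo Hotfix Take newer than the listed one carries the fix; Spark releases without a listed Take are treated conservatively as unpatched.

```python
from dataclasses import dataclass

# Constructed gateway model; field names are assumptions, not Check Point's
# configuration keys. The four booleans mirror the advisory's preconditions.
@dataclass
class GatewayConfig:
    release: str                  # e.g. "R82.10"
    jhf_take: int                 # Jumbo Hotfix Take installed (0 if none)
    remote_access_enabled: bool   # remote-/mobile-access VPN feature on
    ikev1_enabled: bool           # IKEv1 fallback for legacy clients on
    legacy_clients_allowed: bool  # gateway accepts legacy remote-access clients
    machine_cert_required: bool   # machine-certificate authentication enforced

# From the affected-versions table: last vulnerable Take per supported release,
# and releases that are End-of-Support (no patch exists; migrate instead).
LAST_VULNERABLE_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
END_OF_SUPPORT = {"R81.10", "R81", "R80.40", "R80.20.X"}

def conditions_present(cfg: GatewayConfig) -> list[str]:
    """Return which of the four exploitation preconditions hold."""
    checks = [
        (cfg.remote_access_enabled, "remote-access VPN enabled"),
        (cfg.ikev1_enabled, "IKEv1 enabled"),
        (cfg.legacy_clients_allowed, "legacy remote-access clients accepted"),
        (not cfg.machine_cert_required, "machine-certificate auth not required"),
    ]
    return [label for hit, label in checks if hit]

def patch_status(cfg: GatewayConfig) -> str:
    if cfg.release in END_OF_SUPPORT:
        return "end-of-support"
    last_bad = LAST_VULNERABLE_TAKE.get(cfg.release)
    if last_bad is None:
        return "unknown"           # not in the table (e.g. Spark): consult SK185033
    # Assumption: any Take newer than the listed one carries the fix.
    return "patched" if cfg.jhf_take > last_bad else "update required"

def assess(cfg: GatewayConfig) -> dict:
    """Exposed = all four conditions present on a gateway that is not known patched."""
    present = conditions_present(cfg)
    status = patch_status(cfg)
    exposed = len(present) == 4 and status != "patched"
    return {"exposed": exposed, "conditions": present, "patch_status": status}

if __name__ == "__main__":
    print(assess(GatewayConfig("R82.10", 19, True, True, True, False)))
```

Removing any one of the four conditions (most simply, enforcing machine‑certificate authentication) closes the exposure even before the hotfix is applied.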
Qilin Ransomware Group
Qilin has operated as a Ransomware‑as‑a‑Service (RaaS) since August 2022 and has compromised roughly 400 victims. Notable incidents include Synnovis, the Nissan Australia design studio, Asahi Beer Japan, Lee Enterprises, Australian court services, and Yanfeng.
Observed infrastructure and tooling:
VPS geographic alignment: VPS hosts located in the same region as the target (e.g., a Taiwanese VPS for Taiwanese victims).
VPS providers: Kaupo Cloud HK, Shock Hosting, Vultr Holdings.
Communication: Tox protocol for anonymous channels.
Data exfiltration: the open‑source tool Rclone, used to upload stolen data.
Lateral expansion: the same infrastructure was also used to exploit VPN flaws in Palo Alto, Fortinet, and F5 products.
CVE‑2026‑50752 – AI‑discovered second flaw
During the deep dive on CVE‑2026‑50751, Check Point's BLAST platform identified CVE‑2026‑50752, another IKEv1 certificate‑validation flaw that could enable a man‑in‑the‑middle attack on site‑to‑site VPNs. No evidence of in‑the‑wild exploitation has been found so far; the discovery underscores the value of AI‑assisted code review.
Attack Timeline
May 7 2026 – First known wild exploitation.
May – early June 2026 – Qilin continuously used the IKEv1 bypass for initial access.
June 4 2026 – Check Point detected anomalies and launched investigation.
Early June 2026 – Exploitation attempts surged.
June 8 2026 – Check Point issued emergency advisory and patches.
Attackers were a month ahead of the official patch. Incident response teams should start forensic log review and configuration audits from May 7.
Indicators of Compromise (IOCs)
Malicious File Hashes
52fda5c1b9704544f32ee98d9060e689
51d39aa39478beeac94f2d12f682ecce
Remediation and Mitigation
Immediate Actions (Highest Priority)
Apply the official patches (see Check Point advisory SK185033).
Disable IKEv1 support. If patching is not possible, reconfigure:
Remove support for legacy remote‑access clients.
Set global VPN authentication to IKEv2 only.
Enforce machine‑certificate authentication.
Enable IPS and update signatures.
Forensic investigation:
Audit VPN logs from May 7 onward.
Search for the attacker IP addresses and file hashes published in the Check Point advisory.
Identify anomalous VPN sessions: unexpected geography, off‑hours, password‑less authentication.
Migrate EOS devices (R81.10, R81, R80.40, R80.20.X) to supported versions immediately.
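An added example, not from the advisory, of the forensic step above: a small triage over constructed session records that keeps only sessions on or after May 7 and flags password‑less authentication, off‑hours timing, unexpected geography, or a source in a known‑attacker set. The record format, the expected‑country set, and the business‑hours window are assumptions; real Check Point logs need a different parser.

```python
import re
from datetime import datetime, time

# Constructed sample session records; NOT the real Check Point log format,
# and every user, address and timestamp here is made up for illustration.
SAMPLE_LOG = """\
2026-05-06T09:12:00 user=alice src=203.0.113.10 geo=TW auth=password
2026-05-09T02:41:00 user=bob src=198.51.100.7 geo=TW auth=none
2026-05-15T11:05:00 user=carol src=192.0.2.55 geo=NL auth=password
2026-05-20T14:20:00 user=dave src=203.0.113.22 geo=TW auth=password
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) geo=(\S+) auth=(\S+)$")
EXPLOIT_START = datetime(2026, 5, 7)   # earliest known exploitation per the advisory
BUSINESS_HOURS = (time(8, 0), time(18, 0))
EXPECTED_GEOS = {"TW"}                 # assumption: where this org's users normally connect from
KNOWN_BAD_IPS: set[str] = set()        # populate from the IOCs published in SK185033

def parse(line: str):
    """Parse one record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, geo, auth = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "geo": geo, "auth": auth}

def anomalies(rec: dict) -> list[str]:
    """The session anomalies the advisory tells responders to look for."""
    flags = []
    if rec["auth"] == "none":
        flags.append("password-less authentication")
    if not BUSINESS_HOURS[0] <= rec["ts"].time() < BUSINESS_HOURS[1]:
        flags.append("off-hours")
    if rec["geo"] not in EXPECTED_GEOS:
        flags.append(f"unexpected geography ({rec['geo']})")
    if rec["src"] in KNOWN_BAD_IPS:
        flags.append("known attacker IP")
    return flags

def triage(log_text: str) -> list[tuple]:
    """Return (timestamp, user, src, reasons) for suspicious sessions on or after May 7."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["ts"] < EXPLOIT_START:
            continue               # unparsable, or before the known exploitation window
        reasons = anomalies(rec)
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["user"], rec["src"], reasons))
    return findings
```

On the sample data, alice's May 6 session is skipped as pre‑window, bob is flagged for password‑less and off‑hours access, and carol for an unexpected country.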
Specific Risks for Domestic Enterprises
Higher‑risk factors include:
Legacy clients retaining IKEv1 fallback.
Machine‑certificate authentication not enforced.
Continued operation of EOS versions.
Large VPN exposure due to pervasive remote‑work.
Self‑check: verify that none of the four conditions for CVE‑2026‑50751 are present in the gateway configuration.
References
Check Point official security advisory https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
Check Point Knowledge Base SK185033 (patch guidance) https://support.checkpoint.com/results/sk/sk185033
Check Point Knowledge Base SK185035 (CVE‑2026‑50752) https://support.checkpoint.com/results/sk/sk185035
Help Net Security report https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/
BleepingComputer in‑depth coverage https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/
The Hacker News technical analysis https://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html
Ctrl‑Alt‑Intel Qilin research report https://ctrlaltintel.com/research/Qilin/
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.