Check Point VPN Flaw Exploited by Qilin Ransomware
Key insights
- CVE-2026-50751 scores CVSS 9.3 and lets unauthenticated attackers bypass VPN authentication via a certificate-validation logic flaw when IKEv1 is enabled.
- A Qilin ransomware affiliate confirmed an intrusion using this bypass, deploying ELF payloads with Tox protocol C2, with earliest exploitation traced to May 7, 2026.
- Emergency hotfixes cover all affected release trains from R80.40 through R82.10; companion flaw CVE-2026-50752 (CVSS 7.40) was also disclosed with no active exploitation confirmed.
Why this matters
VPN gateways are the authenticated perimeter for enterprise networks, and a CVSS 9.3 bypass requiring no credentials means attackers enter before any access policy fires. The confirmed Qilin ransomware affiliate link shows this has already moved from proof-of-concept to an active intrusion chain, compressing the patch window for every affected organization. Security teams on R80.40 through R82.10 release trains with IKEv1 enabled or legacy Remote Access clients permitted should treat this as an emergency patching event, not a scheduled maintenance item.
Summary
Check Point faces active exploitation of CVE-2026-50751, a CVSS 9.3 authentication bypass in Security Gateway and Spark Firewall products that lets unauthenticated attackers establish full VPN sessions with no valid credentials.
The vulnerability is a logic flaw in certificate validation, triggered when IKEv1 is enabled and the gateway accepts legacy Remote Access clients. The bypass alone does not immediately expose internal network resources (additional post-authentication steps are required to reach internal systems or escalate privileges), but attackers are already chaining it further.
At least one confirmed intrusion, attributed by Check Point to a Qilin ransomware affiliate, has already leveraged this bypass, deploying malicious ELF files and using the Tox protocol for C2 communications.
- Exploitation traces back to May 7, 2026; Check Point first detected suspicious activity on June 4, 2026.
- Scope is currently limited to a few dozen targeted organizations globally, with attackers using VPS infrastructure geolocated to target specific regions.
- A companion flaw, CVE-2026-50752 (CVSS 7.40), was found in site-to-site VPN connections with no confirmed real-world exploitation yet.
Hotfixes cover all affected releases from R80.40 through R82.10.
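The advisory's exposure condition is a conjunction: an affected release train (R80.40 through R82.10), plus IKEv1 enabled or legacy Remote Access clients permitted, minus gateways that already carry the hotfix. The triage helper below is an added example, not code from the article or from Check Point; it assumes a hypothetical inventory export (a list of dicts with the field names shown, which are assumptions, not a Check Point format) and uses constructed sample hosts. It parses release strings numerically, because a plain string comparison misorders minor versions, and sorts gateways so the emergency items come first.

```python
"""Triage helper: flag Check Point gateways exposed to CVE-2026-50751.

Added example, not from the article or from Check Point. It assumes a
hypothetical inventory export (a list of dicts) produced by your own asset
system; the field names below are assumptions, not a Check Point format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected release trains named in the advisory summary: R80.40 through R82.10.
AFFECTED_MIN = (80, 40)
AFFECTED_MAX = (82, 10)

_RELEASE_RE = re.compile(r"^R(\d+)\.(\d+)$")


def parse_release(release: str) -> tuple[int, int]:
    """Turn 'R81.20' into (81, 20) so ranges compare numerically.

    A plain string comparison would wrongly order 'R81.5' after 'R81.20'.
    """
    m = _RELEASE_RE.match(release.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Check Point release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def in_affected_range(release: str) -> bool:
    """True when the release falls inside R80.40..R82.10 inclusive."""
    return AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX


@dataclass
class Finding:
    gateway: str
    priority: str  # "emergency", "patch", or "ok"
    reason: str


def triage(gateway: dict) -> Finding:
    """Classify one inventory record against the advisory's exposure condition:
    affected release AND (IKEv1 enabled OR legacy RA clients) AND no hotfix."""
    name = gateway["name"]
    if not in_affected_range(gateway["release"]):
        return Finding(name, "ok", "release outside R80.40-R82.10")
    if gateway.get("hotfix_applied", False):
        return Finding(name, "ok", "emergency hotfix already applied")
    exposed = gateway.get("ikev1_enabled", False) or gateway.get("legacy_ra_clients", False)
    if exposed:
        return Finding(name, "emergency",
                       "affected release with IKEv1/legacy RA exposure and no hotfix")
    return Finding(name, "patch",
                   "affected release; bypass precondition not present, still apply hotfix")


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    {"name": "gw-hq-1", "release": "R81.20", "ikev1_enabled": True,
     "legacy_ra_clients": False, "hotfix_applied": False},
    {"name": "gw-branch-7", "release": "R81.10", "ikev1_enabled": False,
     "legacy_ra_clients": True, "hotfix_applied": False},
    {"name": "gw-dc-2", "release": "R82.10", "ikev1_enabled": True,
     "legacy_ra_clients": True, "hotfix_applied": True},
    {"name": "gw-lab", "release": "R80.30", "ikev1_enabled": True,
     "legacy_ra_clients": True, "hotfix_applied": False},
    {"name": "gw-dmz", "release": "R82.10", "ikev1_enabled": False,
     "legacy_ra_clients": False, "hotfix_applied": False},
]


def triage_all(inventory: list[dict]) -> list[Finding]:
    """Emergency items first, then patch, then ok (stable within each class)."""
    order = {"emergency": 0, "patch": 1, "ok": 2}
    return sorted((triage(g) for g in inventory), key=lambda f: order[f.priority])


if __name__ == "__main__":
    for f in triage_all(SAMPLE_INVENTORY):
        print(f"{f.priority:9s} {f.gateway:12s} {f.reason}")
```

The "patch" class exists because a gateway on an affected train with IKEv1 off and no legacy clients is outside the stated bypass precondition today but still needs the hotfix; treating it as "ok" would hide it from the patch queue.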
Potential risks and opportunities
Risks
- Unpatched Check Point Security Gateway and Spark Firewall operators on R80.40 through R82.10 face active ransomware deployment chains from Qilin-affiliated actors already using geolocated VPS infrastructure to target organizations.
- Enterprises running legacy Remote Access clients that cannot quickly disable IKEv1 support may have no short-term mitigation other than gateway isolation, creating operational exposure during any patch window.
- CVE-2026-50752 (CVSS 7.40) in site-to-site VPN could see exploitation attempts escalate now that attacker attention is focused on Check Point gateway architecture, threatening partner-to-partner network boundaries.
Opportunities
- Zero-trust network access vendors (Zscaler, Palo Alto Prisma Access, Cloudflare Access) gain immediate sales leverage at Check Point accounts accelerating legacy VPN replacement decisions.
- Incident response firms with Check Point gateway forensics depth (CrowdStrike, Mandiant) will see rapid demand from the confirmed victim organizations and sector peers conducting threat hunts.
- Threat intelligence vendors tracking Qilin ransomware infrastructure (Recorded Future, Intel 471) can package high-value advisory bundles around the campaign IOCs including VPS geolocations and Tox C2 indicators.
What we don't know yet
- Whether the few dozen targeted organizations globally have been individually notified by Check Point or coordinating agencies, and whether a specific sector pattern such as critical infrastructure is visible in the targeting.
- How the Qilin affiliate obtained knowledge of CVE-2026-50751 before or around public disclosure, whether through independent discovery, a broker, or access to Check Point research.
- Whether CVE-2026-50752 (CVSS 7.40) in site-to-site VPN shares the same root cause as CVE-2026-50751, and whether exploitation attempts against it have begun since the advisory was published.
Originally reported by thehackernews.com
Original headline: Check Point Discloses CVE-2026-50751 — CVSS 9.3 VPN Auth Bypass Actively Exploited by Qilin Ransomware Affiliate