Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks

Jeff Davies 09 Jun 2026 4 min read

Issuer: Adverse Trace | Date issued: 2026-06-09 | Version: 1.0

1. Executive summary

A critical authentication bypass vulnerability (CVE-2026-50751, CVSS 9.3) in Check Point Remote Access VPN and Mobile Access is being actively exploited in the wild as a zero-day. Exploitation allows unauthenticated attackers to establish VPN sessions without valid credentials, with confirmed linkage to Qilin ransomware affiliates in at least one incident. Activity began on May 7, 2026, and intensified in early June, affecting several dozen organizations globally. EMEA financial institutions utilizing Check Point gateways with deprecated IKEv1 configurations face immediate risk of network perimeter compromise and subsequent data exfiltration or encryption.

2. Regulatory framing

| Regulation | Article / Requirement | Practical Impact for Financial Entities |
|---|---|---|
| DORA | Art. 17 (Mgmt of ICT Risk) | Immediate requirement to identify exposure of Check Point assets and apply vendor hotfixes to mitigate the logic-flow weakness. |
| DORA | Art. 19 (Incident Reporting) | If exploitation results in significant operational impact or data breach, major incident reporting timelines (initial 24h) are triggered. |
| DORA | Art. 28-30 (Testing & Resilience) | Validates necessity of continuous vulnerability management; failure to patch known exploited vulnerabilities (KEV) may be viewed as negligence in resilience testing. |
| NIS2 | Art. 21(2)(d) | Mandates immediate implementation of measures to prevent, detect, and mitigate supply chain and software vulnerabilities. |
| NIS2 | Art. 23 | Requires notification to competent authorities if the incident causes significant disruption to essential services. |

3. Attack chain

  1. Reconnaissance: Attacker identifies target organizations running Check Point Remote Access VPN or Mobile Access with deprecated IKEv1 key exchange enabled.
  2. Exploitation: Attacker leverages CVE-2026-50751 (logic-flow weakness in certificate validation) to bypass authentication mechanisms.
  3. Access Establishment: Attacker establishes a valid VPN session without providing a user password or valid credentials.
  4. Post-Exploitation: In confirmed cases, the actor deploys Qilin ransomware payloads following network access.

Unconfirmed steps: While Check Point assesses with "medium confidence" that the same threat actor infrastructure is exploiting vulnerabilities in Palo Alto Networks, Fortinet, and F5 products, specific technical linkage or simultaneous exploitation chains involving these vendors have not been publicly confirmed in the provided sources. Additionally, while CVE-2026-50752 (MITM potential) exists in the same codebase, there are no reports of its active exploitation in the wild.

4. Mitigation & containment

P1: Immediate (Within 24h)
  • Patch Application: Apply Check Point emergency hotfixes for CVE-2026-50751 immediately. This affects Remote Access VPN, Mobile Access, and Spark Firewalls using IKEv1.
  • Action: Download and install the specific hotfix version released by Check Point on Monday, June 8, 2026, via the Check Point UserCenter.
  • Configuration Hardening: If immediate patching is not feasible, disable the deprecated IKEv1 key exchange protocol on all Security Gateways and Spark Firewalls.
  • Command (Gaia OS): Navigate to SmartConsole > Gateway Properties > IPsec VPN > Advanced and ensure only IKEv2 is selected. Alternatively, use the CLI: set vpn ike-support ikev2-only (verify the exact syntax against the documentation for your Gaia version).
  • Network Segmentation: Isolate management interfaces of Check Point gateways from untrusted networks until verification of the patch is complete.

P2: Short-term (Within 72h)
  • Log Analysis: Review VPN logs for successful connections originating from unexpected IP addresses or occurring outside of business hours, specifically looking for sessions established without the standard authentication handshake latency.
  • Vendor Coordination: Confirm with Check Point support that the applied hotfix version specifically addresses CVE-2026-50751.

P3: Medium-term (Within 7 days)
  • Audit IKEv1 Usage: Conduct a fleet-wide audit to ensure no legacy systems require IKEv1. If it is required, implement strict access control lists (ACLs) limiting IKEv1 traffic to known, trusted peer IPs only.
  • Threat Hunting: Scan endpoints for Qilin ransomware indicators (file extensions, ransom notes) if VPN logs show suspicious successful connections prior to patching.
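The P2 log review and the P3 IKEv1 audit above can be driven by one triage pass over exported VPN session logs. The script below is an added example and is not Adverse Trace's or Check Point's own tooling: the key=value log format, the `auth_ms` handshake-latency field, the trusted networks and the business-hours window are all assumptions that must be mapped onto the real export before use.

```python
"""Triage successful VPN sessions for the hunt criteria in P2/P3 (added example)."""
import ipaddress
from datetime import datetime, time

# Constructed sample lines in a hypothetical key=value layout (NOT Check Point's native format).
SAMPLE_LOGS = """\
time=2026-06-03T02:14:07 action=accept user=j.smith src=203.0.113.45 ike=v1 auth_ms=41
time=2026-06-03T09:30:12 action=accept user=a.jones src=198.51.100.20 ike=v2 auth_ms=812
time=2026-06-03T11:05:44 action=reject user=unknown src=203.0.113.45 ike=v1 auth_ms=0
time=2026-06-03T14:22:01 action=accept user=svc-backup src=192.0.2.77 ike=v1 auth_ms=35
""".splitlines()

# Assumptions: expected client/peer ranges, gateway-local business hours, and the
# minimum time a genuine credential exchange is expected to take.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("192.0.2.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
MIN_AUTH_MS = 200


def parse_line(line):
    """Split one 'k=v k=v ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def triage(lines, trusted=TRUSTED_NETS):
    """Return (user, src, reasons) for every accepted session that trips a hunt criterion.

    Rejected sessions are skipped: the concern is sessions that succeeded without
    normal authentication, not failed attempts.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") != "accept":
            continue
        ts = datetime.fromisoformat(rec["time"])
        src = ipaddress.ip_address(rec["src"])
        reasons = []
        if not any(src in net for net in trusted):
            reasons.append("untrusted source")
        if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if rec.get("ike") == "v1":  # P3: every IKEv1 session is an audit finding
            reasons.append("IKEv1 session")
        if int(rec.get("auth_ms", 0)) < MIN_AUTH_MS:  # P2: suspiciously short handshake
            reasons.append("short authentication handshake")
        if reasons:
            findings.append((rec["user"], str(src), reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in triage(SAMPLE_LOGS):
        print(f"{user} from {src}: {', '.join(reasons)}")
```

Sessions that hit several criteria at once (untrusted source, off-hours, IKEv1, near-zero handshake) are the ones to escalate to the P3 endpoint hunt first.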

5. Indicators of compromise

No specific file hashes, IP addresses, domains, or distinctive strings associated with the Qilin payload or the exploit traffic were provided in the source material. The sources confirm the method (CVE-2026-50751) and the actor (Qilin affiliate), but do not list technical IOCs.

No indicators of compromise available in the source material.

6. Detection

Insufficient indicators to author detection rules. The provided sources describe the vulnerability mechanism (logic-flow weakness in certificate validation) and the outcome (authentication bypass), but do not contain the specific payload hashes, unique network signatures, mutex names, or ransom note strings required to construct valid YARA or Sigma rules; any rule written now would rest on fabricated values.

7. Sources

  • SecurityWeek, "Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks", https://www.securityweek.com/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks/, 2026-06-09.
  • BleepingComputer, "Check Point links VPN zero-day attacks to Qilin ransomware gang", https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/, 2026-06-09.
  • Dark Reading, "Check Point VPN Flaw Exploited Since Early May", https://www.darkreading.com/vulnerabilities-threats/check-point-vpn-flaw-exploited-early-may, 2026-06-09.
  • Help Net Security, "Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)", https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/, 2026-06-08.
  • BleepingComputer, "CISA gives feds 3 days to patch Check Point VPN bug exploited as zero-day", https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-check-point-flaw-exploited-by-ransomware-gangs/, 2026-06-09.
  • The Register, "Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix", https://www.theregister.com/cyber-crime/2026/06/08/attackers-had-month-long-head-start-on-patched-check-point-vpn-zero-day/5252438, 2026-06-08.

8. Adverse Trace position

We assess the severity of CVE-2026-50751 as Critical due to the combination of a high CVSS score (9.3), active zero-day exploitation, and confirmed ransomware deployment (Qilin). The impact on EMEA financial services is high given the widespread deployment of Check Point infrastructure in the sector; the ability to bypass authentication entirely renders perimeter defenses ineffective if IKEv1 is enabled. We expect exploitation attempts to increase as the vulnerability details become public knowledge. Our team will monitor for the release of specific technical IOCs (hashes, IPs) from Check Point or CISA to update detection capabilities immediately. Clients must prioritize patching over all other maintenance windows.


Published via PulseTrace — Adverse Trace threat intelligence.
