Issuer: Adverse Trace Date issued: 2026-06-09 Version: 1.0
1. Executive summary
Check Point has confirmed active exploitation of CVE-2026-50751, a critical improper authentication vulnerability (CVSS 9.3) affecting Remote Access VPN and Mobile Access deployments that still accept the deprecated IKEv1 protocol. The flaw lets an unauthenticated remote attacker bypass the user password requirement and establish a VPN session; exploitation has been observed since May 7, 2026, about a month before a fix was available. At least one incident is attributed to a Qilin ransomware affiliate, at medium confidence. For EMEA financial services this is an immediate matter under DORA (ICT-related incident management and reporting, Art. 17 and 19) and NIS2 Art. 21(2)(e) (vulnerability handling and disclosure). CISA has added the CVE to its Known Exploited Vulnerabilities catalog with a due date of June 11, 2026; that date binds US federal civilian agencies under BOD 22-01, not EU entities, but it is a reasonable internal remediation target for any entity exposed to an actively exploited remote authentication bypass.
2. Regulatory framing
| Regulation | Article | Practical Impact for Financial Entities |
|---|---|---|
| DORA | Art. 17 (ICT-related incident management process) | Exploitation attempts and any resulting intrusion must be detected, handled, recorded and root-caused under the entity's incident management process. Leaving an actively exploited, vendor-fixed flaw unmitigated is hard to defend as an ICT risk management control. The CISA KEV due date (2026-06-11) binds US federal civilian agencies under BOD 22-01, not EU financial entities, but it is a sensible internal target. |
| DORA | Art. 19 (Reporting of major ICT-related incidents) | If exploitation results in unauthorised access to critical functions and the incident is classified as major, the initial notification is due within 24 hours of the entity becoming aware of it. |
| DORA | Art. 24-27 (Testing) and Art. 28-30 (ICT third-party risk) | Emergency testing of VPN ingress points, and verification of the mitigation status of Check Point as an ICT third-party provider. |
| NIS2 | Art. 21(2)(e) | Vulnerability handling and disclosure is a required risk-management measure; an actively exploited known CVE left unmitigated undermines it. |
| NIS2 | Art. 21(2)(d) | Supply chain security; entities relying on Check Point gateways must verify the vendor's mitigation status immediately. |
| NIS2 | Art. 23 (Reporting obligations) | A significant incident triggers an early warning to the CSIRT or competent authority within 24 hours and an incident notification within 72 hours. |
3. Attack chain
- Reconnaissance: Attacker identifies a Check Point Security Gateway, Spark Firewall, or Mobile Access endpoint configured to accept IKEv1 key exchanges without requiring machine certificates.
- Exploitation: The attacker abuses a logic flaw in certificate validation during the IKEv1 handshake.
- Authentication Bypass: The gateway accepts the exchange as valid and establishes a Remote Access VPN session without a valid user password or other credentials.
- Post-Exploitation (Confirmed): With a VPN session established, the attacker reaches internal resources over the tunnel. In observed cases this led to lateral movement and ransomware deployment attributed to a Qilin affiliate.
Unconfirmed Steps: Check Point assesses with medium confidence that Qilin ransomware affiliates are behind specific incidents; the full scope of the campaign and the post-bypass toolset (beyond general ransomware activity) have not been publicly detailed in the cited sources. A second vulnerability in the same code path, CVE-2026-50752 (MITM potential), is confirmed, but no exploitation of it has been observed.
4. Mitigation & containment
P1: Immediate Containment (Within 24h)
- Disable IKEv1: If business continuity allows, disable IKEv1 support on all affected gateways and force clients to IKEv2. In SmartConsole, open the gateway properties and clear "Support IKEv1" under VPN > IKE Properties; confirm the exact setting for your release against the Check Point advisory before changing it.
- Enforce Machine Certificates: Require machine certificate authentication for all Remote Access connections and reject connections that rely solely on user credentials over IKEv1.
- Network Isolation: If patching cannot be performed immediately, restrict management and VPN ingress (IKE on UDP/500 and NAT-T on UDP/4500) to known trusted IP ranges with a filter in front of the Check Point enforcement point, and treat any IKEv1 accept from outside those ranges as a suspected intrusion.
P2: Remediation (Within 72h / By CISA KEV Due Date 2026-06-11)
- Apply Vendor Hotfix: Install the hotfix Check Point released on June 8, 2026.
- Target Products: Check Point Security Gateway, Spark Firewall, Remote Access VPN, Mobile Access.
- Version: Refer to the Check Point security advisory for exact build numbers (typically delivered as Jumbo Hotfix Accumulator takes).
- Configuration Audit: Verify that no legacy Remote Access clients still require IKEv1; the gateway's VPN logs show which sources negotiate it. Where such clients exist, migrate them to IKEv2-capable clients rather than retaining the vulnerable protocol.
P3: Validation & Monitoring (Within 7 days)
- Log Review: Search firewall and VPN logs from May 7, 2026 to the date of patching for IKEv1 Remote Access sessions accepted without a corresponding user authentication event, from unexpected source IPs, or at unusual hours. Preserve the evidence and handle any hit under the incident management process.
- Third-Party Verification: Engage external auditors to validate that IKEv1 is disabled or properly mitigated across the estate, supporting the DORA Art. 28 third-party risk and Art. 24-27 testing obligations.
5. Indicators of compromise
The source material provides no file hashes, IP addresses or domains tied to exploitation of CVE-2026-50751. The primary indicator is behavioural: an IKEv1 Remote Access session accepted by the gateway without a corresponding valid user authentication, typically from a source address that is not a known client egress. Treat any such session as a suspected intrusion and scope from it (session source, internal destinations reached, accounts touched).
6. Detection
YARA Rule Note: The sources do not provide malware strings, mutexes, or file paths unique to the exploit; the vulnerability is a logic flaw in the gateway's IKEv1 authentication path, so there is no file artefact for a YARA rule to match. Indicators are insufficient for a file-based rule; detection has to be behavioural, at the gateway logs.
Sigma Rule: The following rule detects the behavioural pattern of the bypass, an IKEv1 VPN session accepted on a Check Point gateway with no user authentication context, and bursts of IKEv1 accepts.
```yaml
title: Check Point IKEv1 VPN Accept Without User Context
id: 8f3b2c1d-9e4a-4f5b-8c7d-6e5f4a3b2c1d
name: checkpoint_ikev1_accept_no_user
status: experimental
description: Detects potential exploitation of CVE-2026-50751 on Check Point gateways, an IKEv1 Remote Access VPN connection accepted with no user identity in the log record.
author: Adverse Trace
date: 2026-06-09
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-50751
  - https://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html
logsource:
  product: checkpoint
  category: firewall
detection:
  selection:
    Protocol|contains: 'IKEv1'
    Action: 'accept'
    Service|contains: 'VPN'
    # Heuristic: the bypass yields an accepted session with no authenticated user.
    # Field names vary by Check Point logging configuration (e.g. 'user', 'src_user');
    # map them to the Log Exporter fields in use before deploying.
    user|exists: false
  condition: selection
falsepositives:
  - Legitimate legacy clients using IKEv1 with valid machine certificates (requires log enrichment to distinguish).
  - Log exports that omit the user field for every record.
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.50751
---
title: Check Point User-less IKEv1 VPN Accept Burst From One Source
status: experimental
description: Raises severity when 50 or more user-less IKEv1 accepts arrive from a single source within five minutes, which separates an automated bypass attempt from a stray legacy client.
author: Adverse Trace
date: 2026-06-09
correlation:
  type: event_count
  rules:
    - checkpoint_ikev1_accept_no_user
  group-by:
    - src      # Check Point source address field; adjust to the export in use
  timespan: 5m
  condition:
    gte: 50    # tune to the gateway's normal IKEv1 volume
falsepositives:
  - Scheduled bulk VPN connections from a shared egress address.
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.50751
```
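The P3 log review and the Sigma heuristics above come down to the same triage over the gateway's VPN logs. As an added example (not Check Point tooling, nor code from the cited sources), the Python script below runs that triage over Check Point-style key=value log lines: it ignores events before the May 7, 2026 window, inventories which sources still negotiate IKEv1 (the P2 configuration audit), flags IKEv1 accepts that carry no user identity or come from outside a trusted-range allowlist, and raises a per-source burst finding when user-less accepts cluster within five minutes. The log format, the field names (time, action, src, user, service, protocol) and the sample lines are constructed assumptions; map them onto the Log Exporter format actually in use.

```python
"""IKEv1 Remote Access accept triage for CVE-2026-50751 indicators.

Added example for this advisory, not Check Point tooling or code from the cited
sources. The key=value format, the field names (time, action, src, user, service,
protocol) and the sample lines are constructed assumptions; map them onto the
Log Exporter format actually in use.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from collections.abc import Iterable
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)  # earliest observed exploitation
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')        # key="quoted" or key=bare

# Constructed sample export with assumed field names; not real gateway output.
SAMPLE_LOG = """\
time=2026-05-02T08:01:10Z action=accept src=203.0.113.10 user="alice" service="Remote Access VPN" protocol=IKEv1
time=2026-05-09T02:14:33Z action=accept src=198.51.100.77 service="Remote Access VPN" protocol=IKEv1
time=2026-05-09T02:14:40Z action=accept src=198.51.100.77 service="Remote Access VPN" protocol=IKEv1
time=2026-05-09T09:00:05Z action=accept src=203.0.113.10 user="alice" service="Remote Access VPN" protocol=IKEv1
time=2026-05-09T09:00:06Z action=accept src=203.0.113.11 user="bob" service="Remote Access VPN" protocol=IKEv2
time=2026-05-09T09:00:07Z action=drop src=198.51.100.78 service="Remote Access VPN" protocol=IKEv1
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # 'no_user', 'untrusted_src' or 'burst'
    src: str
    time: datetime
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Parse one key=value record; quoted values may contain spaces."""
    fields: dict[str, str] = {}
    for m in KV_RE.finditer(line):
        if m.group(1):
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def is_ikev1_accept(ev: dict[str, str]) -> bool:
    """Same selection as the Sigma rule: accepted IKEv1 traffic on a VPN service."""
    return (ev.get("action", "").lower() == "accept"
            and "ikev1" in ev.get("protocol", "").lower()
            and "vpn" in ev.get("service", "").lower())


def triage(lines: Iterable[str], trusted_ranges: Iterable[str], burst_threshold: int = 50,
           burst_window: timedelta = timedelta(minutes=5)) -> tuple[list[Finding], dict[str, set[str]]]:
    """Return (findings, inventory) over IKEv1 accepts on or after WINDOW_START.

    inventory maps each source to the user identities seen with it ('<none>' for
    accepts carrying no user); it is the list of clients still negotiating IKEv1.
    """
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    findings: list[Finding] = []
    inventory: dict[str, set[str]] = defaultdict(set)
    recent: dict[str, deque[datetime]] = defaultdict(deque)  # user-less accept times per src
    for line in lines:
        ev = parse_line(line)
        if not is_ikev1_accept(ev):
            continue
        t = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        if t < WINDOW_START:
            continue
        src, user = ev.get("src", "?"), ev.get("user", "")
        inventory[src].add(user or "<none>")
        try:
            from_trusted = any(ipaddress.ip_address(src) in net for net in trusted)
        except ValueError:   # unparsable source address is never trusted
            from_trusted = False
        if not from_trusted:
            findings.append(Finding("untrusted_src", src, t, f"user={user or '<none>'}"))
        if user:
            continue          # authenticated user present: not the bypass pattern
        findings.append(Finding("no_user", src, t, "IKEv1 accept with no user identity"))
        window = recent[src]
        window.append(t)
        while window and t - window[0] > burst_window:
            window.popleft()
        if len(window) == burst_threshold:   # fire once, as the threshold is crossed
            findings.append(Finding("burst", src, t,
                                    f"{burst_threshold} user-less accepts within {burst_window}"))
    return findings, dict(inventory)


if __name__ == "__main__":
    found, seen = triage(SAMPLE_LOG.splitlines(), ["203.0.113.0/24"])
    for f in found:
        print(f"{f.time.isoformat()} {f.kind:14} src={f.src} {f.detail}")
    print("IKEv1 clients still in use:", {s: sorted(u) for s, u in seen.items()})
```

On the sample data the two user-less accepts from 198.51.100.77 each produce an untrusted-source and a no-user finding, the pre-window line from alice is skipped, and the inventory shows both the legitimate IKEv1 user (a migration candidate for P2) and the user-less source. A trusted source that negotiates IKEv1 without a user is still flagged, because the trusted-range check only lowers the priority of a hit; it does not explain it. Feed the real export through `triage()` with the organisation's client egress ranges, and escalate every `no_user` and `burst` finding to incident handling.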
7. Sources
- NIST National Vulnerability Database, "CVE-2026-50751", https://nvd.nist.gov/vuln/detail/CVE-2026-50751, 2026-06-07.
- The Hacker News, "Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups", https://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html, 2026-06-08.
- Rapid7 Blog, "Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)", https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751, 2026-06-08.
- The Register Security, "Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix", https://www.theregister.com/cyber-crime/2026/06/08/attackers-had-month-long-head-start-on-patched-check-point-vpn-zero-day/5252438, 2026-06-08.
- Help Net Security, "Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)", https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/, 2026-06-08.
- CISA, "Known Exploited Vulnerabilities Catalog", https://www.cisa.gov/known-exploited-vulnerabilities-catalog, (Entry added 2026-06-08).
8. Adverse Trace position
We assess the severity of CVE-2026-50751 as Critical for any EMEA financial institution running Check Point gateways with IKEv1 enabled, driven by confirmed active exploitation, a CVSS score of 9.3, and the involvement of ransomware actors. The CISA KEV due date of June 11, 2026 binds US federal civilian agencies under BOD 22-01 rather than EU entities, but it is the right internal target: DORA's incident management and ICT risk obligations leave no defensible reason to keep an actively exploited authentication bypass unmitigated for longer. We recommend clients immediately audit their VPN configurations for IKEv1 usage, apply the vendor hotfix, enforce machine certificate requirements, and review gateway logs back to May 7, 2026 for IKEv1 sessions accepted without a user identity. Adverse Trace will continue to monitor for specific IOCs and post-exploitation tactics associated with the Qilin affiliate and other actors leveraging this vector.
Published via PulseTrace — Adverse Trace threat intelligence.