On 9 June 2026, Germany's Federal Office for Information Security (BSI) published a security advisory rated Yellow (level 2 of 4). The trigger: an actively exploited vulnerability in Check Point Remote Access VPN and Mobile Access that allows attackers to establish VPN connections without a valid password.
If you operate Check Point VPN solutions, you need to act now.
What Is Going On?
On 8 June 2026, Check Point published an advisory for CVE-2026-50751. The vulnerability stems from a logic error in the certificate validation process of the deprecated IKEv1 key exchange. With a CVSS score of 9.3, it is rated critical.
The consequence: a remote attacker can completely bypass user authentication and establish a VPN connection without knowing the password. No phishing, no credential leak required — the vulnerability alone is sufficient.
During the investigation, a second vulnerability was also discovered: CVE-2026-50752 (CVSS 7.4). It also affects IKEv1 and allows an attacker in a man-in-the-middle position to intercept or manipulate site-to-site VPN connections.
Who Is Affected?
The following products are affected:
Check Point Remote Access VPN and Mobile Access / SSL VPN
Spark Firewalls with the deprecated IKEv1 key exchange enabled
The vulnerability is exploitable when all of the following conditions are met:
VPN remote access or mobile access is enabled
IKEv1 is active for remote access
Gateways accept legacy remote access clients
Gateways do not require a machine certificate for connections
Affected gateway versions (CVE-2026-50751):
R82.10 Jumbo Hotfix Take 19 or earlier
R82 Jumbo Hotfix Take 103 or earlier
R81.20 Jumbo Hotfix Take 141 or earlier
R81.10, R81, R80.40, R80.20.X (all End-of-Support)
Spark Firewalls: R81.10.X and R82.00.X
How Long Has This Been Going On?
According to Check Point, the vulnerability has been actively exploited since early May 2026. Over the past weeks, attackers have used it to gain access to internal networks of multiple organisations. In at least one case, the activity was linked to an affiliate of the Qilin ransomware group.
The attackers used VPS infrastructure from providers including Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. In some cases, this meant the attacker IPs shared the same country code as the targeted organisations — a deliberate obfuscation technique.
What Do You Need to Do Now?
1. Apply Patches
Check Point has released hotfixes for both vulnerabilities. Details and download links are available directly from the vendor:
2. Activate Workarounds (If Patching Is Not Immediately Possible)
For CVE-2026-50751, three options are available:
Option 1: Remove support for legacy remote access clients
Option 2: Set global remote access VPN authentication settings to IKEv2 only
Option 3: Make machine certificate authentication mandatory
For CVE-2026-50752: Configure all VPN communities to use IKEv2 exclusively.
3. Check for Compromise
Anyone who has been running the affected configuration since early May 2026 should conduct a thorough log investigation. Specifically:
Search logs via SmartConsole for IKE-related events "Key Install" and "Quick"
Check for connections from known attacker IPs (see below)
Identify suspicious VPS addresses and geographic anomalies
Check Point provides an up-to-date list of Indicators of Compromise (IoCs) in advisory CP26a.
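One way to script the log review described above, as an added example that is not code from Check Point or from the original article. It assumes a CSV log export with hypothetical columns `time`, `src` and `event`, takes "early May 2026" as 1 May, and uses documentation-range addresses as placeholders for the CP26a IoC list and for hosting-provider ranges.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Assumption: "early May 2026" is taken as 1 May; widen it to match your exposure window.
WINDOW_START = datetime(2026, 5, 1)
IKE_EVENTS = ("key install", "quick")  # the two IKE event names the article says to search for

def hunt(log_csv, ioc_ips, vps_networks, window_start=WINDOW_START):
    """Return (time, source, reason) for in-window IKE events whose source needs review."""
    # IoC lists are usually published defanged ("[.]"), so refang before parsing.
    iocs = {ipaddress.ip_address(ip.replace("[.]", ".")) for ip in ioc_ips}
    nets = [ipaddress.ip_network(n) for n in vps_networks]
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):  # column names are hypothetical
        when = datetime.fromisoformat(row["time"])
        event = row["event"].lower()
        if when < window_start or not any(e in event for e in IKE_EVENTS):
            continue
        try:
            src = ipaddress.ip_address(row["src"].strip())
        except ValueError:
            # Never drop a row silently: a malformed source is itself worth a look.
            findings.append((row["time"], row["src"], "unparseable-source"))
            continue
        if src in iocs:
            findings.append((row["time"], str(src), "ioc-match"))
        elif any(src in n for n in nets):
            findings.append((row["time"], str(src), "vps-range"))
    return findings

# Constructed sample export; documentation addresses stand in for real indicators.
SAMPLE_LOG = """time,src,event,user
2026-04-28T09:12:00,203.0.113.7,IKE: Key Install,alice
2026-05-06T02:41:10,203.0.113.7,IKE: Key Install,bob
2026-05-06T02:41:12,203.0.113.7,IKE: Quick Mode completion,bob
2026-05-07T08:00:03,192.0.2.44,IKE: Key Install,carol
2026-05-09T23:15:40,198.51.100.23,IKE: Quick Mode completion,dave
2026-05-10T10:02:00,198.51.100.23,Login failed,dave
"""
SAMPLE_IOCS = ["203.0.113[.]7"]    # placeholder for the list in advisory CP26a
SAMPLE_VPS = ["198.51.100.0/24"]   # placeholder hosting-provider range

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, SAMPLE_IOCS, SAMPLE_VPS):
        print(*finding)
```

A `vps-range` hit is a lead for manual review rather than proof of compromise, since legitimate users can also connect through hosted infrastructure.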
Known Attacker IPs (as of 09.06.2026)
Known file hashes (MD5):
Conclusion
Exposed perimeter systems are always a prime target for attackers. CVE-2026-50751 is particularly serious because no credentials need to be compromised beforehand. The attacks have been running for weeks and will almost certainly continue as more threat actors pick up the vulnerability. Technical details and exploits are not yet public — but that is only a matter of time.
Apply the patch, activate the workaround, review the logs. In that order, as quickly as possible.