
Critical Check Point VPN Vulnerability Actively Exploited

Jul 2, 2026

On 9 June 2026, Germany's Federal Office for Information Security (BSI) published a security advisory rated Yellow (level 2 of 4). The trigger: an actively exploited vulnerability in Check Point Remote Access VPN and Mobile Access that allows attackers to establish VPN connections without a valid password.

If you operate Check Point VPN solutions, you need to act now.


What Is Going On?

On 8 June 2026, Check Point published an advisory for CVE-2026-50751. The vulnerability stems from a logic error in the certificate validation process of the deprecated IKEv1 key exchange. With a CVSS score of 9.3, it is rated critical.

The consequence: a remote attacker can completely bypass user authentication and establish a VPN connection without knowing the password. No phishing, no credential leak required — the vulnerability alone is sufficient.

During the investigation, a second vulnerability was also discovered: CVE-2026-50752 (CVSS 7.4). It also affects IKEv1 and allows an attacker in a man-in-the-middle position to intercept or manipulate site-to-site VPN connections.


Who Is Affected?

The following products are affected:

  • Check Point Remote Access VPN and Mobile Access / SSL VPN

  • Spark Firewalls with the deprecated IKEv1 key exchange enabled

The vulnerability is exploitable when all of the following conditions are met:

  • VPN remote access or mobile access is enabled

  • IKEv1 is active for remote access

  • Gateways accept legacy remote access clients

  • Gateways do not require a machine certificate for connections

Affected gateway versions (CVE-2026-50751):

  • R82.10 Jumbo Hotfix Take 19 or earlier

  • R82 Jumbo Hotfix Take 103 or earlier

  • R81.20 Jumbo Hotfix Take 141 or earlier

  • R81.10, R81, R80.40, R80.20.X (all End-of-Support)

  • Spark Firewalls: R81.10.X and R82.00.X
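The affected-version list above is what a practitioner checks a gateway inventory against. The following Python helper is an added example, not code from Check Point or from this article: it encodes only the release and Jumbo Hotfix Take thresholds stated on this page and classifies each gateway as affected, patched, End-of-Support, or unknown. The version-string format it parses, the inventory layout and the hostnames are assumptions.

```python
import re

# Thresholds from the advisory text for CVE-2026-50751: Take <= value is affected.
AFFECTED_MAX_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
# End-of-Support releases listed on the page (no hotfix; upgrade instead).
EOS_EXACT = {"R81"}                          # exact match only, so R81.20 is not swallowed
EOS_TRAINS = ("R81.10", "R80.40", "R80.20")  # the release itself or any dotted sub-release
# Spark Firewalls: R81.10.X and R82.00.X
SPARK_AFFECTED_TRAINS = ("R81.10", "R82.00")

# Assumed input format: "R82.10 Jumbo Hotfix Take 19", "R81.20 JHF Take 150", "R82", ...
_VERSION_RE = re.compile(r"^\s*(R\d+(?:\.\d+)*)(?:.*?\bTake\s+(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (release, take) where take is None if no Jumbo Hotfix Take is recorded."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = m.group(1).upper()
    take = int(m.group(2)) if m.group(2) else None
    return release, take


def _under(release, base):
    """True for the base release itself or any dotted sub-release of it."""
    return release == base or release.startswith(base + ".")


def assess(version_text, spark=False):
    """Classify one gateway: affected / patched / end-of-support / unknown / not-listed."""
    release, take = parse_version(version_text)
    if spark:
        if any(_under(release, t) for t in SPARK_AFFECTED_TRAINS):
            return "affected", f"Spark {release} is in a listed affected train"
        return "not-listed", f"Spark {release} not in the advisory list; confirm with vendor"
    if release in AFFECTED_MAX_TAKE:
        limit = AFFECTED_MAX_TAKE[release]
        if take is None:
            return "unknown", f"{release}: no Take recorded; treat as affected until verified"
        if take <= limit:
            return "affected", f"{release} Take {take} is within the affected range (<= {limit})"
        return "patched", f"{release} Take {take} is above the listed affected range"
    if release in EOS_EXACT or any(_under(release, t) for t in EOS_TRAINS):
        return "end-of-support", f"{release} is End-of-Support; no hotfix, upgrade required"
    return "not-listed", f"{release} not in the advisory list; confirm with vendor"


def assess_fleet(inventory):
    """inventory: (hostname, version_text, is_spark) tuples. Affected hosts sort first."""
    order = {"affected": 0, "unknown": 1, "end-of-support": 2, "not-listed": 3, "patched": 4}
    rows = [(host, *assess(ver, spark)) for host, ver, spark in inventory]
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("gw-hq-1", "R82.10 Jumbo Hotfix Take 19", False),
    ("gw-hq-2", "R81.20 JHF Take 150", False),
    ("gw-branch-7", "R80.20.M2", False),
    ("gw-lab", "R82", False),
    ("spark-shop-3", "R81.10.10", True),
]

if __name__ == "__main__":
    for host, status, reason in assess_fleet(SAMPLE_INVENTORY):
        print(f"{host:14} {status:15} {reason}")
```

A gateway with no recorded Take is deliberately reported as "unknown" rather than "patched": an inventory gap is not evidence of a fix.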


How Long Has This Been Going On?

According to Check Point, the vulnerability has been actively exploited since early May 2026. Over the past weeks, attackers have used it to gain access to internal networks of multiple organisations. In at least one case, the activity was linked to an affiliate of the Qilin ransomware group.

The attackers used VPS infrastructure from providers including Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. In some cases, this meant the attacker IPs shared the same country code as the targeted organisations — a deliberate obfuscation technique.


What Do You Need to Do Now?

1. Apply Patches

Check Point has released hotfixes for both vulnerabilities; details and download links are available directly from the vendor.

2. Activate Workarounds (If Patching Is Not Immediately Possible)

For CVE-2026-50751, three options are available:

  • Option 1: Remove support for legacy remote access clients

  • Option 2: Set global remote access VPN authentication settings to IKEv2 only

  • Option 3: Make machine certificate authentication mandatory

For CVE-2026-50752: Configure all VPN communities to use IKEv2 exclusively.

3. Check for Compromise

Anyone who has been running the affected configuration since early May 2026 should conduct a thorough log investigation. Specifically:

  • Search logs via SmartConsole for IKE-related events "Key Install" and "Quick"

  • Check for connections from known attacker IPs (see below)

  • Identify suspicious VPS addresses and geographic anomalies

Check Point provides an up-to-date list of Indicators of Compromise (IoCs) in advisory CP26a.


Known Attacker IPs (as of 09.06.2026)

  • 45.77.149[.]152

  • 209.182.225[.]136

  • 38.60.157[.]139

  • 162.33.177[.]101

  • 45.76.26[.]42

  • 144.208.127[.]155

  • 38.54.88[.]201

  • 38.54.107[.]167

  • 66.42.99[.]200

Known file hashes (MD5):

52fda5c1b9704544f32ee98d9060e689

51d39aa39478beeac94f2d12f682ecce
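To illustrate the "Check for Compromise" step, here is an added Python example (not code from Check Point or from this article) that runs over a constructed log export: it refangs a subset of the attacker IPs listed above, flags every record from those sources, and flags IKE "Key Install" / "Quick" events arriving from outside an assumed set of expected client networks. The key=value export layout, the EXPECTED_CLIENT_NETS range and the sample log lines are assumptions; a real SmartConsole export will need the field names adjusted.

```python
import ipaddress
import re
from dataclasses import dataclass

# Defanged attacker IPs copied from the advisory list above (a subset; extend from the vendor's IoC list).
DEFANGED_IOC_IPS = [
    "45.77.149[.]152",
    "209.182.225[.]136",
    "38.60.157[.]139",
    "144.208.127[.]155",
    "66.42.99[.]200",
]

# Assumption: the organisation's known remote-access egress ranges (documentation range used here).
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# The IKE event names the advisory says to search for.
IKE_MARKERS = ("Key Install", "Quick")


def refang(defanged):
    """Turn the publication-safe 45.77.149[.]152 form back into a parseable address."""
    return defanged.replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IOC_IPS}

# key=value parser for the assumed export layout; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


@dataclass
class Finding:
    time: str
    src: str
    severity: str  # "high": known attacker IP; "review": IKE event from an unexpected network
    reason: str
    info: str


def triage(log_text):
    """Return the records that need analyst attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        try:
            src_ip = ipaddress.ip_address(rec.get("src", ""))
        except ValueError:
            continue  # no usable source field; not a VPN client record
        info = rec.get("info", "")
        is_ike_event = info.startswith("IKE") and any(m in info for m in IKE_MARKERS)
        if src_ip in IOC_IPS:
            findings.append(Finding(rec.get("time", ""), str(src_ip), "high",
                                    "source matches published attacker IP", info))
        elif is_ike_event and not any(src_ip in net for net in EXPECTED_CLIENT_NETS):
            findings.append(Finding(rec.get("time", ""), str(src_ip), "review",
                                    "IKE event from outside expected client ranges", info))
    return findings


# Constructed sample export; the field names and message texts are assumptions, not Check Point's schema.
SAMPLE_LOG = """\
time=2026-05-12T03:14:07Z src=45.77.149.152 product="VPN-1 & FireWall-1" info="IKE: Key Install" user=""
time=2026-05-12T03:14:09Z src=45.77.149.152 product="VPN-1 & FireWall-1" info="IKE: Quick Mode completion" user=""
time=2026-05-12T08:02:41Z src=198.51.100.23 product="VPN-1 & FireWall-1" info="IKE: Key Install" user="jdoe"
time=2026-05-12T08:05:00Z src=198.51.100.23 product="VPN-1 & FireWall-1" info="Login succeeded" user="jdoe"
time=2026-05-13T22:47:13Z src=66.42.99.200 product="VPN-1 & FireWall-1" info="IKE: Quick Mode completion" user=""
time=2026-05-14T10:00:00Z src=203.0.113.9 product="VPN-1 & FireWall-1" info="IKE: Key Install" user=""
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.time} {f.src:16} {f.reason} :: {f.info}")
```

Matching against the published IP list is necessary but not sufficient: the attackers rotated VPS providers, so the "review" bucket (IKE events from networks your users do not normally come from) is where the IPs that are not yet on any list will show up.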

Conclusion

Exposed perimeter systems are always a prime target for attackers. CVE-2026-50751 is particularly serious because no credentials need to be compromised beforehand. The attacks have been running for weeks and will almost certainly continue as more threat actors pick up the vulnerability. Technical details and exploits are not yet public — but that is only a matter of time.

Apply the patch, activate the workaround, review the logs. In that order, as quickly as possible.