Check Point Research has detected active in-the-wild exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 protocol. The scope is currently limited (~dozens of organizations globally), but the escalation in early June and linkage to a prolific ransomware affiliate suggests broader targeting is likely imminent. The parallel targeting of Palo Alto, Fortinet, and F5 VPN vulnerabilities by the same actor indicates a systematic campaign against enterprise VPN infrastructure – not an opportunistic attack. Organizations using any of these products should treat this as a broader VPN security posture review, not just a single patch event.
Severity: Critical
Vulnerability Overview
| CVE ID | CVE-2026-50751 | CVE-2026-50752 |
|---|---|---|
| Vulnerability Type | Authentication Bypass | Man-in-the-Middle (MitM) |
| CVSS Score | 9.3 | 7.4 |
| Affected Components | Remote Access & Mobile Access VPN deployments | Site-to-Site VPN connections |
| Protocol Layer | Deprecated IKEv1 key exchange protocol | Deprecated IKEv1 key management |
| Technical Mechanism | Exploits a logic flaw in certificate validation to establish a VPN session without a valid user password. | Exploits a condition in certificate validation to allow data interference on connections. |
| Exploitation Status | Actively exploited in the wild | NA |
Threat Actor Profile & Attack Methodology
- Attribution & Motivation: There is confirmed post-compromise activity associated with a financially motivated Qilin ransomware affiliate (medium confidence assessment).
- Infrastructure Targeting: The threat group’s infrastructure is suspected of concurrently targeting other major VPN vendors, including Palo Alto, Fortinet, and F5.
- Tactics & Tooling:
  - Operational Infrastructure: Relies on dedicated virtual private server (VPS) infrastructure. Attackers have strategically matched the geographical location of their infrastructure with that of the victim organization (e.g., targeting Taiwanese organizations using a Taiwan-geolocated VPS).
  - Malware: Following an authentication bypass, threat actors attempted to download malicious ELF files and execute Qilin Linux ransomware binaries.
  - Communication: Leverages the Tox protocol for communications.
- Post-Exploitation Requirement: Additional post-authentication activity is required after the initial bypass to escalate privileges or access internal corporate resources.
Attack Timeline
- May 7, 2026: Earliest observed date of active in-the-wild exploitation.
- Early June 2026: Significant increase in exploitation attempts noticed globally across targeted organizations.
- June 4, 2026: Check Point Research initiates a formal forensic investigation following indications of suspicious network activity.
- June 8, 2026: Official security advisory published to warn organizations.
Recommendations
- Apply Check Point’s released hotfix to all affected Security Gateways. Refer to official advisories sk185033 and sk185035 for exact upgrade guidance.
- Pull VPN authentication logs from May 7, 2026. Hunt specifically for:
  • Sessions authenticated via certificate only, without password validation
  • Successful VPN logins with no corresponding MFA/password event
  • Logins from IPs matching the IOC list or hosted on Vultr / Shock Hosting / Kaupo Cloud HK ASNs. Look for VPN and IKE-related events containing action:"Key Install" and a log record containing Quick.
  • ELF binary download attempts from external actor-controlled infrastructure
- Mitigation:
  • Option 1 – Remove support for legacy Remote Access client connections
  • Option 2 – Configure Global properties for Remote Access VPN Authentication to IKEv2 only
  • Option 3 – Set the Machine Certificate Authentication as mandatory
- Audit all site-to-site and remote-access VPN profiles for lingering IKEv1 configurations. Enforce IKEv2 with strong cipher suites.
- Ensure MFA is mandatory for all remote access VPN users.
- This actor is known to target Palo Alto, Fortinet, and F5 VPN products in parallel. If any of these are in your environment:
  • Audit patch status on all VPN/SSL-VPN products immediately
  • Cross-reference recent authentication anomalies across all VPN platforms
  • Check for Tox protocol traffic (port 33445 UDP/TCP) in firewall/netflow logs as an indicator of actor C2
- Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/7df62e9f144d297ef619f17871b0d90f462408cedfc48e59268c8d575bcfda62/iocs
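The hunting criteria above (certificate-only sessions with no password/MFA event, "Key Install" events mentioning Quick, logins from IOC addresses, and Tox-port traffic) can be scripted against exported logs. The following is an added example written for this advisory, not Check Point's code or tooling. It assumes a simplified key=value log export with hypothetical field names (time, action, src, user, auth_method, info) and a hypothetical one-line netflow format; every sample line and IOC address in it is constructed. Map the field names to your gateway's real export before running it on production data.

```python
"""
Hunting helper for the CVE-2026-50751 recommendations (added example).
Assumes a simplified key=value log format; field names are hypothetical.
All log lines, flows and IOC addresses below are constructed samples.
"""
from datetime import datetime, timedelta
import re

# Constructed placeholder IOCs; use the advisory's VirusTotal collection in practice.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
TOX_PORT = 33445                       # Tox protocol port named in the advisory
PASSWORD_FACTORS = {"password", "mfa", "otp"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FLOW_RE = re.compile(r'(\S+) (\S+):(\d+) -> (\S+):(\d+) (udp|tcp)')

VPN_LOGS = [  # constructed sample export, not real gateway output
    'time="2026-05-07 03:12:44" action="Key Install" src=203.0.113.10 user=jdoe info="IKE: Quick Mode completion"',
    'time="2026-05-07 03:12:45" action=Login src=203.0.113.10 user=jdoe auth_method=certificate',
    'time="2026-06-02 09:00:01" action=Login src=192.0.2.5 user=asmith auth_method=certificate',
    'time="2026-06-02 09:00:02" action=Login src=192.0.2.5 user=asmith auth_method=password',
    'time="2026-06-03 11:30:00" action="Key Install" src=192.0.2.9 user=bwong info="IKEv2 child SA installed"',
]
FLOWS = [  # constructed: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
    "2026-06-01T10:00:00Z 10.0.0.5:51234 -> 203.0.113.10:33445 udp 1200",
    "2026-06-01T10:00:03Z 10.0.0.5:51235 -> 198.51.100.20:443 tcp 8800",
]


def parse_kv(line):
    """Parse 'k=v k2="quoted v"' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_time(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")


def find_ikev1_key_installs(lines):
    """Key Install events whose record mentions Quick (IKEv1 Quick Mode)."""
    return [ev for line in lines
            if (ev := parse_kv(line)).get("action") == "Key Install" and "Quick" in line]


def find_cert_only_logins(lines, window=timedelta(minutes=5)):
    """Certificate logins with no password/MFA login for the same user within window."""
    logins = [e for e in map(parse_kv, lines) if e.get("action") == "Login"]
    flagged = []
    for ev in logins:
        if ev.get("auth_method") != "certificate":
            continue
        t = parse_time(ev)
        corroborated = any(
            o["user"] == ev["user"]
            and o.get("auth_method") in PASSWORD_FACTORS
            and abs(parse_time(o) - t) <= window
            for o in logins
        )
        if not corroborated:
            flagged.append(ev)
    return flagged


def find_ioc_logins(lines, ioc_ips=IOC_IPS):
    """Login events whose source address is on the IOC list."""
    return [e for e in map(parse_kv, lines)
            if e.get("action") == "Login" and e.get("src") in ioc_ips]


def find_tox_flows(flow_lines, port=TOX_PORT):
    """Flow records with the Tox port on either end (UDP or TCP)."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if m and port in (int(m.group(3)), int(m.group(5))):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for name, hits in [
        ("IKEv1 Quick Mode key installs", find_ikev1_key_installs(VPN_LOGS)),
        ("certificate-only logins", find_cert_only_logins(VPN_LOGS)),
        ("logins from IOC addresses", find_ioc_logins(VPN_LOGS)),
        ("Tox-port flows", find_tox_flows(FLOWS)),
    ]:
        print(f"{name}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

The certificate-only check deliberately correlates by user and time window rather than by session ID, because the second factor is often logged as a separate event; widen the window if your gateway logs the password/MFA step well after the certificate handshake. ASN-based matching (Vultr, Shock Hosting, Kaupo Cloud HK) needs an external IP-to-ASN source and is left out here.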
Source:
- https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
- https://support.checkpoint.com/results/sk/sk185033