Cybersecurity June 11, 2026

Check Point VPN Zero-Day CVE-2026-50751 Exploited by Ransomware Gangs — CISA Gives Agencies 3 Days to Patch

A CVSS 9.3 authentication bypass in Check Point's IKEv1 remote access VPN lets attackers open VPN sessions without credentials. Exploited in the wild since May 7, linked to Qilin ransomware, and on CISA's KEV list with a June 11 deadline.

CVE-2026-50751 is a critical authentication bypass in Check Point security gateways that allows an unauthenticated attacker to establish a remote access VPN session without valid credentials. It carries a CVSS score of 9.3, it has been exploited in the wild since at least May 7, and CISA has given US federal agencies until today — June 11 — to fix it.

A three-day patching deadline is rare. CISA’s standard window for Known Exploited Vulnerabilities is three weeks. When the agency compresses that to 72 hours, it means active, damaging exploitation is confirmed — and in this case, Check Point assesses with medium confidence that at least one intrusion was the work of a Qilin ransomware affiliate.

The technical details

The flaw (CWE-287, improper authentication) lives in how the Remote Access VPN and Mobile Access components validate certificates during the IKEv1 key exchange. A logic error in that flow means an attacker who can reach the VPN endpoint can complete the handshake and land inside the network perimeter — no password, no MFA prompt, no stolen credentials required.

Affected products:

  • Check Point Quantum Security Gateways with Remote Access VPN enabled via IKEv1
  • Mobile Access blades
  • Quantum Spark firewalls

Check Point published its advisory and hotfix on June 8. The exploitation campaign is described as “limited in scope” — several dozen organizations — but activity ramped up in early June, and now that the vulnerability is public, mass scanning follows within days. That’s the standard pattern for every edge-device CVE of the past three years.

What to do right now

  1. Apply the Check Point hotfix immediately — it’s available for all supported gateway versions via the June 8 advisory.
  2. Disable IKEv1 if you can. The protocol is deprecated; Check Point itself frames the fix as a patch for a legacy protocol. Migrate remote access to IKEv2.
  3. Hunt retroactively. Exploitation dates to May 7. Review VPN session logs for connections that authenticated without matching credential events, and treat any suspicious session as a potential ransomware foothold.
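
One way to run the retroactive hunt in step 3, as an added example that is not from Check Point or the original article: flag every VPN session opened on or after May 7 that has no successful authentication event from the same source IP and user shortly before it. The event schema (`ts`, `event`, `src_ip`, `user`, `session_id`), the 120-second window, and the sample log lines are assumptions constructed for illustration; map your gateway or SIEM export onto them first.

```python
import json
from datetime import datetime, timedelta, timezone

# Earliest known exploitation date from the article; hunt from here forward.
HUNT_START = datetime(2026, 5, 7, tzinfo=timezone.utc)
# Assumption: a legitimate login is logged at most this long before its session opens.
AUTH_WINDOW = timedelta(seconds=120)

# Constructed sample events in a hypothetical normalized schema (not Check Point's format).
SAMPLE_LOG = """\
{"ts": "2026-05-06T23:10:00Z", "event": "session_open", "src_ip": "198.51.100.9", "user": "", "session_id": "s0"}
{"ts": "2026-05-12T08:00:05Z", "event": "auth_success", "src_ip": "203.0.113.20", "user": "alice"}
{"ts": "2026-05-12T08:00:09Z", "event": "session_open", "src_ip": "203.0.113.20", "user": "alice", "session_id": "s1"}
{"ts": "2026-05-19T02:41:30Z", "event": "session_open", "src_ip": "198.51.100.77", "user": "", "session_id": "s2"}
{"ts": "2026-06-02T03:15:00Z", "event": "auth_success", "src_ip": "203.0.113.20", "user": "alice"}
{"ts": "2026-06-02T09:30:00Z", "event": "session_open", "src_ip": "203.0.113.20", "user": "alice", "session_id": "s3"}
"""

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_unmatched_sessions(log_text, start=HUNT_START, window=AUTH_WINDOW):
    """Return session_open events with no auth_success from the same source IP
    and user inside `window` before the session started."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = parse_ts(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: e["_ts"])  # exports are not always in time order

    auths = {}  # (src_ip, user) -> timestamps of successful authentications
    suspicious = []
    for ev in events:
        key = (ev["src_ip"], ev.get("user", ""))
        if ev["event"] == "auth_success":
            auths.setdefault(key, []).append(ev["_ts"])
        elif ev["event"] == "session_open" and ev["_ts"] >= start:
            matched = any(timedelta(0) <= ev["_ts"] - t <= window
                          for t in auths.get(key, []))
            if not matched:
                suspicious.append(ev["session_id"])
    return suspicious

if __name__ == "__main__":
    for sid in find_unmatched_sessions(SAMPLE_LOG):
        print("review session:", sid)
```

On the sample data this flags `s2` (no credential event at all) and `s3` (the only authentication from that peer was hours earlier), and skips `s0` because it predates the hunt window.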

The pattern worth naming

This is the latest entry in an unbroken streak: Ivanti, Fortinet, Cisco (seven SD-WAN zero-days this year alone), Palo Alto, and now Check Point again. Edge security appliances — the boxes whose entire job is keeping attackers out — have become the most reliable way in. VPN gateways are, by design, reachable by unauthenticated peers at the network edge, ransomware crews know it, and legacy protocols like IKEv1 left running “for compatibility” are exactly where the bodies are buried. If your remote access still speaks a protocol deprecated years ago, this CVE is your deadline.
