INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.

Explotan vulnerabilidad Check Point VPN

| 2026-06-08 14:17 CRITICAL HIGH
JSON
Executive Summary AI-generated
The recent incident data reveals a critical vulnerability in Check Point's VPN solution, CVE-2026-50751. This zero-day exploit allows attackers to bypass authentication and gain remote access to the organization's network by exploiting a lógico flaw in certificate validation. The vulnerability is particularly concerning as it affects widely used protocols like IKEv1, which has been largely replaced by more modern alternatives like IKEv2. Organizations must take immediate action to patch this critical issue, especially if they rely on legacy systems or have not kept their security gateways and Spark Firewalls up-to-date with the latest patches.
Technical Mitigations AI-generated
* CVE-2026-50751: Un fallo crítico en el protocolo IKEv1 de autenticación y negociación de claves que permite establecer sesiones VPN sin necesidad de una contraseña válida. * CVE-2026-50752: Una vulnerabilidad relacionada con la lógica de validación de certificados para permitir ataques de tipo man-in-the-middle en conexiones VPN a través del protocolo IKEv1.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
SparkSparkQilinQilinAgendaAgenda CVE-2024-24919CVE-2024-24919 CVE-2026-42271CVE-2026-42271 CVE-2026-50752CVE-2026-50752 CVE-2026-50751CVE-2026-50751
Target & Sectors
FIVE_EYES FIVE_EYES NORTH_AMERICA NORTH_AMERICA governmentgovernment automotiveautomotive
Incident Timeline
‎August 2022
Qilin exploited a Check Point vulnerability to target nearly 400 victims on its dark web leak site.
tactic Ransomware
Although these attacks have only led to breaches at "a few dozen" organizations worldwide, Check Point has linked at least one incident to the Qilin Ransomware-as-a-Service (RaaS) operation, which has claimed over 400 victims on its dark web leak site since it surfaced in August 2022.
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for nearly 400 victims on its dark web leak site.
malware Qilin
Although these attacks have only led to breaches at "a few dozen" organizations worldwide, Check Point has linked at least one incident to the Qilin Ransomware-as-a-Service (RaaS) operation, which has claimed over 400 victims on its dark web leak site since it surfaced in August 2022.
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for nearly 400 victims on its dark web leak site.
victims 400 victims
Although these attacks have only led to breaches at "a few dozen" organizations worldwide, Check Point has linked at least one incident to the Qilin Ransomware-as-a-Service (RaaS) operation, which has claimed over 400 victims on its dark web leak site since it surfaced in August 2022.
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for nearly 400 victims on its dark web leak site.
malware Agenda
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for nearly 400 victims on its dark web leak site.
‎May 7
The Qilin ransomware operation exploited a Check Point Auth Bypass vulnerability.
vulnerability CVE-2026-50751
Israeli cybersecurity company Check Point released security updates to address CVE-2026-50751 on Monday, flagging it as exploited in attacks that began on May 7 and surged over the weekend.
Attacks against the bug, tracked as CVE-2026-50751 , began on May 7, according to Check Point VP of research Lotem Finkelstein, and picked up in early June.
source_region Israel
Israeli cybersecurity company Check Point released security updates to address CVE-2026-50751 on Monday, flagging it as exploited in attacks that began on May 7 and surged over the weekend.
tactic Ransomware
cyber-crime Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix Scumbags, including a Qilin ransomware affiliate, began hitting this hole May 7 Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware criminals, got a month-long head start.
The attacks began on May 7, surged in early June, and have affected only "a few dozen" organizations worldwide, with at least one incident linked to the Qilin ransomware operation.
malware Qilin
cyber-crime Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix Scumbags, including a Qilin ransomware affiliate, began hitting this hole May 7 Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware criminals, got a month-long head start.
The attacks began on May 7, surged in early June, and have affected only "a few dozen" organizations worldwide, with at least one incident linked to the Qilin ransomware operation.
organisation Mobile Access
cyber-crime Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix Scumbags, including a Qilin ransomware affiliate, began hitting this hole May 7 Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware criminals, got a month-long head start.
organisation Remote Access VPN
cyber-crime Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix Scumbags, including a Qilin ransomware affiliate, began hitting this hole May 7 Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware criminals, got a month-long head start.
organisation Check Point VP
Attacks against the bug, tracked as CVE-2026-50751 , began on May 7, according to Check Point VP of research Lotem Finkelstein, and picked up in early June.
organisation Lotem Finkelstein
Attacks against the bug, tracked as CVE-2026-50751 , began on May 7, according to Check Point VP of research Lotem Finkelstein, and picked up in early June.
‎May 7, 2026
Threat actors exploited a vulnerability in Check Point Auth Bypass to target various products and versions.
malware Spark
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
organisation Remote Access
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
source_region Israel
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
organisation R81
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
general_metric 19 Hotfix
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
general_metric 103 Hotfix
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
general_metric 141 Hotfix
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
organisation EOS
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
‎2026/05/09
Threat actors used a previously undisclosed exploit for Check Point Auth Bypass to target ransomware groups.
tactic Ransomware
Some aspects of these efforts overlap with a report from Ctrl-Alt-Intel last month, which highlighted the ransomware crew's abuse of corporate VPN appliances for initial access.
organisation Ctrl-Alt-Intel
Some aspects of these efforts overlap with a report from Ctrl-Alt-Intel last month, which highlighted the ransomware crew's abuse of corporate VPN appliances for initial access.
‎May 2026
Threat actors used a previously unknown vulnerability in Check Point's Auth Bypass software to target their systems.
‎June 4
Threat actors exploited a zero-day vulnerability in Check Point's Auth Bypass software.
‎June 4, 2026
Threat actors exploited a vulnerability in Check Point Auth Bypass to target various products and versions, including Security Gateways R82.10 Jumbo Hotfix Take 19 or below and Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X.
malware Spark
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
organisation Remote Access
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
source_region Israel
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
organisation R81
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
general_metric 19 Hotfix
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
general_metric 103 Hotfix
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
general_metric 141 Hotfix
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
organisation EOS
" The shortcoming impacts the following products and versions - Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS) Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X Successful exploitation requires the following conditions to be met - VPN Remote Access or Mobile Access is enabled IKEv1 is enabled for remote access Gateways accept legacy Remote Access clients Gateways do not demand a machine certificate for connections The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026.
‎June 8
Ransomware affiliates exploited a Check Point vulnerability in remote access VPN and mobile access deployments.
tactic Ransomware
The security vendor revealed on June 8 that in one case, an affiliate of the Qilin ransomware group has exploited the flaw in “post-compromise activity.”
malware Qilin
The security vendor revealed on June 8 that in one case, an affiliate of the Qilin ransomware group has exploited the flaw in “post-compromise activity.”
vulnerability CVE-2026-50751
Check Point on June 8 disclosed CVE-2026-50751, a critical authentication bypass flaw (9.3 CVSS score) that impacts "Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol," according to a blog post .
‎2026/06/08
Threat actors exploited CVE-2026-50751 in Check Point Auth Bypass Exploited vulnerabilities.
vulnerability CVE-2026-50751
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution CISA
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution Known Exploited
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
tactic T1588.006 - Vulnerabilities
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution KEV
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution Federal Civilian Executive Branch
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution FCEB
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
‎Jun 08, 2026
Threat actors exploited a known vulnerability in Check Point's Auth Bypass software to gain unauthorized access into targeted networks.
‎at least May 7 through June 5
Threat actors exploited a vulnerability in Check Point SmartConsole to bypass authentication.
‎2026/06/09
Check Point has urged customers to patch a critical zero-day vulnerability in its Remote Access VPN and Mobile Access solutions that is being actively exploited.
organisation Check Point Research
Qilin, ransomware y actividad posterior al acceso Check Point Research ha vinculado al menos un caso de actividad posterior a la explotación con un afiliado del ransomware Qilin.
Check Point Research said it confirmed one case where post-exploitation activity was associated with a Qilin ransomware affiliate.
"To the best of our knowledge to date, there is no indication the vulnerability was broadly available to other threat actors," Check Point Research told The Hacker News via email.
"Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol," the company warned .
organisation preparación de un ataque de ransomware
Desde ahí, el siguiente paso puede ser reconocimiento interno, búsqueda de credenciales, movimiento lateral o preparación de un ataque de ransomware.
organisation los grupos de ransomware
Esto encaja con una tendencia clara: los grupos de ransomware y los actores financieros están priorizando dispositivos perimetrales y soluciones de acceso remoto porque ofrecen una vía directa hacia las redes corporativas.
organisation los actores financieros
Esto encaja con una tendencia clara: los grupos de ransomware y los actores financieros están priorizando dispositivos perimetrales y soluciones de acceso remoto porque ofrecen una vía directa hacia las redes corporativas.
organisation vía directa
Esto encaja con una tendencia clara: los grupos de ransomware y los actores financieros están priorizando dispositivos perimetrales y soluciones de acceso remoto porque ofrecen una vía directa hacia las redes corporativas.
organisation Ransomware
Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix.
organisation Check Point
Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix.
Dos vulnerabilidades, una bajo explotación activa Check Point divulgó CVE-2026-50751 junto con otra vulnerabilidad, identificada como CVE-2026-50752.
Check Point warns that CVE-2026-50751 is being actively exploited .
Remote Access VPN and Mobile Access are both remote access capabilities generally offered as part of Check Point firewalls.
Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point also shared mitigation measures for customers who can't immediately patch vulnerable systems and advised them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, set the Machine Certificate Authentication as mandatory, and enable IPS and download the signatures.
organisation The Hacker News
"To the best of our knowledge to date, there is no indication the vulnerability was broadly available to other threat actors," Check Point Research told The Hacker News via email.
organisation Check Point Remote Access VPN
"Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol," the company warned .
organisation El fallo
El fallo, identificado como CVE-2026-50751, afecta a determinados despliegues
En otras palabras, el fallo puede permitir acceder al entorno VPN saltándose una barrera clave de seguridad.
organisation CVE-2026
Dos vulnerabilidades, una bajo explotación activa Check Point divulgó CVE-2026-50751 junto con otra vulnerabilidad, identificada como CVE-2026-50752.
While investigating the CVE-2026-50751 flaw, Check Point found a second vulnerability ( tracked as CVE-2026-50752 ) that affects certificate validation in deprecated IKEv1 key exchange that can be exploited in man-in-the-middle attacks on site-to-site VPN connections.
organisation CVSS
Another Vulnerability Discovered While Check Point was investigating CVE-2026-50751, which has a CVSS score of 9.3, it found another vulnerability.
The two flaws added to the catalog are: CVE-2026-42271  (CVSS score ver.4.0 of 8.7) BerriAI
organisation Unauthenticated
Unauthenticated remote attackers can exploit this security flaw (tracked as CVE-2026-50751 ) to bypass authentication and establish a remote access VPN connection on targeted Mobile Access/SSL VPNs, Remote Access VPNs, or Spark firewalls.
organisation Mobile Access/SSL VPNs
Unauthenticated remote attackers can exploit this security flaw (tracked as CVE-2026-50751 ) to bypass authentication and establish a remote access VPN connection on targeted Mobile Access/SSL VPNs, Remote Access VPNs, or Spark firewalls.
It affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol.
organisation Remote Access
Unauthenticated remote attackers can exploit this security flaw (tracked as CVE-2026-50751 ) to bypass authentication and establish a remote access VPN connection on targeted Mobile Access/SSL VPNs, Remote Access VPNs, or Spark firewalls.
Alternative mitigations generally amount to changing VPN encryption settings to use IKEv2 only; CVE-2026-50751 also offers mitigations involving removing support for legacy Remote Access client connections or by setting the machine certificate authentication as mandatory.
Tracked as CVE-2026-50751 , this vulnerability can be exploited by unauthenticated, remote attackers to bypass authentication on targeted Mobile Access / SSL VPNs, Remote Access VPNs, or Spark firewalls and establish a remote access VPN connection.
It affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol.
organisation Command Injection Vulnerability
LiteLLM Command Injection Vulnerability CVE-2026-50751  (CVSS score of 9.3)
organisation Check Point VPN
The second flaw added to the catalog, tracked as CVE-2026-50751 , is a critical authentication bypass flaw in Check Point VPN, Mobile Access, and Spark Firewalls.
Explotan una vulnerabilidad crítica en Check Point VPN para saltarse la autenticación.
organisation Mobile Access
The second flaw added to the catalog, tracked as CVE-2026-50751 , is a critical authentication bypass flaw in Check Point VPN, Mobile Access, and Spark Firewalls.
Remote Access VPN and Mobile Access are both remote access capabilities generally offered as part of Check Point firewalls.
de Remote Access VPN y Mobile Access configurados con el protocolo IKEv1, una tecnología antigua y desaconsejada desde hace años.
Check Point has urged customers to patch a critical zero-day vulnerability in its Remote Access VPN and Mobile Access solutions that is being actively exploited.
 Ravie Lakshmanan  Jun 08, 2026 Vulnerability / Network Security Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol.
Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks.
organisation IKEv2
Alternative mitigations generally amount to changing VPN encryption settings to use IKEv2 only; CVE-2026-50751 also offers mitigations involving removing support for legacy Remote Access client connections or by setting the machine certificate authentication as mandatory.
Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point also shared mitigation measures for customers who can't immediately patch vulnerable systems and advised them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, set the Machine Certificate Authentication as mandatory, and enable IPS and download the signatures.
Sin embargo, IKEv1 está considerado obsoleto y ha sido sustituido en gran medida por alternativas más modernas, como IKEv2.
"Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point has also shared mitigation measures for those who can't patch, advising them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, enable IPS and download the signatures, and configure Machine Certificate Authentication as mandatory.
organisation the Remote Access and Mobile Access
CVE-2026-50751 is due to a logic-flow weakness in the Remote Access and Mobile Access certificate validation process, and it allows remote attackers to bypass authentication and establish a remote access VPN connection without a user password.
“An attacker can bypass user authentication by exploiting a logic flow weakness in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password,” Check Point said.
organisation Security Gateways
While investigating CVE-2026-50751 and affected VPN components, Check Point found another vulnerability, CVE-2026-50752 , in its Security Gateways and Spark Firewall products.
A threat actor is exploiting a critical vulnerability present in certain versions of Check Point's Security Gateways and Spark Firewalls, and customers are advised to patch immediately.
organisation Mobile Access / SSL VPNs
Tracked as CVE-2026-50751 , this vulnerability can be exploited by unauthenticated, remote attackers to bypass authentication on targeted Mobile Access / SSL VPNs, Remote Access VPNs, or Spark firewalls and establish a remote access VPN connection.
organisation IPs
Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point also shared mitigation measures for customers who can't immediately patch vulnerable systems and advised them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, set the Machine Certificate Authentication as mandatory, and enable IPS and download the signatures.
"Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point has also shared mitigation measures for those who can't patch, advising them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, enable IPS and download the signatures, and configure Machine Certificate Authentication as mandatory.
The affiliate apparently used dedicated virtual private server (VPS) infrastructure to carry out the attacks, with some IPs hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.
organisation Remote Access VPN Authentication
Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point also shared mitigation measures for customers who can't immediately patch vulnerable systems and advised them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, set the Machine Certificate Authentication as mandatory, and enable IPS and download the signatures.
"Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point has also shared mitigation measures for those who can't patch, advising them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, enable IPS and download the signatures, and configure Machine Certificate Authentication as mandatory.
organisation the Machine Certificate Authentication
Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point also shared mitigation measures for customers who can't immediately patch vulnerable systems and advised them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, set the Machine Certificate Authentication as mandatory, and enable IPS and download the signatures.
organisation Explotan una vulnerabilidad
Explotan una vulnerabilidad crítica en Check Point VPN para saltarse la autenticación.
organisation Remote Access VPN
Check Point has urged customers to patch a critical zero-day vulnerability in its Remote Access VPN and Mobile Access solutions that is being actively exploited.
 Ravie Lakshmanan  Jun 08, 2026 Vulnerability / Network Security Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol.
Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks.
organisation Vulnerability / Network Security
 Ravie Lakshmanan  Jun 08, 2026 Vulnerability / Network Security Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol.
organisation fue
Check Point ha confirmado que la vulnerabilidad fue utilizada como zero-day en ataques contra varias decenas de organizaciones a nivel global.
organisation Check Point's
A threat actor is exploiting a critical vulnerability present in certain versions of Check Point's Security Gateways and Spark Firewalls, and customers are advised to patch immediately.
organisation EOS
Also included are Spark Firewalls R80.20.X (EOS); R81.10.X; and R82.00.X.  Related:
organisation un
Según la descripción técnica, un atacante puede aprovechar un fallo lógico en la validación de certificados para establecer una sesión VPN sin disponer de una contraseña válida.
Ad Un fallo crítico en un punto muy sensible Las VPN corporativas son uno de los elementos más críticos de cualquier infraestructura empresarial.
organisation lógico
Según la descripción técnica, un atacante puede aprovechar un fallo lógico en la validación de certificados para establecer una sesión VPN sin disponer de una contraseña válida.
organisation la validación de certificados
Según la descripción técnica, un atacante puede aprovechar un fallo lógico en la validación de certificados para establecer una sesión VPN sin disponer de una contraseña válida.
organisation Las VPN
Ad Un fallo crítico en un punto muy sensible Las VPN corporativas son uno de los elementos más críticos de cualquier infraestructura empresarial.
organisation de un protocolo de autenticación
Se trata de un protocolo de autenticación y negociación de claves creado en 1998 y utilizado durante años para establecer túneles VPN cifrados.
organisation negociación de claves
Se trata de un protocolo de autenticación y negociación de claves creado en 1998 y utilizado durante años para establecer túneles VPN cifrados.
organisation Sin
Sin embargo, IKEv1 está considerado obsoleto y ha sido sustituido en gran medida por alternativas más modernas, como IKEv2.
organisation gran medida
Sin embargo, IKEv1 está considerado obsoleto y ha sido sustituido en gran medida por alternativas más modernas, como IKEv2.
organisation Machine Certificate Authentication
"Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately." Check Point has also shared mitigation measures for those who can't patch, advising them to remove support for the legacy remote access client, configure global properties for Remote Access VPN Authentication to IKEv2 only, enable IPS and download the signatures, and configure Machine Certificate Authentication as mandatory.
organisation El uso de tecnologías heredadas sigue
El uso de tecnologías heredadas sigue siendo uno de los grandes problemas de ciberseguridad en las empresas.
organisation las empresas
El uso de tecnologías heredadas sigue siendo uno de los grandes problemas de ciberseguridad en las empresas.
organisation falta de revisión o
Muchas organizaciones mantienen configuraciones antiguas por compatibilidad, falta de revisión o dependencia de clientes legacy.
organisation el actor
Según la información disponible, el actor sospechoso también estaría explotando otras vulnerabilidades relacionadas con VPN, incluidas fallas publicadas en productos de Palo Alto, Fortinet y F5.
organisation observada de explotación
Check Point identificó actividad maliciosa el 4 de junio, pero situó la primera fecha observada de explotación el 7 de mayo.
organisation el 7 de mayo
Check Point identificó actividad maliciosa el 4 de junio, pero situó la primera fecha observada de explotación el 7 de mayo.
organisation los equipos de respuesta
La compañía ha recomendado a los equipos de respuesta a incidentes revisar registros forenses y configuraciones desde esa fecha, ya que la explotación aumentó especialmente a comienzos de junio.
organisation Key Exchange
IKEv1 (short for Internet Key Exchange version 1) is a security authentication protocol created in 1998 that is often used to set up authenticated and encrypted VPN tunnels.
organisation VPS
The affiliate apparently used dedicated virtual private server (VPS) infrastructure to carry out the attacks, with some IPs hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.
" Check Point also identified indications that the attacker may be using Tox for communication, an otherwise legitimate open source peer-to-peer protocol, and that they used dedicated virtual private server (VPS) infrastructure to conduct attacks.
" A key aspect is the use of a virtual private server (VPS) infrastructure to conduct the attacks.
organisation Kaupo Cloud HK
The affiliate apparently used dedicated virtual private server (VPS) infrastructure to carry out the attacks, with some IPs hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.
organisation Vultr Holdings
The affiliate apparently used dedicated virtual private server (VPS) infrastructure to carry out the attacks, with some IPs hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.
organisation Check Point Security Gateway
LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog.
organisation Known Exploited
LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog.
organisation KEV
LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities (KEV) catalog .
organisation BOD
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
organisation EDR
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
infrastructure 1.74.2
Check Point Security Gateway Improper Authentication Vulnerability The CVE-2026-42271 flaw is a privilege escalation and remote code execution vulnerability in LiteLLM affecting versions 1.74.2 through 1.83.6.
infrastructure 1.83.6
Check Point Security Gateway Improper Authentication Vulnerability The CVE-2026-42271 flaw is a privilege escalation and remote code execution vulnerability in LiteLLM affecting versions 1.74.2 through 1.83.6.
organisation Check Point Security
Check Point Security Gateway Improper Authentication Vulnerability The CVE-2026-42271 flaw is a privilege escalation and remote code execution vulnerability in LiteLLM affecting versions 1.74.2 through 1.83.6.
infrastructure 1.83.7
The vulnerability was fixed in LiteLLM version 1.83.7.
organisation MCP
The issue stems from two MCP server testing endpoints that allowed authenticated users to supply custom server configurations, including commands and environment variables.
organisation API
Because the application executed these commands as subprocesses on the host system without enforcing role-based access controls, even low-privileged users with a valid API key could run arbitrary commands on the server.
organisation Vulnerable Check Point Customers Should Patch
Vulnerable Check Point Customers Should Patch Now
organisation R81
They include Security Gateways R82.10 Jumbo Hotfix Take 19 or below; R82 Jumbo Hotfix Take 103 or below; R81.20 Jumbo Hotfix Take 141 or below; R81.10 (end of service); R81 (end of service); and R80.40 (end of service).
organisation Microsoft
Related: Microsoft Issues Out-of-Band SharePoint Patch Asked how many of its customers use the IKEv1 protocol, Check Point Research says not many.
organisation Bypass Passwords
Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups.
organisation Setups
Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups.
organisation ELF
Once access was established, the attackers were found attempting to download malicious ELF files from actor-controlled infrastructure.
organisation Nissan
The gang's list of victims also includes high-profile organizations such as automotive giant Yangfeng , Nissan , Japanese beer company Asahi , publishing giant Lee Enterprises , pathology services provider Synnovis , and Australia's Court Services Victoria .
organisation Asahi
The gang's list of victims also includes high-profile organizations such as automotive giant Yangfeng , Nissan , Japanese beer company Asahi , publishing giant Lee Enterprises , pathology services provider Synnovis , and Australia's Court Services Victoria .
organisation Court
The gang's list of victims also includes high-profile organizations such as automotive giant Yangfeng , Nissan , Japanese beer company Asahi , publishing giant Lee Enterprises , pathology services provider Synnovis , and Australia's Court Services Victoria .
‎June 11
The Federal Civilian Executive Branch (FCEB) agencies were ordered to secure their devices by June 11 due to the exploitation of CVE-2026-50751.
vulnerability CVE-2026-50751
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution CISA
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution Known Exploited
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
tactic T1588.006 - Vulnerabilities
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution KEV
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution Federal Civilian Executive Branch
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
attribution FCEB
Feds ordered to patch by June 11 Yesterday, CISA also added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog , ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01 .
‎June 11, 2026
Threat actors exploited the Check Point Security Gateway vulnerability.
attribution the Check Point Security Gateway
CISA orders federal agencies to fix the Check Point Security Gateway vulnerability by June 11, 2026, and the BerriAI LiteLLM flaw by June 22, 2026.
‎June 22, 2026
Threat actors exploited the Check Point Security Gateway vulnerability to gain unauthorized access.
attribution the Check Point Security Gateway
CISA orders federal agencies to fix the Check Point Security Gateway vulnerability by June 11, 2026, and the BerriAI LiteLLM flaw by June 22, 2026.
Tactical Metrics
Metrics
victims
400
Victims
Although these attacks have only led to breaches at "a few dozen" organizations worldwide, Check Point has linked at least one incident to the Qilin Ransomware-as-a-Service (RaaS) operation, which has claimed over 400 victims on its dark web leak site since it surfaced in August 2022.
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for nearly 400 victims on its dark web leak site.
Metrics
infrastructure
‎1.74.2
Software Version
Check Point Security Gateway Improper Authentication Vulnerability The CVE-2026-42271 flaw is a privilege escalation and remote code execution vulnerability in LiteLLM affecting versions 1.74.2 through 1.83.6.
Metrics
infrastructure
‎1.83.6
Software Version
Check Point Security Gateway Improper Authentication Vulnerability The CVE-2026-42271 flaw is a privilege escalation and remote code execution vulnerability in LiteLLM affecting versions 1.74.2 through 1.83.6.
Metrics
infrastructure
‎1.83.7
Software Version
The vulnerability was fixed in LiteLLM version 1.83.7.
Intelligence Sources
BleepingComputer 2026-06-09
Security Affairs 2026-06-09
Dark Reading 2026-06-08
The Register - Cybercrime 2026-06-08
The Hacker News 2026-06-08
BleepingComputer 2026-06-08
Infosecurity-Magazine 2026-06-09
Bit Life Media 2026-06-09
Infosecurity-Magazine 2026-06-09
The Register - Cybercrime 2026-06-08