NEWS 9.3/10 in Check Point. Hackers have learned to get into corporate VPNs without credentials – and are already doing so

pinkman

Check Point reported a critical vulnerability in Remote Access VPN, rated 9.3 on the CVSS scale, which allows authentication to be bypassed without a password.

Check Point has warned of real attacks exploiting the critical vulnerability CVE-2026-50751, which allows an attacker to connect to a protected network without a valid user password.

The problem affects Check Point Remote Access VPN and Mobile Access when the legacy IKEv1 key exchange protocol is enabled. According to Check Point Research, attackers exploit a flaw in how the system validates certificates. In a successful attack, they can establish a remote access session and bypass the normal authentication check.

A connection to the VPN does not by itself give full control over the internal network. To reach company resources or escalate privileges, the attackers need to take further steps after getting in. However, the very fact that the password can be bypassed makes the vulnerability especially dangerous, since VPNs usually sit at the edge of corporate infrastructure.

CVE-2026-50751 (CVSS:3.1/AV:N/AV:L/C/I::C/I::L/A:::L/A:N – 9.3 Critical) is already being exploited in real attacks. So far, only a few dozen targeted organizations around the world are known, but in one case, after the compromise, activity associated with an affiliate of the Qilin ransomware group was confirmed.

The first signs of exploitation, according to Check Point, date back to May 7, 2026. The investigation began on June 4 after suspicious activity was seen and the number of attack attempts increased in early June. Response teams are advised to check event logs and VPN settings starting from the earliest known date of exploitation.

According to the company, the attacks are attributed, with a moderate degree of confidence, to a financially motivated attacker who uses Qilin ransomware. Check Point also believes that the same infrastructure can be used to exploit other vulnerabilities in VPN solutions, including Palo Alto, Fortinet and F5 products. From some indicators of activity, experts saw that the attackers could use the Tox protocol to communicate, which is often seen among ransomware operators.

The attackers used dedicated virtual servers from different vendors, including Kaupo Cloud HK, Shock Hosting and Vultr Holdings. In some cases, the infrastructure was chosen with the victim's country in mind: attacks on an organization in Taiwan used servers geographically tied to Taiwan. After successful access, Check Point saw overlaps with Linux samples of Qilin ransomware and attempts to download malicious ELF files from the attackers' servers.

During the investigation, Check Point also found a second vulnerability, CVE-2026-50752 (CVS:3.1/AV/AC/N/AC:H/N/UI:X::H/I/A:H/A:N – 7.4 High). It is also related to how certificates are validated in the legacy IKEv1, but it affects site-to-site VPN connections and under certain conditions allows a "person in the middle" attack. The company does not yet see signs of exploitation in real attacks.

Mobile Access, SSL VPN, Remote Access VPN, Security Gateways and Spark Firewall are at risk in versions R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82.00, R82.00.X and R82.10, including a number of versions whose support has ended. Check Point has released fixes and recommends updating all affected gateways immediately. If an update cannot be installed quickly, administrators should check the remote access settings and disable dangerous configurations that use the legacy IKEv1.
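
One way to scope the log review recommended above, as an added example that is not from Check Point or the original post: it filters a constructed session export for IKEv1 remote access sessions established on or after May 7, 2026 and ranks them for review. The CSV column names, event names and ranking heuristics are assumptions; map them to the fields your gateway's log export actually provides.

```python
import csv
import io
from datetime import datetime, timezone

# Earliest exploitation date given in the article (Check Point: May 7, 2026).
EARLIEST_KNOWN = datetime(2026, 5, 7, tzinfo=timezone.utc)
# Hosting vendors the article names as attacker infrastructure.
NAMED_HOSTERS = ("kaupo cloud hk", "shock hosting", "vultr holdings")

# Constructed sample export. Column and event names are hypothetical,
# not a Check Point log schema; addresses are documentation ranges.
SAMPLE_EXPORT = """time,src_ip,src_org,ike_version,event,user
2026-05-02T08:11:00Z,198.51.100.7,Example ISP,IKEv1,ra_session_established,alice
2026-05-09T02:40:13Z,203.0.113.45,Vultr Holdings LLC,IKEv1,ra_session_established,
2026-05-20T09:05:51Z,192.0.2.10,Example ISP,IKEv2,ra_session_established,bob
2026-06-03T23:17:29Z,203.0.113.88,Example Telecom,IKEv1,ra_session_established,carol
2026-06-04T01:02:03Z,198.51.100.99,Shock Hosting LLC,IKEv1,ike_negotiation_failed,
"""

def triage(export_text, since=EARLIEST_KNOWN):
    """Return IKEv1 remote access sessions in the review window, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.fromisoformat(row["time"].replace("Z", "+00:00"))
        if when < since or row["ike_version"].strip().lower() != "ikev1":
            continue  # outside the window, or not the legacy protocol
        if row["event"] != "ra_session_established":
            continue  # only sessions that were actually established
        reasons = ["IKEv1 session in exploitation window"]
        # Assumed heuristic: a session with no user identity deserves a closer look.
        if not row["user"].strip():
            reasons.append("no user identity recorded")
        # Weak indicator only: these vendors also host legitimate traffic.
        if any(h in row["src_org"].lower() for h in NAMED_HOSTERS):
            reasons.append("source hosted at vendor named in the report")
        findings.append({"time": row["time"], "src_ip": row["src_ip"], "reasons": reasons})
    # More reasons first; timestamps break ties so the order is stable.
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["time"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f["time"], f["src_ip"], "; ".join(f["reasons"]))
```

Every IKEv1 session in the window is returned, not only the ones with extra flags, because the article gives no indicator that separates a bypassed login from a legitimate one.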
 