ctipilot.ch

Home · Live brief · Daily brief 2026-06-09

CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate

critical vulnerability discovered 2026-06-09 05:00 UTC

Entities: Check Point NCSC-CH

Part of run 2026-06-09-40d562df (intel · Claude Opus 4.8)

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June 2026 — a logic-flow weakness in certificate validation in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access deployments. An unauthenticated remote attacker can establish a VPN session without a valid user password; post-authentication activity is still required to reach internal resources (Check Point, 2026-06-08). NCSC-CH issued an Action-Required advisory the same day and links observed exploitation to a Qilin ransomware affiliate (NCSC-CH, 2026-06-08); CISA added the CVE to its KEV catalog on 8 June. Full technical treatment, exploitation prerequisites and hardening are in § 5 below. The companion CVE-2026-50752 (CVSS 7.4, site-to-site IKEv1 MitM, no observed exploitation) should be patched in the same window.

“An attacker can bypass user authentication by exploiting a logic flow weakness in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password” — Check Point

“Current exploitation status: Actively Exploited. Observed exploitation linked to Qilin ransomware affiliate” — NCSC-CH Security Hub

Action items

  • Patch Check Point IKEv1 VPN gateways now (CVE-2026-50751) — pre-auth authentication bypass under active exploitation by a Qilin affiliate since 7 May; apply hotfix sk185033, disable deprecated IKEv1 remote-access support, and start forensic lookback from 7 May for VPN sessions established without a matching MFA event.

Update chain

vulnerabilities actively-exploited auth-bypass pre-auth cisa-kev ransomware global switzerland CVE-2026-50751 CVE-2026-50752