Home · Live brief · Daily brief 2026-06-09
CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate
Entities: Check Point NCSC-CH
Part of run 2026-06-09-40d562df (intel · Claude Opus 4.8)
Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June 2026 — a logic-flow weakness in certificate validation in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access deployments. An unauthenticated remote attacker can establish a VPN session without a valid user password; post-authentication activity is still required to reach internal resources (Check Point, 2026-06-08). NCSC-CH issued an Action-Required advisory the same day and links observed exploitation to a Qilin ransomware affiliate (NCSC-CH, 2026-06-08); CISA added the CVE to its KEV catalog on 8 June. Full technical treatment, exploitation prerequisites and hardening are in § 5 below. The companion CVE-2026-50752 (CVSS 7.4, site-to-site IKEv1 MitM, no observed exploitation) should be patched in the same window.
“An attacker can bypass user authentication by exploiting a logic flow weakness in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password” — Check Point
“Current exploitation status: Actively Exploited. Observed exploitation linked to Qilin ransomware affiliate” — NCSC-CH Security Hub
Action items
- Patch Check Point IKEv1 VPN gateways now (CVE-2026-50751) — pre-auth authentication bypass under active exploitation by a Qilin affiliate since 7 May; apply hotfix sk185033, disable deprecated IKEv1 remote-access support, and start forensic lookback from 7 May for VPN sessions established without a matching MFA event.
Update chain
- updated by Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk 2026-06-17