Check Point has reported active exploitation of critical vulnerability CVE-2026-50751 (CVSS 9.3) in its Remote Access VPN and Mobile Access products. The vulnerability allows an unauthenticated attacker to bypass authentication and establish a VPN session without a valid password by abusing a logical error in the certificate validation procedure when using the deprecated IKEv1 protocol. According to the vendor, the attacks have affected several dozen organizations worldwide, with the earliest traces of exploitation dating back to May 2026. Check Point administrators with remote VPN access enabled via IKEv1 must install the released fixes immediately.
Technical details of the vulnerability
The root cause is a logical error in the certificate validation process (logic flow weakness in certificate validation). Under a certain gateway configuration, an attacker can bypass authentication requirements and establish a full VPN session without presenting a valid password. According to Check Point, once the session is established, additional actions are required to access internal resources or escalate privileges. The authentication bypass by itself does not provide immediate full control over the network, but it does create an entry point.
To successfully exploit CVE-2026-50751, four conditions must be met simultaneously:
- VPN Remote Access or Mobile Access is enabled on the gateway
- The IKEv1 protocol is used for remote access
- The gateway accepts connections from legacy Remote Access clients
- The gateway does not require a machine certificate for connection
Affected products and versions
According to the security bulletin, the vulnerability affects:
- Security Gateways: R82.10 Jumbo Hotfix Take 19 and below, R82 Jumbo Hotfix Take 103 and below, R81.20 Jumbo Hotfix Take 141 and below, as well as End-of-Support versions — R81.10, R81, R80.40
- Spark Firewalls: R80.20.X (End of Support), R81.10.X, R82.00.X
It is particularly noteworthy that a significant portion of the vulnerable versions are already in End of Support (EOS) status. Organizations using these versions are not only exposed to this vulnerability, but are also unable to obtain an official fix through standard channels.
Second vulnerability: CVE-2026-50752
During analysis of the affected VPN components, an additional vulnerability was identified — CVE-2026-50752 (CVSS 7.4). It could potentially enable an adversary-in-the-middle attack against site-to-site VPN connections. According to the vendor, there is currently no evidence of this vulnerability being exploited in real-world attacks.
Threat context and observed activity
According to Check Point, the first signs of suspicious activity were recorded on 4 June 2026, but retrospective analysis showed that the earliest exploitation cases date back to 7 May 2026. The intensity of attacks has reportedly increased significantly this month. The vendor assesses the overall scale of the campaign as limited — several dozen organizations worldwide have been affected.
A distinctive feature of the observed attacks is the use of VPS infrastructure whose geolocation matches the country where the target organization is located. This approach makes it harder to detect connection anomalies based on geography. After gaining access, the attackers, according to Check Point, attempted to download malicious ELF files from attacker-controlled infrastructure.
Some elements of the observed activity reportedly overlap with the Ctrl-Alt-Intel report on the use of corporate VPN appliances for initial access by ransomware operators. However, it should be noted that attribution to specific groups at this stage is based on limited sources and must be interpreted with caution.
Impact assessment
The criticality of CVE-2026-50751 is determined by several factors. First, VPN gateways are by nature entry points into the corporate network — compromising authentication at this level can potentially open access to the entire internal infrastructure. Second, the IKEv1 protocol is officially considered deprecated but continues to be used in organizations with legacy infrastructure, where migration to IKEv2 is postponed due to compatibility with outdated clients. Third, the CVSS score of 9.3 and confirmed exploitation in real attacks place this vulnerability in the highest-priority category.
The greatest risk is faced by organizations that:
- Use Check Point for employee remote VPN access
- Have not migrated from IKEv1 to IKEv2
- Run End-of-Support versions (R80.40, R81, R81.10)
- Do not require machine certificates for connection
Mitigation recommendations
- Install the fixes immediately. Check Point has released hotfixes for supported versions. Given the confirmed exploitation, this is the highest priority.
- Disable IKEv1 for remote access. Where business processes allow, migrate all VPN connections to IKEv2. This removes the primary attack vector.
- Enable the requirement for a machine certificate. This is one of the four exploitation conditions — enabling it blocks the attack even on unpatched systems.
- Disable support for legacy Remote Access clients. If legacy clients are not in use, disabling their support closes another required condition.
- Audit VPN logs. Review logs for anomalous VPN sessions starting from May 2026, paying particular attention to connections from VPS providers and attempts to download ELF files after a session is established.
- For End-of-Support systems, plan an emergency migration to supported versions. As a temporary measure, restrict access to the VPN gateway by IP address or disable remote access via IKEv1.
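The log audit recommended in the list above, sketched as an added example (not Check Point tooling and not a real log format): it classifies the session source by hosting range rather than by country, since the observed VPS nodes sat in the victim's own country, and correlates each IKEv1 session with ELF downloads from its tunnel address. Field names, the two-hour window, the network ranges and all records are assumptions constructed for illustration.

```python
# Added example: field names, ranges and records are constructed for illustration.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

AUDIT_FROM = datetime(2026, 5, 1)   # page: review sessions from May 2026 onward
# Stand-ins for a hosting/VPS range feed (RFC 5737 documentation networks).
HOSTING_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
WINDOW = timedelta(hours=2)         # assumed look-ahead after session start

def from_hosting(ip):
    return any(ip_address(ip) in net for net in HOSTING_NETS)

def is_elf(magic_hex):
    return bytes.fromhex(magic_hex)[:4] == b"\x7fELF"

def review(sessions, transfers):
    """Return [(user, reasons)] for IKEv1 sessions that deserve a closer look."""
    findings = []
    for s in sessions:
        start = datetime.fromisoformat(s["start"])
        if s["ike"] != "IKEv1" or start < AUDIT_FROM:
            continue
        reasons = []
        if from_hosting(s["src_ip"]):
            reasons.append("source in hosting range")
        for t in transfers:
            when = datetime.fromisoformat(t["time"])
            if (t["client_ip"] == s["tunnel_ip"] and is_elf(t["magic"])
                    and start <= when <= start + WINDOW):
                reasons.append("ELF download " + t["url"])
        if reasons:
            findings.append((s["user"], reasons))
    return findings

SESSIONS = [  # constructed VPN session records
    {"user": "alice", "src_ip": "203.0.113.40", "tunnel_ip": "10.8.0.12",
     "ike": "IKEv1", "start": "2026-05-19T02:14:00"},
    {"user": "bob", "src_ip": "192.0.2.77", "tunnel_ip": "10.8.0.13",
     "ike": "IKEv1", "start": "2026-05-20T09:00:00"},
    {"user": "carol", "src_ip": "198.51.100.9", "tunnel_ip": "10.8.0.14",
     "ike": "IKEv2", "start": "2026-06-01T09:00:00"},
]
TRANSFERS = [  # constructed proxy records; magic = first bytes of the body, hex
    {"client_ip": "10.8.0.12", "time": "2026-05-19T02:31:00",
     "url": "http://files.example/a.bin", "magic": "7f454c46"},
    {"client_ip": "10.8.0.13", "time": "2026-05-20T09:10:00",
     "url": "http://files.example/doc.pdf", "magic": "25504446"},
]
print(review(SESSIONS, TRANSFERS))
```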
Organizations using Check Point VPN with the IKEv1 protocol should treat hotfix deployment as a matter of hours, not days. In parallel, they must verify whether the four exploitation conditions are met and eliminate at least one of them at the configuration level — this will provide protection even if patching is delayed. The long-term recommendation is a complete abandonment of IKEv1 in favor of IKEv2, which eliminates an entire class of attacks associated with the deprecated protocol.
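One way to run the check described above across a gateway inventory, written for this page and not taken from Check Point: it applies the Security Gateway version ranges and the four exploitation conditions listed earlier, and reports which condition already breaks the chain. Inventory field names and hosts are hypothetical; Spark Firewalls are left out because the page gives no Take threshold for them.

```python
# Added example; inventory field names are hypothetical, hosts are constructed.
from typing import NamedTuple

# Highest affected Jumbo Hotfix Take per release, as listed on this page.
AFFECTED_MAX_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
END_OF_SUPPORT = {"R81.10", "R81", "R80.40"}   # affected, no standard fix

class Gateway(NamedTuple):
    name: str
    version: str
    jumbo_take: int
    remote_access_enabled: bool     # Remote Access VPN or Mobile Access
    ikev1_remote_access: bool
    legacy_clients_accepted: bool
    machine_cert_required: bool

def build_status(gw):
    if gw.version in END_OF_SUPPORT:
        return "eos"
    limit = AFFECTED_MAX_TAKE.get(gw.version)
    if limit is None:
        return "unlisted"           # release not named on this page
    return "affected" if gw.jumbo_take <= limit else "above-affected-take"

def unmet_conditions(gw):
    """Names of the four exploitation conditions that do NOT hold."""
    checks = {
        "remote_access_enabled": gw.remote_access_enabled,
        "ikev1_remote_access": gw.ikev1_remote_access,
        "legacy_clients_accepted": gw.legacy_clients_accepted,
        "machine_cert_not_required": not gw.machine_cert_required,
    }
    return [name for name, holds in checks.items() if not holds]

def triage(gw):
    status = build_status(gw)
    if status in ("unlisted", "above-affected-take"):
        return status
    action = "migrate" if status == "eos" else "patch"
    exposed = not unmet_conditions(gw)   # all four conditions hold
    return ("exposed-" if exposed else "config-mitigated-") + action

INVENTORY = [
    Gateway("gw-hq", "R81.20", 141, True, True, True, False),
    Gateway("gw-branch", "R82", 103, True, True, True, True),
    Gateway("gw-old", "R80.40", 0, True, True, True, False),
    Gateway("gw-dc", "R82.10", 20, True, True, True, False),
]
for gw in INVENTORY:
    print(gw.name, triage(gw), unmet_conditions(gw))
```

A `config-mitigated-*` result still needs the fix or migration; it only means one of the four conditions is already absent on that gateway.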