
HiveForce Labs · Threat Advisory · Vulnerability Report
A critical zero-day in Check Point's Remote Access VPN and Mobile Access products (CVE-2026-50751) is under active exploitation, allowing unauthenticated attackers to bypass authentication via a legacy IKEv1 certificate validation flaw. At least one post-compromise intrusion has been attributed to a Qilin ransomware affiliate. A related vulnerability, CVE-2026-50752, was also disclosed — not yet exploited but equally urgent to patch.
Section 01
Check Point's Remote Access VPN and Mobile Access products are under active zero-day exploitation via CVE-2026-50751 — a logic error in the legacy IKEv1 certificate validation process classified as CWE-287 (Improper Authentication). An unauthenticated remote attacker can exploit this flaw to bypass authentication and establish a VPN connection without valid credentials. The earliest confirmed attacks date to May 7, 2026; activity intensified in early June and has impacted dozens of organizations worldwide. In at least one incident, post-compromise activity was attributed to a Qilin ransomware affiliate.
A second vulnerability, CVE-2026-50752 (CWE-295, CVSS 7.4), was identified in the same deprecated IKEv1 component via Check Point's BLAST AI-powered code security platform. It could enable a man-in-the-middle attacker to interfere with site-to-site VPN communications. No active exploitation has been observed, but patching is equally urgent. The campaign underscores the systemic risk of retaining legacy VPN protocols in production environments.
| CVE ID | Name | Affected Product | Zero-Day | CISA KEV | Patch |
|---|---|---|---|---|---|
| CVE-2026-50751 | Check Point Security Gateway Improper Authentication Vulnerability | Check Point Mobile Access / SSL VPN, Remote Access VPN, Spark Firewall | ✓ | ✓ | ✓ |
| CVE-2026-50752 | Check Point Security Gateway Certificate Validation Vulnerability | Check Point Security Gateways, Spark Firewall | – | – | ✓ |
Section 02
Root Cause: IKEv1 Logic Error (CWE-287)
CVE-2026-50751 stems from a logic error in the certificate validation process used by Check Point Remote Access VPN and Mobile Access when the legacy IKEv1 key exchange protocol is enabled. An unauthenticated remote attacker can bypass authentication and establish a full VPN connection without valid credentials. The flaw primarily impacts environments that allow legacy Remote Access client connections and do not enforce machine certificate authentication.
Scope: Affected Firmware Versions
The vulnerability affects Check Point Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall deployments running firmware versions R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, and R82.10. Organisations on end-of-support releases (R80.20.X, R80.40, R81, R81.10) face elevated risk as patches may be limited beyond the dedicated hotfix.
Active Exploitation & Qilin Ransomware Link
Check Point confirmed in-the-wild exploitation from May 7, 2026, with activity intensifying in early June across dozens of organisations worldwide. In at least one incident, post-compromise activity was linked to a Qilin ransomware affiliate. Investigators observed attackers operating from dedicated VPS infrastructure — including Kaupo Cloud HK, Shock Hosting, and Vultr Holdings — and cross-targeting similar VPN weaknesses in Palo Alto Networks, Fortinet, and F5 products.
Related Flaw: CVE-2026-50752 (CWE-295, CVSS 7.4)
Identified during a broader security review of the same deprecated IKEv1 component using Check Point's BLAST AI-powered code security platform, CVE-2026-50752 could enable a man-in-the-middle attacker to interfere with site-to-site VPN communications under specific conditions. No active exploitation has been observed, but the shared vulnerable component means patching both CVEs with the same hotfix release is strongly recommended.
| CVE ID | Affected Versions | Affected CPE | CWE |
|---|---|---|---|
| CVE-2026-50751 | R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10 | cpe:2.3:a:checkpoint:remote_access_vpn:*:*:*:*:*:*:*:*; cpe:2.3:a:checkpoint:security_gateway:*:*:*:*:*:*:*:* | CWE-287 |
| CVE-2026-50752 | R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10 | cpe:2.3:a:checkpoint:security_gateway:*:*:*:*:*:*:*:* | CWE-295 |
Section 03
Apply Security Hotfixes Immediately
Update all affected Check Point Security Gateways to the vendor-released hotfix without delay. This is the most direct mitigation for both CVE-2026-50751 and CVE-2026-50752. Refer to Check Point SK articles sk185033 and sk185035 for exact upgrade guidance and affected configurations.
Disable Deprecated IKEv1 Key Exchange
Configure global properties for Remote Access VPN authentication to use IKEv2 only, removing support for the deprecated IKEv1 protocol. This eliminates the vulnerable code path entirely and prevents exploitation even on unpatched systems — an immediate risk-reduction action independent of patch scheduling.
Remove Legacy Remote Access Client Support
Disable support for legacy Remote Access client connections and enforce Machine Certificate Authentication as mandatory for all VPN connections. This ensures only authorized, certificate-validated devices can establish VPN sessions, closing the attack surface exploited by CVE-2026-50751.
Conduct Forensic Log Audits
IR teams should review VPN authentication logs and gateway configurations from May 7, 2026 onward. Prioritise identifying unauthorized VPN sessions, unusual connection patterns, or connections originating from VPS providers including Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.
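An added example (not part of the advisory) of the triage this audit calls for: it walks constructed VPN authentication log lines, keeps successful sessions on or after May 7, 2026, and flags any that used the legacy IKEv1 path or came from a suspect VPS provider. The log format and the provider prefixes (RFC 5737 documentation ranges) are placeholders, since the advisory names the providers but lists no addresses.

```python
import ipaddress
from datetime import date

# Placeholder provider-to-prefix map. The advisory names these providers but
# gives no addresses, so RFC 5737 documentation ranges stand in here.
SUSPECT_PREFIXES = {
    "Kaupo Cloud HK": ["192.0.2.0/24"],
    "Shock Hosting": ["198.51.100.0/24"],
    "Vultr Holdings": ["203.0.113.0/24"],
}
EARLIEST_ATTACK = date(2026, 5, 7)  # earliest confirmed exploitation per the advisory

# Constructed sample log in a simple key=value layout (not Check Point's own format).
SAMPLE_LOG = """\
time=2026-05-06 src=10.0.0.5 user=alice ike=IKEv2 auth=success
time=2026-05-08 src=203.0.113.44 user=svc-backup ike=IKEv1 auth=success
time=2026-06-02 src=198.51.100.7 user=alice ike=IKEv1 auth=success
time=2026-06-03 src=10.0.0.9 user=bob ike=IKEv2 auth=fail
"""

def parse_line(line):
    """Split one key=value line into a dict and parse the ISO date."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["time"] = date.fromisoformat(fields["time"])
    return fields

def provider_for(ip):
    """Return the suspect provider whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in SUSPECT_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None

def triage(log_text):
    """Return (date, src, user, reasons) for successful sessions in the
    exploitation window that used IKEv1 or came from a suspect provider."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["time"] < EARLIEST_ATTACK or ev["auth"] != "success":
            continue
        reasons = []
        if ev["ike"] == "IKEv1":
            reasons.append("legacy IKEv1 session (vulnerable code path)")
        prov = provider_for(ev["src"])
        if prov:
            reasons.append(f"source in suspect VPS range ({prov})")
        if reasons:
            hits.append((ev["time"].isoformat(), ev["src"], ev["user"], reasons))
    return hits
```

Sessions before May 7 and failed authentications are skipped so reviewers see only the candidates that need manual follow-up.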
Enable IPS & Download Latest Signatures
Activate Check Point's Intrusion Prevention System (IPS) on all affected gateways and ensure the latest signature updates are deployed. This provides an additional detection layer for exploitation attempts targeting CVE-2026-50751 while patch deployment is in progress.
Upgrade End-of-Support Firmware
Organisations on end-of-support firmware (R80.20.X, R80.40, R81, R81.10) should plan an accelerated migration to a currently supported release. End-of-support products receive limited security updates and represent ongoing risk even after the dedicated hotfix is applied.
Section 04
The following IP addresses, MD5 hashes, and SHA256 hashes are associated with the active exploitation campaign targeting Check Point VPN deployments via CVE-2026-50751. Block at firewall, endpoint, and SIEM controls immediately.
Section 05
CVE-2026-50751 IKEv1 authentication bypass to gain unauthorized network access without valid credentials.
Section 06