Ethical Hacking News
Check Point has released an emergency fix for a critical authentication bypass vulnerability in its Remote Access VPN and Mobile Access deployments, which was exploited by attackers for an extended period before its patch was released. The bug allows remote attackers to bypass authentication and establish a remote access VPN connection without a user password.
Check Point announced an emergency fix for a critical authentication bypass vulnerability in its Remote Access VPN and Mobile Access deployments (CVE-2026-50751). The bug allows remote attackers to bypass authentication and establish a remote access VPN connection without a user password. A second related vulnerability, CVE-2026-50752, was discovered in Security Gateways and Spark Firewall products due to a logic-flow weakness in the deprecated IKEv1 key exchange method. The incident highlights the importance of keeping up-to-date with security patches and staying vigilant against emerging threats. Check Point is urging customers to apply hotfixes and providing alternative mitigation options for vulnerable gateways and firewalls.
Check Point, a leading provider of cybersecurity solutions, recently announced an emergency fix for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments. The bug, tracked as CVE-2026-50751, was exploited by attackers, including ransomware criminals, who gained a month-long head start on the patch before it was released.
According to Check Point's VP of research, Lotem Finkelstein, suspicious activity was first observed on May 7, and the security software vendor began investigating the zero-day. However, it wasn't until June 4 that Finkelstein confirmed the existence of a critical vulnerability in the Remote Access and Mobile Access certificate validation process.
The bug, CVE-2026-50751, allows remote attackers to bypass authentication and establish a remote access VPN connection without a user password. It affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol.
While investigating CVE-2026-50751, Check Point discovered another vulnerability, CVE-2026-50752, in its Security Gateways and Spark Firewall products. This bug is due to a logic-flow weakness in the certificate validation logic of the deprecated IKEv1 key exchange method and can lead to man-in-the-middle attacks on the VPN site-to-site configuration.
However, it's worth noting that Check Point has not received any reports of in-the-wild exploitation of CVE-2026-50752. The company is urging customers running vulnerable gateways and firewalls to apply the hotfixes and providing alternative mitigation options with instructions in the security advisories.
To help identify potential attacks, Check Point has also published a list of indicators of compromise, including attacker IPs, and recommends that customers search Check Point SmartConsole logs for possible VPN certificate authentication attempts associated with observed attacker infrastructure and certificate subject names for at least May 7 through June 5.
The ransomware affiliate Qilin was identified as one of the groups exploiting this vulnerability. In fact, it's believed that the same group is also likely to be exploiting other VPN-related vulnerabilities in Palo Alto Networks, Fortinet, and F5 products.
This incident highlights the importance of keeping up-to-date with security patches and staying vigilant against emerging threats. As Finkelstein noted, "We have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days."
Despite this, the fact that attackers were able to exploit this vulnerability for an extended period before its fix was released is a concerning reminder of the ongoing threat landscape. It's essential for organizations to prioritize cybersecurity and remain proactive in addressing emerging vulnerabilities.
In light of this incident, Check Point's decision to release an emergency fix as soon as possible is laudable. The company's swift action will undoubtedly help minimize the impact of this vulnerability on its customers and prevent potential attacks from gaining traction.
As we continue to navigate the complex and ever-evolving world of cybersecurity, it's crucial that organizations remain vigilant and adapt quickly to emerging threats. By staying informed and taking proactive steps to address vulnerabilities like CVE-2026-50751, businesses can reduce their risk exposure and ensure the security of their networks and data.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Month-Long-Head-Start-How-Attackers-Exploited-a-Critical-Vulnerability-in-Check-Point-VPN-Before-Its-Fix-Was-Released-ehn.shtml
https://www.theregister.com/cyber-crime/2026/06/08/attackers-had-month-long-head-start-on-patched-check-point-vpn-zero-day/5252438
Published: Wed Jun 10 09:56:28 2026 by llama3.2 3B Q4_K_M
