Ethical Hacking News
Check Point warns of a critical vulnerability in IKEv1 VPN protocols that allows attackers to bypass user authentication and gain access to internal resources. Organizations using affected systems are advised to take immediate action to secure their networks.
* Check Point's Remote Access VPN and Mobile Access deployments configured with the Internet Key Exchange version 1 (IKEv1) key exchange protocol are vulnerable to a critical security breach.
* A logic flow weakness in certificate validation allows an unauthenticated attacker to bypass user authentication and gain unauthorized access.
* The vulnerability affects various Check Point products and versions, including Security Gateways and Spark Firewalls.
* The successful exploitation of this vulnerability requires specific conditions to be met, including the presence of legacy Remote Access clients.
* Check Point has observed indications of suspicious activity starting on June 4, 2026, with exploitation efforts currently targeting a few dozen organizations globally.
* The attackers may use virtual private servers (VPS) infrastructure to conduct attacks and download malicious files from actor-controlled infrastructure.
A recent discovery has exposed a critical vulnerability in Check Point's Remote Access VPN and Mobile Access deployments configured to use the deprecated Internet Key Exchange (IKE) version 1 (IKEv1) key exchange protocol. This vulnerability, tracked as CVE-2026-50751 with a CVSS score of 9.3, represents a significant threat to organizations relying on these systems for secure remote access.
The vulnerability lies in a logic flow weakness in certificate validation, which allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. This enables the attacker to gain unauthorized access to internal resources or escalate privileges, potentially leading to serious security breaches. Check Point has warned that exploitation of this vulnerability is active and that targeted organizations are already being impacted.
The vulnerability affects various products and versions of Check Point's Security Gateways and Spark Firewalls, including:
* Security Gateways: R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (EOS), R81 (EOS), and R80.40 (EOS)
* Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X
The successful exploitation of this vulnerability requires several conditions to be met:
1. VPN Remote Access or Mobile Access is enabled
2. IKEv1 is enabled for remote access
3. Gateways accept legacy Remote Access clients
4. Gateways do not demand a machine certificate for connections
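As an added example (not Check Point tooling and not part of the original article), the affected-version list and the four conditions above can be combined into an inventory triage. The inventory field names are hypothetical and the sample gateways are constructed; the real values have to come from each gateway's own configuration.

```python
import re

# Highest affected Jumbo Hotfix Take per gateway release (None = EOS, no take threshold).
GATEWAY_MAX_AFFECTED_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141,
                             "R81.10": None, "R81": None, "R80.40": None}
# Spark release trains listed as affected; the page gives no fixed build for them.
SPARK_AFFECTED = re.compile(r"^(R80\.20|R81\.10|R82\.00)\.\w+$")

def version_affected(product, version, take=0):
    """True if the release appears in the affected list (unknown take counts as 0)."""
    if product == "spark":
        return bool(SPARK_AFFECTED.match(version))
    if version not in GATEWAY_MAX_AFFECTED_TAKE:
        return False
    limit = GATEWAY_MAX_AFFECTED_TAKE[version]
    return limit is None or take <= limit

def unmet_conditions(gw):
    """Names of the four exploitation preconditions that do NOT hold on this gateway."""
    checks = {
        "remote_or_mobile_access_enabled": gw["remote_access"] or gw["mobile_access"],
        "ikev1_enabled_for_remote_access": gw["ikev1_remote_access"],
        "legacy_clients_accepted": gw["accepts_legacy_clients"],
        "machine_cert_not_required": not gw["requires_machine_cert"],
    }
    return [name for name, holds in checks.items() if not holds]

def triage(gw):
    """'exposed', 'affected-version:<unmet conditions>', or 'version-not-listed'."""
    if not version_affected(gw["product"], gw["version"], gw.get("take", 0)):
        return "version-not-listed"
    unmet = unmet_conditions(gw)
    return "exposed" if not unmet else "affected-version:" + ",".join(unmet)

# Constructed sample inventory; the field names are hypothetical, not Check Point's.
def record(name, product, version, take=0, ra=True, ma=False, ikev1=True, legacy=True, mcert=False):
    return {"name": name, "product": product, "version": version, "take": take,
            "remote_access": ra, "mobile_access": ma, "ikev1_remote_access": ikev1,
            "accepts_legacy_clients": legacy, "requires_machine_cert": mcert}

INVENTORY = [
    record("gw-a", "gateway", "R81.20", take=120),
    record("gw-b", "gateway", "R82", take=110),
    record("gw-c", "spark", "R81.10.15", ikev1=False),
    record("gw-d", "gateway", "R80.40", mcert=True),
]

if __name__ == "__main__":
    print([(g["name"], triage(g)) for g in INVENTORY])
```

A gateway reported as `affected-version:...` still runs a listed release and becomes exposed as soon as the named setting changes, so it belongs on the patch list as well.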
Check Point has observed indications of suspicious activity starting on June 4, 2026, with the earliest recorded exploitation dating back to May 7, 2026. Exploitation efforts have ramped up since then and are currently limited to a few dozen targeted organizations globally.
In one instance, post-exploitation phases were associated with a Qilin ransomware affiliate. Check Point has identified indicators suggesting that the actor may use the Tox protocol for communication, which is commonly used by financially motivated ransomware actors.
A key aspect of this threat is the use of virtual private server (VPS) infrastructure to conduct attacks: the actor relies on VPS hosts geolocated in a particular country to target organizations within its borders. Once access was established, attackers were found attempting to download malicious ELF files from actor-controlled infrastructure.
This vulnerability overlaps with another report from Ctrl-Alt-Intel last month, which highlighted the ransomware crew's abuse of corporate VPN appliances for initial access. Check Point Research has also uncovered a second vulnerability, CVE-2026-50752 (CVSS score: 7.40), which may allow an adversary-in-the-middle (AitM) attack on VPN site-to-site connections. However, there is no evidence that the latter flaw has been exploited in real-world attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply fixes by June 11, 2026.
Published: Wed Jun 10 15:47:55 2026 by llama3.2 3B Q4_K_M