
Qilin Ransomware Is Now Exploiting the Check Point VPN Flaw — Here's How to Tell If You're at Risk and What to Do

A Qilin ransomware affiliate is actively exploiting CVE-2026-50751, a critical Check Point VPN flaw that lets attackers bypass passwords entirely. Here's how to check your exposure and stop it.

Update: What's New Since Our Initial Report

We first covered the Check Point VPN vulnerability earlier this week. Since then, significant new details have emerged: Help Net Security has confirmed that a Qilin ransomware affiliate is behind at least one post-compromise incident, and Check Point has now disclosed a second related vulnerability (CVE-2026-50752). Researchers have also identified the specific infrastructure and tools being used in the attacks — details that make it much easier to spot an intrusion if it's already happened. Here's everything you need to know.


If your business uses Check Point VPN — whether for remote employees, mobile workers, or site-to-site connections — stop what you're doing and read this. A critical vulnerability is being actively exploited right now, ransomware groups are already involved, and some businesses were compromised weeks before the vulnerability was even publicly disclosed.

What Is CVE-2026-50751?

The Hacker News reports that CVE-2026-50751 carries a CVSS score of 9.3 out of 10, placing it firmly in the critical range. The flaw lives in the certificate validation logic of Check Point's Remote Access VPN and Mobile Access products. Normally, a remote access VPN session is only established after the user authenticates, typically with a username and password. This vulnerability breaks that assumption.

An unauthenticated remote attacker can exploit a logic flaw in how the system validates certificates to establish a full VPN session without ever providing a valid password. Once they're in, they still need to take additional steps to access internal resources or escalate privileges — but getting past the front door is the hard part, and this flaw hands it to them on a silver platter.

The catch? The vulnerability is only exploitable when a specific set of conditions is met:

  • VPN Remote Access or Mobile Access is enabled
  • IKEv1 is enabled for remote access (IKEv1 is a deprecated key exchange protocol)
  • The gateway accepts legacy Remote Access clients
  • The gateway does NOT require a machine certificate for connections

If all four of those conditions are true in your environment, you are potentially exposed.

Which Products Are Affected?

According to The Hacker News, the following Check Point products and versions are impacted:

Security Gateways:

  • R82.10 — Jumbo Hotfix Take 19 or below
  • R82 — Jumbo Hotfix Take 103 or below
  • R81.20 — Jumbo Hotfix Take 141 or below
  • R81.10, R81, and R80.40 (all End-of-Support)

Spark Firewalls (marketed toward small and medium-sized businesses and MSPs):

  • R80.20.X (End-of-Support)
  • R81.10.X
  • R82.00.X

If you're a small or medium-sized business running Check Point Spark firewalls — a product line specifically designed for your market — pay close attention. This isn't just an enterprise problem.

Who Is Doing This — and How?

Check Point says it first noticed suspicious activity on June 4, 2026, but when investigators dug deeper, they found the earliest known attacks actually go back to May 7, 2026 — meaning some organizations were compromised a full month before the public disclosure.

Help Net Security reports that at least one confirmed post-compromise case has been attributed to a Qilin ransomware affiliate. The attacker's toolkit includes:

  • Rclone (an open-source cloud sync tool) used to quietly exfiltrate data before any ransom demand
  • Possible use of the Tox protocol for command-and-control communication — a pattern Check Point describes as common among financially motivated ransomware actors
  • Virtual Private Servers (VPS) hosted through Kaupo Cloud HK, Shock Hosting, and Vultr Holdings to route attacks and obscure the attacker's origin
  • In some cases, VPS servers were geolocated to match the victim's country — a deliberate tactic to make malicious traffic look local

After gaining VPN access, attackers were observed attempting to download malicious ELF files from attacker-controlled infrastructure, suggesting further payload deployment was part of the plan.

Check Point also noted that the same threat actor infrastructure appears to be targeting other VPN vulnerabilities from Palo Alto Networks, Fortinet, and F5 — reinforcing a pattern we've seen repeatedly this year where one ransomware crew systematically works through multiple known VPN flaws.

A Second Vulnerability Was Found

While investigating CVE-2026-50751, Check Point researchers uncovered a second flaw: CVE-2026-50752, with a CVSS score of 7.4. This one could allow an adversary-in-the-middle (AitM) attack on VPN site-to-site connections. The Hacker News notes there is currently no evidence this second flaw has been exploited in the wild, but it should be addressed in the same patching cycle.

Signs of Compromise to Watch For

Check Point has released indicators of compromise (IOCs). If your security or IT team is investigating, prioritize these:

  • Successful Remote Access VPN sessions with no corresponding password authentication event, since a bypass of the certificate check leaves exactly that gap in the login trail
  • IKEv1 connection attempts from unfamiliar IP addresses, particularly from VPS hosting providers
  • Rclone process activity on internal systems — this tool should not be running unless your team put it there
  • Outbound connections to unfamiliar infrastructure from systems that don't normally make them
  • ELF file downloads on systems that shouldn't be downloading Linux binaries
  • Log entries dating back to May 7, 2026 — the earliest known exploitation date

Check Point recommends incident response teams start their forensic log audits from that date.
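To make those indicators concrete, here is an added example (ours, not Check Point tooling) that triages VPN session records against them: an IKEv1 session with no password step in its authentication trail, a source address in a VPS range or outside your known ranges, and a legacy client connecting over IKEv1, all restricted to the audit window starting May 7, 2026. The pipe-delimited record layout, the sample lines, the client labels and the address ranges are constructed for the example; Check Point exports do not look like this, so map your own SmartLog or syslog fields onto `parse_line` before using it, and treat the "password" auth-event field as an assumption about what your gateway logs.

```python
"""Triage constructed VPN session records against the IOCs above.

Added example for this article, not Check Point tooling. The record layout
(time|src_ip|user|ike_version|auth_events|client), the sample lines and the
address ranges are all constructed; map your own gateway export onto parse_line.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Earliest known exploitation per Check Point; forensic audits start here.
EARLIEST_KNOWN_EXPLOITATION = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Constructed placeholders using RFC 5737 documentation ranges. Replace
# TRUSTED_SOURCE_NETS with your remote workers' known egress ranges and
# VPS_NETS with current prefixes for the hosting providers named above.
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
VPS_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample export: one session per line.
SAMPLE_LOG = """\
2026-05-09T02:14:07Z|198.51.100.23|jsmith|1|certificate|legacy-client
2026-05-20T09:30:00Z|203.0.113.45|amiller|2|certificate,password|current-client
2026-04-30T11:00:00Z|198.51.100.9|svc-backup|1|certificate|legacy-client
2026-06-02T23:58:41Z|192.0.2.77|rgarcia|1|certificate|legacy-client
"""


@dataclass(frozen=True)
class VpnSession:
    when: datetime
    src_ip: str
    user: str
    ike_version: int
    auth_events: frozenset  # authentication steps the gateway logged, e.g. {"certificate", "password"}
    client: str


def parse_line(line):
    """Parse one constructed record; raise ValueError on a malformed line."""
    fields = line.strip().split("|")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    when, src_ip, user, ike, auth, client = fields
    return VpnSession(
        when=datetime.fromisoformat(when.replace("Z", "+00:00")),
        src_ip=src_ip,
        user=user,
        ike_version=int(ike),
        auth_events=frozenset(a for a in auth.split(",") if a),
        client=client,
    )


def in_audit_window(session):
    """True if the session falls on or after the earliest known exploitation date."""
    return session.when >= EARLIEST_KNOWN_EXPLOITATION


def triage(session):
    """Return the list of indicator labels this session trips (empty = nothing flagged)."""
    hits = []
    src = ipaddress.ip_address(session.src_ip)
    # The flaw yields a session without a valid password, so an IKEv1 session whose
    # authentication trail lacks a password step is the primary signal.
    if session.ike_version == 1 and "password" not in session.auth_events:
        hits.append("ikev1-session-without-password-auth")
    if any(src in net for net in VPS_NETS):
        hits.append("source-in-vps-range")
    elif not any(src in net for net in TRUSTED_SOURCE_NETS):
        hits.append("source-outside-known-ranges")
    if session.ike_version == 1 and session.client.lower().startswith("legacy"):
        hits.append("legacy-client-over-ikev1")
    return hits


def report(log_text):
    """Return [(session, hits)] for in-window sessions with at least one hit, oldest first."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session = parse_line(line)
        hits = triage(session)
        if hits and in_audit_window(session):
            flagged.append((session, hits))
    return sorted(flagged, key=lambda pair: pair[0].when)


if __name__ == "__main__":
    for session, hits in report(SAMPLE_LOG):
        print(f"{session.when:%Y-%m-%d %H:%M}Z {session.src_ip:>15} {session.user:<12} {', '.join(hits)}")
```

A hit is a pointer for a human, not a verdict: an environment that legitimately runs certificate-only IKEv1 clients will light up on the first rule, which is itself a reason to revisit the four exposure conditions above. `report()` follows Check Point's advice and starts at May 7; drop the `in_audit_window` test to widen the search. Endpoint-side indicators (Rclone processes, unexpected ELF downloads) live in EDR or host logs and are outside what this script sees.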

How to Patch or Mitigate Right Now

Option 1 — Patch (Preferred): Upgrade to the fixed hotfix versions:

  • R82.10: Jumbo Hotfix Take 20 or above
  • R82: Jumbo Hotfix Take 104 or above
  • R81.20: Jumbo Hotfix Take 142 or above

If you're running an End-of-Support version (R81.10, R81, R80.40, R80.20.X), upgrading to a supported release is your only long-term option.

Option 2 — Mitigate Without Patching: If an immediate upgrade isn't possible, Help Net Security outlines three mitigation steps you can take now:

  1. Disable IKEv1 for remote access — this breaks the attack chain entirely
  2. Remove support for legacy Remote Access client connections
  3. Require a machine certificate for all gateway connections

Any one of these removes a required condition for exploitation, so even one closes the hole; implementing all three is ideal. Each of them can also cut off older clients that still depend on IKEv1 or legacy Remote Access connections, so check which clients are actually in use before changing a production gateway, and verify afterward that the gateway no longer accepts what you disabled.

What Yuba City Businesses Should Know

If your business uses Check Point VPNs — or if you work with a managed IT provider who set up your network — now is the time to ask directly: Are we running IKEv1? Have we checked our logs since May 7? Don't assume someone else already checked.

For local businesses managing their own network equipment, this is exactly the kind of situation where a quick configuration review can prevent a very expensive ransomware incident. If you're unsure whether your VPN setup is affected or need help reviewing your logs, we're happy to take a look — reach us at (530) 645-7007 or stop by 229 Clark Ave Suite E in Yuba City during our regular hours.

The window between "vulnerability disclosed" and "ransomware deployed" is shrinking. In this case, attackers had a month-long head start before most defenders even knew the flaw existed. The time to act is now.
