
Critical Check Point VPN Flaw Is Being Actively Exploited — Here's How to Tell If You're Affected and What to Do Now

A critical authentication bypass vulnerability in Check Point VPN is being actively exploited by a Qilin ransomware affiliate. Here's what the flaw is, who's at risk, and the immediate steps to take.


If your business uses Check Point's Remote Access VPN or Mobile Access, stop what you're doing and read this. A critical, actively exploited vulnerability is allowing attackers to walk right past your VPN password — no credentials required — and at least one ransomware gang is already using it.

What Is CVE-2026-50751?

The Hacker News reports that Check Point has issued an urgent warning about CVE-2026-50751, a vulnerability scoring 9.3 out of 10 on the CVSS severity scale. That's about as serious as it gets.

The flaw lives in a logic error inside the certificate validation process of Check Point's VPN products. In plain English: when your VPN gateway is configured to use the IKEv1 key exchange protocol (an older, now-deprecated standard), an attacker on the internet — without any username or password — can trick the system into accepting their connection as legitimate. They effectively get a valid VPN session handed to them for free.

Help Net Security notes that once inside the network perimeter, an attacker still needs additional post-authentication steps to reach internal resources or escalate privileges. But that's cold comfort — getting past the front door is the hardest part, and this flaw eliminates that barrier entirely.

A second, related vulnerability — CVE-2026-50752 (CVSS score: 7.40) — has also been uncovered, which could allow an adversary-in-the-middle attack on VPN site-to-site connections. Check Point has found no evidence that this second flaw has been exploited yet.

Who Is Doing the Attacking?

According to Check Point's disclosure, as covered by Help Net Security, the confirmed post-compromise activity has been linked to a Qilin ransomware affiliate — a financially motivated threat actor. The attacker is believed to be using the open-source Rclone tool to exfiltrate data, and possibly the Tox protocol for communications, a pattern commonly associated with ransomware crews.

Critically, this appears to be the same threat actor infrastructure targeting VPN vulnerabilities across multiple vendors. Check Point specifically noted: "We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet and F5." That's not a coincidence — it's a systematic, opportunistic campaign sweeping through unpatched VPN appliances across the internet.

The attacks used a dedicated virtual private server (VPS) infrastructure, with The Hacker News noting that VPS servers were geolocated to match the geography of their targeted victims — a deliberate tactic to blend traffic in with local network patterns.

When Did This Start?

Check Point first observed suspicious activity on June 4, 2026, but forensic investigation traced the earliest confirmed exploitation back to May 7, 2026 — meaning attackers had over a month's head start before the vulnerability was publicly disclosed. Exploitation activity ramped up significantly in early June. So far, exploitation has been limited to a "few dozen targeted organizations globally," but that number will grow as awareness of the vulnerability spreads to less sophisticated attackers.

Are You Affected? Check These Conditions

This vulnerability only fires under a specific set of conditions. You're at risk if all of the following are true for your environment:

  • You're running Check Point Remote Access VPN or Mobile Access
  • Your gateway is configured to use the IKEv1 protocol for remote access
  • Your gateways accept legacy Remote Access clients
  • Your gateways do not require a machine certificate for connections

The affected product versions, per The Hacker News, include:

  • Security Gateways: R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, R81.10 (End of Support), R81 (End of Support), R80.40 (End of Support)
  • Spark Firewalls: R80.20.X (End of Support), R81.10.X, and R82.00.X

Notably, the Spark firewall line is marketed specifically toward small and medium-sized businesses and managed service providers — meaning this isn't just a concern for large enterprises.

What to Do Right Now

Step 1: Check your configuration. Log into your Check Point management console and verify whether IKEv1 is enabled for remote access. If you're not sure how to do this, loop in your IT team immediately.

Step 2: Apply the available patches. Check Point has released hotfix updates for supported versions. Upgrade to:

  • R82.10 Jumbo Hotfix Take 20 or above
  • R82 Jumbo Hotfix Take 104 or above
  • R81.20 Jumbo Hotfix Take 142 or above

If you're running an End of Support version (R81.10, R81, R80.40, or R80.20.X), upgrading to a supported release is now urgent — not optional.

Step 3: Apply configuration mitigations if patching is delayed. Per Help Net Security, you can reduce your exposure by:

  • Disabling the deprecated IKEv1 key exchange protocol
  • Removing support for legacy Remote Access client connections
  • Requiring a machine certificate for all gateway connections
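To make the "are you affected" conditions and the patch thresholds above concrete, here is an added triage script (not from the article, Check Point, or either cited outlet) that grades a constructed gateway inventory: it combines the four exposure conditions with the affected and fixed Jumbo Hotfix Takes listed above. The inventory, the Gateway field names and the status labels are assumptions for illustration; Spark builds have no Take threshold in the article, so they are simply flagged as affected.

```python
from dataclasses import dataclass
from typing import Optional

# Lowest Jumbo Hotfix Take that fixes CVE-2026-50751 (from the article).
FIXED_TAKE = {"R82.10": 20, "R82": 104, "R81.20": 142}
# End of Support releases: affected, no hotfix, upgrade required.
END_OF_SUPPORT = {"R81.10", "R81", "R80.40", "R80.20.X"}
# Spark firewall lines listed as affected (no Take threshold given).
SPARK_AFFECTED = {"R80.20.X", "R81.10.X", "R82.00.X"}


@dataclass
class Gateway:               # field names are assumptions for this example
    name: str
    release: str             # e.g. "R82.10"
    take: Optional[int]      # Jumbo Hotfix Take; None if unknown
    ikev1_remote_access: bool
    legacy_ra_clients: bool
    machine_cert_required: bool


def vulnerable_build(gw: Gateway) -> bool:
    """True if the installed build falls inside the affected range."""
    if gw.release in FIXED_TAKE:
        # Unknown Take is treated conservatively as unpatched.
        return gw.take is None or gw.take < FIXED_TAKE[gw.release]
    return gw.release in END_OF_SUPPORT or gw.release in SPARK_AFFECTED


def exposed_config(gw: Gateway) -> bool:
    """All exposure conditions from the advisory must hold at once."""
    return (gw.ikev1_remote_access and gw.legacy_ra_clients
            and not gw.machine_cert_required)


def triage(gw: Gateway) -> str:
    """EXPLOITABLE: patch AND harden now; PATCH: build old but config
    blocks the bypass; HARDEN: patched but IKEv1/legacy path still open."""
    vb, ec = vulnerable_build(gw), exposed_config(gw)
    if vb and ec:
        return "EXPLOITABLE"
    return "PATCH" if vb else ("HARDEN" if ec else "OK")


# Constructed sample inventory, not real hosts.
INVENTORY = [
    Gateway("hq-gw", "R82.10", 19, True, True, False),
    Gateway("branch-gw", "R81.20", 142, True, True, False),
    Gateway("lab-gw", "R81.10", None, False, True, False),
]

if __name__ == "__main__":
    for gw in INVENTORY:
        print(f"{gw.name}: {triage(gw)}")
```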

Step 4: Hunt for indicators of compromise. Check Point has published IoCs for this campaign. Incident response teams should audit forensic logs starting from May 7, 2026 — the earliest confirmed exploitation date. Look for unusual VPN session activity, unexpected ELF file downloads from external infrastructure, and any connections from IPs associated with hosting providers Kaupo Cloud HK, Shock Hosting, or Vultr Holdings.

Step 5: Don't forget the second CVE. Even though CVE-2026-50752 hasn't been exploited yet, patch it while you're in there. Unpatched secondary vulnerabilities often become primary attack vectors once attackers learn what defenders are focused on.

The Bigger Picture for Small Businesses

If you're running a Spark firewall — Check Point's SMB-focused product line — you're in the crosshairs of this campaign just as much as any large enterprise. Ransomware affiliates aren't picky about company size; they're picky about whether your VPN is patched.

This campaign also fits a disturbing pattern we've covered recently: the same threat actor infrastructure appears to be chaining together vulnerabilities across Palo Alto, Fortinet, F5, and now Check Point products. If your business relies on any VPN appliance, now is a good time to audit every device in your stack.

If you need help auditing your VPN configuration, identifying whether you're running an affected version, or working through the patch process, we're here. You can also explore our /business IT support services for ongoing help keeping your network security up to date.
