Threat Analysis (severity: critical)

Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass

Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.

Tags: checkpoint, cisa-kev, vpn, authentication-bypass, ransomware

    Executive Summary

    CVE-2026-50751 is a Check Point Remote Access VPN and Mobile Access authentication bypass in deprecated IKEv1 certificate validation. An unauthenticated remote attacker can establish a VPN session without a valid user password when the affected configuration conditions are present [Sources 1 and 2].

    Check Point observed exploitation beginning May 7, 2026, affecting a few dozen targeted organizations globally as of June 8. One confirmed post-compromise case was associated with a Qilin ransomware affiliate, and Check Point assesses the broader actor as financially motivated with medium confidence [blog.checkpoint.com]. This is a narrower claim than attributing all observed exploitation to Qilin.

    CISA added the CVE to the Known Exploited Vulnerabilities catalog on June 8, 2026, with a federal remediation due date of June 11, 2026 [Sources 3 and 4]. Apply the exact hotfix listed in sk185033. If immediate patching is impossible, use the vendor’s Remote Access configuration mitigations and verify that legacy IKEv1 clients can no longer authenticate [support.checkpoint.com].

    Key Facts

    CVE: CVE-2026-50751

    Vendor: Check Point

    CVSS v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)

    CWE: CWE-287

    Disclosed Date: 2026-06-08

    Earliest Observed Exploitation: 2026-05-07

    KEV Added: 2026-06-08

    KEV Due Date: 2026-06-11

    Affected Configuration:

    • Remote Access VPN or Mobile Access is enabled
    • IKEv1 is enabled for remote access
    • The gateway accepts affected legacy Remote Access client behavior

    Affected Security Gateways:

    • R82.10 Jumbo Hotfix Take 19 or below
    • R82 Jumbo Hotfix Take 103 or below
    • R81.20 Jumbo Hotfix Take 141 or below
    • R81.10, R81, and R80.40 (end of support)

    Affected Spark Firewalls:

    • R82.00.X
    • R81.10.X
    • R80.20.X (end of support)

    Required Action: Install the sk185033 hotfix or apply the documented configuration mitigation; discontinue unsupported products when mitigation is unavailable.

    Evidence Assessment

    • confirmed: Check Point observed active exploitation against a few dozen organizations and sets the earliest forensic review date to May 7, 2026 [blog.checkpoint.com].
    • confirmed: The flaw permits a VPN session without a valid user password, but additional post-authentication activity is required to reach internal resources or escalate privileges [blog.checkpoint.com].
    • confirmed: Check Point associated one post-compromise case with a Qilin ransomware affiliate and assesses the financially motivated actor profile with medium confidence [blog.checkpoint.com].
    • confirmed: CISA added the CVE to KEV with a June 11 remediation deadline [Sources 3 and 4].
    • unclear: Public sources do not identify every victim, successful session, downstream payload, or malicious file related to this campaign.

    Impact Determination

    Classification: Confirmed compromise
    Criteria: A successful or anomalous Remote Access/Mobile Access session overlaps an actor IP, unauthorized certificate identity, impossible travel, new internal access, or post-VPN execution.
    Required evidence: Check Point VPN logs, identity records, DHCP/tunnel assignments, firewall flows, EDR, authentication logs, and the vendor IOC search.
    Handling decision: Terminate sessions, isolate affected paths, preserve logs, reset affected identities, and investigate all activity after tunnel establishment.

    Classification: Presumed exposed
    Criteria: An affected gateway accepted IKEv1 Remote Access during the May 7 onward review window and complete VPN logs are unavailable.
    Required evidence: Gateway version/take, enabled blades, IKE policy, legacy-client setting, and log-retention gap.
    Handling decision: Patch or mitigate immediately and conservatively review credentials and internal access reachable through VPN.

    Classification: Potentially exposed
    Criteria: Check Point gateways exist but version, hotfix take, or IKEv1 configuration is unknown.
    Required evidence: CMDB, show version all, installed hotfix output, SmartConsole policy, and Spark firmware inventory.
    Handling decision: Resolve inventory and configuration before closing exposure.

    Classification: Not exposed
    Criteria: The gateway is not in an affected branch, has the vendor hotfix, or did not permit the affected IKEv1 Remote Access configuration throughout the review window.
    Required evidence: Version/hotfix evidence plus exported configuration and policy-install records.
    Handling decision: Preserve the evidence and continue monitoring for the published infrastructure.

    Classification: Unknown
    Criteria: Required gateway, VPN, identity, network, or endpoint telemetry is unavailable.
    Required evidence: Named telemetry gap, owner, retention period, and recovery status.
    Handling decision: Keep the asset in scope and apply the hotfix or mitigation regardless of detection results.
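    The Key Facts and the Impact Determination rows above can be applied mechanically to an inventory export. The following script is an added example written for this page, not Check Point's or CISA's code: it encodes the affected branches and Jumbo Hotfix takes and the three configuration conditions, and maps each gateway record to one classification row. The GatewayInventory fields are an assumed shape for what a CMDB or configuration export provides, and the handling of a vulnerable gateway whose logs are complete and clean is an assumption noted in the code.

```python
"""Exposure triage for CVE-2026-50751 (added example, not Check Point's or CISA's code).

Encodes the affected branches/takes from Key Facts and the classification rules from the
Impact Determination table. GatewayInventory is an assumed record shape, not a Check Point API.
"""
from dataclasses import dataclass
from typing import Optional

# Security Gateway branches with the highest affected Jumbo Hotfix take (Key Facts).
AFFECTED_MAX_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
# End-of-support Security Gateway branches: affected, with no hotfix available.
GATEWAY_EOS = {"R81.10", "R81", "R80.40"}
# Spark firmware families listed as affected (R82.00.X, R81.10.X, R80.20.X end of support).
SPARK_AFFECTED = {"R82.00", "R81.10", "R80.20"}


@dataclass
class GatewayInventory:
    name: str
    version: Optional[str]                        # "R82", "R81.20", "R82.00.X"; None when unknown
    take: Optional[int] = None                    # Jumbo Hotfix take; None when unknown
    spark: bool = False                           # Spark appliance (firmware family, no take)
    hotfix_installed: Optional[bool] = None       # sk185033 hotfix present?
    remote_access_enabled: Optional[bool] = None
    ikev1_enabled: Optional[bool] = None
    legacy_client_allowed: Optional[bool] = None
    vpn_logs_complete: Optional[bool] = None      # VPN logs intact from 2026-05-07 onward?
    ioc_or_anomalous_session_hit: bool = False    # overlap with actor IPs / anomalous sessions


def branch_is_affected(inv: GatewayInventory) -> Optional[bool]:
    """True/False from version and take; None when the inventory cannot decide."""
    if inv.version is None:
        return None
    if inv.spark:
        family = ".".join(inv.version.split(".")[:2])   # "R82.00.X" -> "R82.00"
        return family in SPARK_AFFECTED
    if inv.version in GATEWAY_EOS:
        return True
    if inv.version in AFFECTED_MAX_TAKE:
        if inv.take is None:
            return None
        return inv.take <= AFFECTED_MAX_TAKE[inv.version]
    # Branch not named in the advisory summary: treated as not affected here,
    # but re-check sk185033 directly before closing the asset.
    return False


def config_is_affected(inv: GatewayInventory) -> Optional[bool]:
    """All three configuration conditions from Key Facts must hold; None if any is unknown."""
    flags = (inv.remote_access_enabled, inv.ikev1_enabled, inv.legacy_client_allowed)
    if any(f is None for f in flags):
        return None
    return all(flags)


def classify(inv: GatewayInventory) -> str:
    """Map an inventory record to a row of the Impact Determination table."""
    # Evidence of actor overlap outranks everything else, including a later hotfix.
    if inv.ioc_or_anomalous_session_hit:
        return "Confirmed compromise"
    if inv.hotfix_installed:
        return "Not exposed"
    branch, cfg = branch_is_affected(inv), config_is_affected(inv)
    if branch is False or cfg is False:
        return "Not exposed"
    if branch is None or cfg is None:
        return "Potentially exposed"
    # Affected branch in an affected configuration: the log-retention gap decides the row.
    if inv.vpn_logs_complete is None:
        return "Unknown"
    # The table keys this row on missing logs; a vulnerable gateway with complete, clean logs
    # gets the same immediate patch/mitigate handling here (assumption, not from the page).
    return "Presumed exposed"


if __name__ == "__main__":
    fleet = [
        GatewayInventory("gw-a", "R82", take=100, remote_access_enabled=True,
                         ikev1_enabled=True, legacy_client_allowed=True, vpn_logs_complete=False),
        GatewayInventory("gw-b", "R82.10", take=25),
        GatewayInventory("gw-c", None),
        GatewayInventory("gw-e", "R82.00.X", spark=True, remote_access_enabled=True,
                         ikev1_enabled=False, legacy_client_allowed=True),
    ]
    for gw in fleet:
        print(f"{gw.name}: {classify(gw)}")
```

    Because a hotfix installed after May 7 does not cover the review window, the session-hit flag is checked before the hotfix flag; an asset with a hit stays "Confirmed compromise" no matter its current patch level.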

    Timeline

    • 2026-05-07: Earliest exploitation observed by Check Point; begin retrospective review here [blog.checkpoint.com].
    • Early June 2026: Check Point observed exploitation attempts increase [blog.checkpoint.com].
    • 2026-06-04: Check Point launched its investigation after indications of suspicious activity [blog.checkpoint.com].
    • 2026-06-08: Check Point published the advisory and sk185033; CISA added CVE-2026-50751 to KEV [Sources 1-3].
    • 2026-06-09: Check Point added 45.63.104[.]106 and 45.61.136[.]173 to its IOC list [blog.checkpoint.com].
    • 2026-06-10: Check Point added 146.71.81[.]184 to its IOC list [blog.checkpoint.com].
    • 2026-06-11: CISA’s KEV remediation deadline for federal civilian agencies [Sources 3 and 4].

    Technical Analysis

    The flaw is a logic-flow weakness in certificate validation during deprecated IKEv1 key exchange. Under affected Remote Access VPN or Mobile Access configurations, the gateway can accept an unauthenticated peer and establish a VPN session without a valid password [Sources 1, 2, and 4].

    The bypass provides network access, not automatic control of internal systems. Hunt for what happened after each suspicious tunnel was established: assigned tunnel IP, destination hosts, identity use, administrative protocols, endpoint execution, credential access, and ransomware staging [blog.checkpoint.com].

    Indicators of Compromise

    The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

    Hashes

    • 52fda5c1b9704544f32ee98d9060e689
    • 51d39aa39478beeac94f2d12f682ecce

    IPs

    • 45[.]77[.]149[.]152
    • 209[.]182[.]225[.]136
    • 38[.]60[.]157[.]139
    • 162[.]33[.]177[.]101
    • 45[.]76[.]26[.]42
    • 144[.]208[.]127[.]155
    • 38[.]54[.]88[.]201
    • 38[.]54[.]107[.]167
    • 66[.]42[.]99[.]200
    • 45[.]63[.]104[.]106
    • 45[.]61[.]136[.]173
    • 146[.]71[.]81[.]184

    Detection and Hunting

    Hunt Manifest: checkpoint-cve-2026-50751-kev-hunt-1

    • Title: local repository and exported telemetry scope
    • Question: Does the telemetry scope contain patterns associated with Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass?
    • Telemetry Family: process
    • Telemetry Context: host filesystem or log export
    • Positive Signal: Indicators of compromise matched in telemetry: local repository and exported telemetry scope

    #!/usr/bin/env python3
    """Scope CVE-2026-50751 campaign indicators across a local repository and an exported
    telemetry directory.  Usage: OUT=<dir> LOG_ROOT=<log export> ./hunt.py [ROOT]"""
    import os
    import sys
    from pathlib import Path

    ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
    LOG_ROOT = os.environ.get("LOG_ROOT", "")
    OUT = Path(os.environ.get("OUT", "hp-checkpoint-cve-2026-50751-kev-scope"))
    OUT.mkdir(parents=True, exist_ok=True)   # output directory must exist before any write
    indicators_file = OUT / "indicators.txt"

    IPS = [
        "45.77.149.152", "209.182.225.136", "38.60.157.139", "162.33.177.101",
        "45.76.26.42", "144.208.127.155", "38.54.88.201", "38.54.107.167",
        "66.42.99.200", "45.63.104.106", "45.61.136.173", "146.71.81.184",
    ]
    HASHES = ["52fda5c1b9704544f32ee98d9060e689", "51d39aa39478beeac94f2d12f682ecce"]

    # Collect unique indicators
    indicators = set()
    for group in [IPS, HASHES]:
        for val in group:
            if val:
                indicators.add(val)

    with open(indicators_file, "w") as f:
        for ind in sorted(indicators):
            f.write(ind + "\n")

    print(f"[+] Written unique selectors to {indicators_file}")


    def scan_tree(top, exclude_dirs=frozenset()):
        """Return '<path>: found <indicator>' for every readable file under top that contains an indicator."""
        found = []
        for root, dirs, filenames in os.walk(top):
            dirs[:] = [d for d in dirs if d not in exclude_dirs]
            for filename in filenames:
                filepath = Path(root) / filename
                try:
                    content = filepath.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable or special file: skip it
                for ind in indicators:
                    if ind in content:
                        found.append(f"{filepath}: found '{ind}'")
        return found


    # Walk local directory; skip dependency/build trees and the OUT directory itself,
    # since indicators.txt would otherwise match every selector
    print(f"[+] Scanning directory: {ROOT} for selectors...")
    matches = scan_tree(ROOT, {"node_modules", "vendor", "dist", ".git", OUT.name})
    if matches:
        (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} matches in codebase!")

    # Optional log scanning
    if LOG_ROOT and os.path.exists(LOG_ROOT):
        print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
        log_matches = scan_tree(LOG_ROOT)
        if log_matches:
            (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
            print(f"[!] Found {len(log_matches)} matches in logs!")

    print(f"[+] Wrote scope artifacts under {OUT}")
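    The scope script above only greps for literal indicators. The Technical Analysis section asks for more: which Remote Access sessions overlapped an actor IP, which had the vulnerable shape (IKEv1, certificate-validated, no password factor, on or after May 7), and what tunnel IP and identity each received so the post-tunnel activity can be chased through firewall flows, EDR and authentication logs. The following hunt is an added example written for this page, not Check Point's code. The CSV record layout and the sample rows are constructed for the example and are not Check Point's log schema; map your export's fields onto time, src_ip, user, ike_version, auth and tunnel_ip before running it.

```python
"""Anomalous-session hunt for CVE-2026-50751 over an exported VPN session table.

Added example, not Check Point's code. The CSV layout below is constructed for the example
and is not Check Point's log schema.
"""
import csv
import io
from datetime import datetime

# Campaign IOCs as published on the page (defanged), refanged for matching.
ACTOR_IPS_DEFANGED = [
    "45[.]77[.]149[.]152", "209[.]182[.]225[.]136", "38[.]60[.]157[.]139",
    "162[.]33[.]177[.]101", "45[.]76[.]26[.]42", "144[.]208[.]127[.]155",
    "38[.]54[.]88[.]201", "38[.]54[.]107[.]167", "66[.]42[.]99[.]200",
    "45[.]63[.]104[.]106", "45[.]61[.]136[.]173", "146[.]71[.]81[.]184",
]
ACTOR_IPS = {ip.replace("[.]", ".") for ip in ACTOR_IPS_DEFANGED}
REVIEW_START = datetime(2026, 5, 7)   # earliest exploitation observed by Check Point

# Constructed sample export (not real telemetry); src addresses are documentation ranges.
SAMPLE_EXPORT = """time,src_ip,user,ike_version,auth,tunnel_ip
2026-05-02T08:00:00,203.0.113.10,alice,IKEv2,cert+password,10.8.0.5
2026-05-09T03:14:00,45.77.149.152,svc-backup,IKEv1,cert,10.8.0.17
2026-05-12T22:41:00,198.51.100.7,bob,IKEv1,cert,10.8.0.21
2026-06-03T11:05:00,146.71.81.184,alice,IKEv2,cert+password,10.8.0.5
2026-06-09T19:20:00,192.0.2.44,carol,IKEv2,cert+password,10.8.0.9
"""


def hunt(export_text: str) -> list:
    """One finding per session that overlaps an actor IP or matches the vulnerable
    session shape (IKEv1, no password factor, inside the review window).

    The second rule is a heuristic that surfaces candidates for analyst review;
    legitimate certificate-only IKEv1 clients will appear too and must be dispositioned."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.fromisoformat(row["time"])
        reasons = []
        if row["src_ip"] in ACTOR_IPS:
            reasons.append("source IP is a published campaign IOC")
        if ts >= REVIEW_START and row["ike_version"] == "IKEv1" and "password" not in row["auth"]:
            reasons.append("IKEv1 session without a password factor inside the review window")
        if reasons:
            findings.append({
                "time": row["time"], "src_ip": row["src_ip"], "user": row["user"],
                "tunnel_ip": row["tunnel_ip"], "reasons": reasons,
            })
    return findings


def pivot_targets(findings: list) -> dict:
    """Tunnel IPs and identities to carry into firewall-flow, EDR and auth-log review,
    i.e. the post-tunnel activity the advisory says decides actual impact."""
    return {
        "tunnel_ips": sorted({f["tunnel_ip"] for f in findings}),
        "identities": sorted({f["user"] for f in findings}),
    }


if __name__ == "__main__":
    hits = hunt(SAMPLE_EXPORT)
    for h in hits:
        print(f"{h['time']} {h['src_ip']} user={h['user']} tunnel={h['tunnel_ip']}: "
              + "; ".join(h["reasons"]))
    print(pivot_targets(hits))
```

    On the constructed rows, the session from 45.77.149.152 trips both rules, bob's certificate-only IKEv1 session is a candidate for review, and alice's June session is flagged purely on the IOC overlap, which is exactly the kind of hit that needs the tunnel IP and identity pivot before it can be closed.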

    Remediation and Closure

    1. Install the exact security update listed for the appliance and branch in sk185033.
    2. If patching is delayed, apply the vendor’s documented Remote Access mitigation, such as disabling affected legacy-client support or enforcing IKEv2-only behavior where operationally supported.
    3. Terminate active sessions and reinstall policy after configuration changes.
    4. Review logs from May 7, 2026 onward for the published IPs and unauthorized VPN identities.
    5. For successful suspicious sessions, investigate internal access and rotate credentials used from or reachable through the session.
    6. Migrate end-of-support R80.20.X, R80.40, R81, and R81.10 deployments to supported releases.

    Closure requires hotfix/configuration evidence, a successful negative validation that affected IKEv1 behavior is blocked, disposition of every IOC or anomalous-session hit, and review of downstream activity for any unauthorized tunnel.

    Sources

    1. Check Point Research: Active Exploitation of Check Point VPN Authentication Bypass - Role: PRIMARY_RESEARCH - Impact: Exploitation scope, earliest date, actor assessment, campaign IOCs, technical impact, and updates through June 10.
    2. Check Point Support: sk185033 - Role: DIRECT_SOURCE - Impact: Affected configurations, product branches, hotfix packages, and alternative mitigations.
    3. CISA: CVE-2026-50751 KEV entry - Role: GOVERNMENT_SOURCE - Impact: Active-exploitation status, required action, and June 11 deadline.
    4. NIST NVD: CVE-2026-50751 - Role: ENRICHMENT_DATA - Impact: Vendor description, CVSS vector, CWE, affected CPEs, and KEV metadata.

    IOC Clipboard (14 IOCs)

    Type  Value  Defanged
    ip  45.77.149.152  45[.]77[.]149[.]152
    ip  209.182.225.136  209[.]182[.]225[.]136
    ip  38.60.157.139  38[.]60[.]157[.]139
    ip  162.33.177.101  162[.]33[.]177[.]101
    ip  45.76.26.42  45[.]76[.]26[.]42
    ip  144.208.127.155  144[.]208[.]127[.]155
    ip  38.54.88.201  38[.]54[.]88[.]201
    ip  38.54.107.167  38[.]54[.]107[.]167
    ip  66.42.99.200  66[.]42[.]99[.]200
    ip  45.63.104.106  45[.]63[.]104[.]106
    ip  45.61.136.173  45[.]61[.]136[.]173
    ip  146.71.81.184  146[.]71[.]81[.]184
    hash  52fda5c1b9704544f32ee98d9060e689  52fda5c1b9704544f32ee98d9060e689
    hash  51d39aa39478beeac94f2d12f682ecce  51d39aa39478beeac94f2d12f682ecce