On June 11, 2026 Check Point Research issued a critical security advisory after confirming that the deprecated IKEv1 key exchange protocol in its Remote Access VPN and Mobile Access products is being actively exploited by threat actors. The vulnerability – CVE-2026-50751 – allows an attacker to bypass user authentication through a logic flaw in certificate validation, enabling the attacker to establish a VPN session without a valid password and gain initial network access.
The advisory also highlights a secondary weakness discovered during the investigation. CVE-2026-50752 affects the same IKEv1 certificate validation path and may enable a man‑in‑the‑middle attack on site‑to‑site VPNs under specific conditions, although no in‑the‑wild exploitation has been observed for this second vulnerability.
- Primary CVE: CVE-2026-50751 – Authentication Bypass (CVSS 9.3)
- Secondary CVE: CVE-2026-50752 – MitM on Site‑to‑Site VPN (CVSS 7.4)
Check Point’s investigation was complemented by the BLAST agentic AI Code Security Platform, which scanned the affected code base for additional weaknesses and confirmed the presence of CVE-2026-50752 before it could be weaponized.
Attack timeline:
- May 7, 2026 – Earliest observed exploitation date for CVE‑2026‑50751
- June 4, 2026 – Initial investigation after suspicious activity was detected
- Early June 2026 – Noticeable increase in successful authentication bypass attempts
- June 11, 2026 – Public release of the security advisory and hotfixes
Actor profile:
- Motivation: Financially driven, likely seeking ransomware payment
- TTPs: Use of Qilin ransomware binaries for post‑exploitation activities
- Communication: Possible use of the Tox protocol for command and control
- Infrastructure: Dedicated VPS environments hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings
- Geographic targeting: Correlation between victim location (e.g., Taiwan) and attacker infrastructure geolocation
- Indicators: Attempts to download malicious ELF files from actor‑controlled servers following initial access
Indicators of Compromise (IOCs):
- File hashes:
- 52fda5c1b9704544f32ee98d9060e689
- 51d39aa39478beeac94f2d12f682ecce
Mitigation recommendations:
- Immediately apply the hotfixes for CVE‑2026‑50751 and CVE‑2026‑50752 to all affected Security Gateways, Remote Access VPNs, Mobile Access devices, and Spark Firewalls.
- If upgrading is not immediately possible, reconfigure remote‑access deployments to use IKEv2 or a stronger key exchange protocol; disable IKEv1 entirely.
- Review and harden certificate validation logic on all VPN endpoints; ensure that certificates are checked against trusted authorities only.
- Conduct forensic log audits starting from May 7, 2026 to detect any prior successful bypass attempts.
- Implement network segmentation so that a compromised remote‑access account cannot reach critical internal assets without passing additional privilege or access checks.
- Deploy intrusion detection systems with signatures for known Qilin ransomware activity and the listed IOCs.
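The log audit recommended above, as an added example that is not part of the advisory: it walks a constructed session log in a hypothetical key=value format (a real gateway's schema will differ) and flags every accepted IKEv1 session on or after the May 7, 2026 exploitation start, plus any source on a watch-list, which here is a constructed placeholder rather than the advisory's indicators.

```python
import re
from datetime import datetime, timezone

# Earliest observed exploitation of CVE-2026-50751 (date taken from the advisory).
EXPLOIT_START = datetime(2026, 5, 7, tzinfo=timezone.utc)
# Hypothetical key=value session-log format; a real gateway's log schema differs.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample log using documentation-range IPs, not the advisory's indicators.
SAMPLE_LOG = """\
time=2026-04-20T08:15:02Z action=accept ike_version=1 auth=certificate src=203.0.113.7 user=alice
time=2026-05-09T03:12:44Z action=accept ike_version=1 auth=certificate src=198.51.100.23 user=svc-backup
time=2026-05-09T03:14:01Z action=reject ike_version=1 auth=certificate src=198.51.100.23 user=admin
time=2026-06-02T22:40:13Z action=accept ike_version=2 auth=certificate src=203.0.113.7 user=alice
time=2026-06-03T01:05:50Z action=accept ike_version=1 auth=certificate src=192.0.2.88 user=admin
"""
# Constructed placeholder watch-list; load the advisory's IOC list here in practice.
CONSTRUCTED_IOC_IPS = frozenset({"192.0.2.88"})

def parse_line(line):
    """Split one log line into a dict and normalise its timestamp to aware UTC."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["time"] = datetime.fromisoformat(fields["time"].replace("Z", "+00:00"))
    return fields

def audit(lines, ioc_ips=frozenset()):
    """Return (time, src, user, reasons) for each accepted session that needs review."""
    # A bypassed logon is recorded as an ordinary accept, so every IKEv1 accept on or
    # after EXPLOIT_START is a finding to review; an IOC source is flagged regardless.
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") != "accept":
            continue  # rejected attempts are context, not a successful bypass
        reasons = []
        if f.get("ike_version") == "1" and f["time"] >= EXPLOIT_START:
            reasons.append("ikev1-session-after-exploit-start")
        if f.get("src") in ioc_ips:
            reasons.append("src-matches-ioc")
        if reasons:
            findings.append((f["time"].isoformat(), f["src"], f.get("user"), reasons))
    return findings

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG.splitlines(), CONSTRUCTED_IOC_IPS):
        print(*hit)
```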
For detailed instructions, reference the Check Point advisory pages:
- https://support.checkpoint.com/results/sk/sk185033 – CVE‑2026‑50751 hotfix
- https://support.checkpoint.com/results/sk/sk185035 – CVE‑2026‑50752 guidance
This advisory is classified as a high‑severity incident (CVSS 9.3) and carries a confidence level of 100 %. All affected customers are urged to act without delay, as active exploitation is already documented in the wild.