Check Point said attackers are actively exploiting a critical flaw in Remote Access VPN and Mobile Access deployments that use the deprecated IKEv1 key exchange protocol, with observed activity dating back to May 7 and targeting a few dozen organizations worldwide. The issue, tracked as CVE-2026-50751 and rated 9.3, can let an unauthenticated attacker bypass user authentication and open a VPN session without a valid password.
KEY FACTS
- Vulnerability: CVE-2026-50751 is a logic flow weakness in certificate validation.
- Impact: Attackers can bypass authentication and establish a VPN connection without a valid password.
- Exposure: The flaw affects certain Security Gateway and Spark Firewall versions with IKEv1 enabled.
- Observed activity: Suspicious activity was first seen on June 4, with exploitation dating to May 7.
- Related issue: A second flaw, CVE-2026-50752, may allow an adversary-in-the-middle attack on site-to-site VPN links.
According to a vendor security advisory, the problem affects Security Gateways on R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, and older end-of-support releases. It also affects Spark Firewalls running R80.20.X, R81.10.X and R82.00.X.
Successful attacks require VPN Remote Access or Mobile Access to be enabled, IKEv1 to be turned on for remote access, legacy clients to be accepted and a machine certificate not to be required. Check Point said the activity has been limited to a small number of targeted organizations and that one post-exploitation case was linked to a Qilin ransomware affiliate.
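
The version list and the four preconditions above can be turned into an inventory triage check. The following Python is an added example, not code from Check Point or its advisory; the record layout, field names and sample gateways are constructed assumptions, so map them to whatever your own configuration export provides.

```python
# Added illustration: field names and inventory records are constructed,
# not Check Point's configuration schema or API.
MAX_AFFECTED_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}  # Jumbo Hotfix Take limits quoted above
SPARK_TRAINS = ("R80.20.", "R81.10.", "R82.00.")               # Spark Firewall release trains quoted above

def version_in_scope(gw):
    """True/False when the listed versions decide it, None when a person must check."""
    if gw["product"] == "spark":
        return gw["version"].startswith(SPARK_TRAINS)
    if gw.get("end_of_support"):
        return True  # older end-of-support releases are listed as affected
    limit = MAX_AFFECTED_TAKE.get(gw["version"])
    if limit is None or gw.get("take") is None:
        return None  # unlisted release or unknown hotfix take
    return gw["take"] <= limit

def config_exposed(cfg):
    """All four preconditions from the article must hold at the same time."""
    return bool((cfg["remote_access_vpn"] or cfg["mobile_access"])
                and cfg["ikev1_remote_access"]
                and cfg["accept_legacy_clients"]
                and not cfg["require_machine_cert"])

def triage(gw):
    if not config_exposed(gw["config"]):
        return "preconditions-not-met"
    verdicts = {True: "exposed", False: "version-not-listed", None: "manual-review"}
    return verdicts[version_in_scope(gw)]

def cfg(ra, ma, ikev1, legacy, machine_cert):
    return {"remote_access_vpn": ra, "mobile_access": ma, "ikev1_remote_access": ikev1,
            "accept_legacy_clients": legacy, "require_machine_cert": machine_cert}

# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    {"name": "gw-a", "product": "gateway", "version": "R81.20", "take": 141, "config": cfg(True, False, True, True, False)},
    {"name": "gw-b", "product": "gateway", "version": "R82", "take": 110, "config": cfg(True, False, True, True, False)},
    {"name": "gw-c", "product": "gateway", "version": "R82.10", "take": 10, "config": cfg(True, True, True, True, True)},
    {"name": "spark-d", "product": "spark", "version": "R81.10.15", "config": cfg(False, True, True, True, False)},
    {"name": "gw-e", "product": "gateway", "version": "R81.20", "take": None, "config": cfg(True, False, True, True, False)},
]

def triage_all(inventory):
    return {gw["name"]: triage(gw) for gw in inventory}

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

A "preconditions-not-met" result only reflects the configuration as exported; a gateway on an affected version becomes exposed again if any of the four settings is later changed.
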
The company said attackers used VPS infrastructure geolocated to specific countries and tried to download malicious ELF files after gaining access. It also said the infrastructure may be tied to other VPN-related vulnerabilities and may use the Tox protocol for communication.
The report said there is no evidence that CVE-2026-50752 has been exploited in the wild. Check Point said the campaign appeared opportunistic and focused on vulnerable organizations rather than a single known target.
WHY IT MATTERS
The disclosure highlights how older VPN configurations can create a direct path into corporate networks even when passwords are not known. It also shows that attackers continue to scan for exposed appliances and move quickly after finding systems that still rely on legacy protocols.

