In a nutshell: Unauthenticated attackers can gain VPN access without a password through a certificate verification flaw in IKEv1 configuration, and the flaw is being exploited by ransomware groups.
A logic flaw in Check Point VPN systems (CVE-2026-50751, CVSS 9.3) allows attackers to bypass authentication and connect to internal corporate networks without a valid password. The vulnerability is already being actively exploited for ransomware campaigns.
The critical vulnerability CVE-2026-50751 affects Check Point Remote Access and Mobile Access VPN solutions in versions R80.40 through R82.10, as well as Spark firewalls. The flaw lies in a logic defect in certificate verification that only occurs when the IKEv1 key exchange protocol is enabled. An unauthenticated attacker from the internet can bypass password prompts and establish a connection to the internal network.
Check Point detected initial suspicious activity on June 4, 2026; retrospective analysis dates attacks to May 7, 2026. Since early June, attack attempts have intensified significantly. To date, attacks on several dozen organizations worldwide have been documented. In at least one case, a partner network of the Qilin ransomware group was involved following initial compromise. Attackers use geographically targeted VPS infrastructure and, after successfully establishing a VPN connection, download malicious ELF files to escalate privileges within the internal network. They also use the encrypted Tox protocol for communication. According to Check Point Research, there is no indication that the vulnerability was made available to other threat actors on a larger scale.
For a successful attack, several conditions must be met: VPN Remote Access or Mobile Access must be enabled, IKEv1 must be configured for remote access, gateways must accept older Remote Access clients, and machine-specific certificate verification must not be required for connections.
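The version range and the four preconditions above can be turned into an exposure triage over a gateway inventory. The following is an added example, not Check Point tooling: the record field names and the sample inventory are hypothetical, hotfix status is not modeled, and a missing value is treated as unknown rather than safe.

```python
import re

# Affected range stated above: R80.40 through R82.10, inclusive.
LOW, HIGH = (80, 40), (82, 10)
# Hypothetical inventory field names, one per precondition listed above.
PRECONDITIONS = ("remote_or_mobile_access_enabled", "ikev1_for_remote_access",
                 "accepts_legacy_clients", "machine_cert_not_required")

def parse_version(text):
    """'R81.20' -> (81, 20); 'R82' -> (82, 0); unparseable -> None."""
    m = re.fullmatch(r"R(\d+)(?:\.(\d+))?", (text or "").strip(), re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def triage(gw):
    """Return (status, preconditions that are met or unknown)."""
    spark = gw.get("product") == "spark"
    version = parse_version(gw.get("version"))
    # No version range is given for Spark, so Spark is always in scope;
    # an unreadable version is kept in scope rather than assumed safe.
    if not spark and version is not None and not (LOW <= version <= HIGH):
        return "outside affected range", []
    # Only an explicit False clears a precondition; a missing value does not.
    still_open = [c for c in PRECONDITIONS if gw.get(c) is not False]
    if len(still_open) < len(PRECONDITIONS):
        return "preconditions not all met", still_open
    unknown = (not spark and version is None) or any(
        gw.get(c) is None for c in PRECONDITIONS)
    return ("verify manually" if unknown else "exposed"), still_open

def record(name, product, version, *flags):
    """Build one constructed inventory record."""
    return dict(zip(PRECONDITIONS, flags), name=name, product=product, version=version)

# Constructed sample inventory, not real gateways.
INVENTORY = [
    record("gw-a", "gateway", "R81.20", True, True, True, True),
    record("gw-b", "gateway", "R81.20", True, False, True, True),
    record("gw-c", "gateway", "R80.30", True, True, True, True),
    record("gw-d", "spark", None, True, True, None, True),
]

if __name__ == "__main__":
    for gw in INVENTORY:
        status, conditions = triage(gw)
        print(f"{gw['name']}: {status}; open: {', '.join(conditions) or '-'}")
```

For a gateway reported as "preconditions not all met", the returned list shows which conditions still hold, so a later configuration change that re-enables the cleared one is easy to spot.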
Additionally, during review of affected VPN components, Check Point discovered a second vulnerability, CVE-2026-50752 (CVSS 7.4), which could theoretically enable man-in-the-middle attacks on site-to-site connections. To date, there are no documented cases of this vulnerability being exploited in practice.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-50751 to its catalog of known exploited vulnerabilities (KEV) on June 8, 2026. U.S. federal civilian agencies are legally required to deploy security updates and hotfixes by June 11, 2026. The advisory suggests that the same attacker infrastructure could potentially be used for attacks on VPN systems from Palo Alto Networks, Fortinet, and F5.
Source: www.it-daily.net · Published June 9, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.