
Check Point Warns of Targeted Ransomware Attacks via Outdated VPN Protocol

In a nutshell: The critical vulnerability CVE-2026-50571 with CVSS 9.3 allows attackers to establish VPN sessions without valid passwords and has been actively exploited against organizations worldwide since May.

Check Point has released emergency hotfixes for two vulnerabilities in VPN deployments still using the outdated Internet Key Exchange Version 1 (IKEv1) protocol. One of the flaws is already being actively exploited in attacks, including operations by Qilin ransomware affiliates.

Check Point has identified two vulnerabilities in its VPN products affecting systems with the IKEv1 protocol enabled. The more critical vulnerability, designated CVE-2026-50571 (CVSS 9.3), allows unauthenticated attackers to establish a VPN connection without valid user passwords. The second vulnerability, CVE-2026-50752 (CVSS 7.4), could enable man-in-the-middle attacks on site-to-site VPN connections, but has not been exploited in practice to date.

Lotem Finkelstein, Vice President of Research at Check Point, confirms that CVE-2026-50571 has been exploited since at least May, with increasing activity in recent weeks. Exploitation to date has focused on a few dozen organizations worldwide. A documented case shows post-exploitation activities by a Qilin ransomware affiliate. The vulnerability results from a logic error in certificate validation during authentication in Remote Access and Mobile Access components. Affected products are Remote Access VPN, Mobile Access VPN, and certain Spark Firewall configurations with IKEv1.

The IKEv1 protocol has been considered outdated technology for years and is often retained only for compatibility reasons. Affected Check Point Quantum versions — R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, R82.10 — require immediate hotfixes. Check Point additionally recommends migration to IKEv2.

To mitigate damage, organizations should search their SmartConsole logs for suspicious VPN certificate authentication attempts, using the queries Check Point provides. As further measures, Check Point recommends disabling legacy remote access clients, configuring Global Properties for Remote Access VPN to IKEv2-only, and making machine certificate authentication mandatory.
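The log review described above can be sketched as a small triage script; this is an added example, not Check Point's published queries and not code from the source article. It assumes the VPN log has been exported as JSON lines; the field names (`time`, `user`, `src`, `ike`, `auth`, `action`) and the sample records are constructed and must be mapped to your own export, and the window start is an assumption based on the article's "since at least May".

```python
import json
from collections import defaultdict
from datetime import datetime

WINDOW_START = datetime(2026, 5, 1)  # assumption: exploitation "since at least May"

# Constructed sample records. Field names are hypothetical, not a product schema;
# map them to the columns of your own log export.
SAMPLE_LOG = """\
{"time": "2026-04-20T08:01:12", "user": "alice", "src": "198.51.100.10", "ike": "IKEv2", "auth": "certificate", "action": "login"}
{"time": "2026-05-14T02:13:40", "user": "alice", "src": "203.0.113.77", "ike": "IKEv1", "auth": "certificate", "action": "login"}
{"time": "2026-05-14T02:14:05", "user": "svc-backup", "src": "203.0.113.77", "ike": "IKEv1", "auth": "certificate", "action": "login"}
{"time": "2026-05-20T09:00:00", "user": "bob", "src": "198.51.100.22", "ike": "IKEv1", "auth": "password", "action": "login"}
{"time": "2026-06-01T23:50:31", "user": "carol", "src": "192.0.2.5", "ike": "IKEv1", "auth": "certificate", "action": "failed"}
"""

def triage(log_text, window_start=WINDOW_START):
    """Return IKEv1 certificate-auth attempts inside the window, with review reasons."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for r in records:
        r["time"] = datetime.fromisoformat(r["time"])
    # Baseline: (user, source) pairs that logged in successfully before the window.
    baseline = {(r["user"], r["src"]) for r in records
                if r["time"] < window_start and r["action"] == "login"}
    hits = [r for r in records if r["time"] >= window_start
            and r["ike"] == "IKEv1" and r["auth"] == "certificate"]
    users_per_src = defaultdict(set)
    for r in hits:
        users_per_src[r["src"]].add(r["user"])
    findings = []
    for r in sorted(hits, key=lambda rec: rec["time"]):
        reasons = []
        if (r["user"], r["src"]) not in baseline:
            reasons.append("source not seen for this user before window")
        if len(users_per_src[r["src"]]) > 1:
            reasons.append("source used for multiple accounts")
        if r["action"] == "login":
            reasons.append("session established")
        findings.append({"time": r["time"].isoformat(), "user": r["user"],
                         "src": r["src"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["user"], f["src"], "; ".join(f["reasons"]))
```

Records carrying all three reasons are the ones to review first; password-based logins and activity before the window are used only as baseline.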


Source: www.csoonline.com · Published June 9, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.6.5.
