Check Point is warning customers that a critical authentication-bypass weakness in its VPN and firewall gateways has been abused in the wild as a zero-day. Tracked as CVE-2026-50751 (CVSS 9.3, CWE-287), the flaw lets a remote attacker complete a VPN handshake and be authenticated as a legitimate Remote Access user — no password, certificate, or private key required. The vendor has confirmed at least one intrusion tied to a Qilin ransomware affiliate and has shipped hotfixes, indicators of compromise, and mitigation guidance.

What the flaw is

CVE-2026-50751 is a logic error in the way Check Point's Remote Access and Mobile Access components validate certificates during the deprecated IKEv1 key-exchange process. Because the certificate-validation routine can be tricked, a remote, unauthenticated attacker can finish the IKEv1 phase-1 negotiation and have the gateway treat them as a provisioned VPN user — effectively bypassing authentication entirely.

While digging into the root cause, Check Point found a second defect rooted in the same IKEv1 certificate-validation code: CVE-2026-50752. That bug could allow man-in-the-middle attacks against site-to-site VPN tunnels, but the company says it has not observed it being exploited. Hotfixes for both issues are now available.

Reference material for the primary CVE:

Exploitation timeline and the Qilin connection

According to Check Point, exploitation activity started on May 7 and ramped up in early June, hitting a few dozen targeted organizations around the world so far. The company verified that one of those break-ins was the work of a Qilin ransomware affiliate. It assesses with medium confidence that the operator is financially motivated and is probably also leveraging previously disclosed VPN vulnerabilities from Palo Alto Networks, Fortinet, and F5 as part of its toolkit.

Given the appliance's typical internet exposure and the active ransomware angle, internet-facing gateways running affected versions should be treated as a high-priority target.

Proof of concept

Researchers at watchTowr published a Detection Artefact Generator that confirms and demonstrates the bypass. The tool drives the deprecated IKEv1 phase-1 exchange and authenticates as a provisioned Remote Access user using a forged, self-signed certificate with an invalid signature — without a valid certificate, private key, or password. It operates over IKE on UDP 500/4500.

The script needs Python 3 and the cryptography package:


pip install cryptography

Running it against a target gateway looks like this:


python3 watchTowr-vs-Check-Point-CVE-2026-50751.py -rh vpn.example.com -u watchtowr

A successful run reports the bypass and leaks the gateway's internal IP:


[#] CVE-2026-50751 Check Point IKEv1 Remote-Access certificate-auth bypass
[+] Self-signed cert (untrusted); signature will be invalid (no private key)
[#] Connecting via udp ...
[#] Authenticating as 'watchtowr' with the forged certificate + invalid signature...
[#] Decrypting...
[+] Gateway Internal IP: 172.31.255.128
[+] [BYPASSED] Gateway authenticated us as 'watchtowr'. CVE-2026-50751 certificate-authentication bypass confirmed.

The [BYPASSED] line — the gateway authenticating the supplied username despite an invalid signature — is the signal that a host is vulnerable. (The 172.31.255.128 address above is the gateway's internal IP surfaced in the demo run, not a published indicator of compromise.)

Detection and mitigation

  • Apply the hotfixes. Check Point has released fixes for both CVE-2026-50751 and CVE-2026-50752; deploy them to affected gateways immediately.
  • Patch deadline. CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to remediate by June 11.
  • Hunt for abuse. Review VPN authentication logs for unauthorized or unexpected Remote Access sessions, and apply the indicators of compromise and mitigation guidance published by Check Point.
  • Use the artefact generator above to safely confirm whether a given gateway still accepts the forged IKEv1 certificate after patching.

Because IKEv1 is deprecated and the attack rides the legacy key-exchange path, organizations that can disable or restrict IKEv1 in favor of newer key exchange should evaluate doing so as a defense-in-depth measure alongside the official hotfix.