Check Point has warned that a critical authentication-bypass flaw in its VPN and firewall products has been exploited in the wild as a zero-day. Tracked as CVE-2026-50751 (CVSS 9.3), the bug is a logic weakness in how Remote Access and Mobile Access certificates are validated within the deprecated IKEv1 key exchange, letting a remote attacker establish a VPN session without a valid password.

According to the company, exploitation began on May 7 and picked up in early June, so far affecting a few dozen targeted organizations worldwide. Check Point confirmed at least one intrusion was carried out by a Qilin ransomware affiliate, assessing with medium confidence that the actor is financially motivated and likely also abusing VPN flaws previously disclosed by Palo Alto Networks, Fortinet, and F5.

While investigating, Check Point uncovered a second issue in the same IKEv1 certificate-validation logic, CVE-2026-50752, which could enable man-in-the-middle attacks against site-to-site VPN connections but has not been seen exploited. The vendor has shipped hotfixes for both CVEs along with indicators of compromise and mitigation guidance.

CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog and directed federal agencies to patch by June 11. Given the active ransomware angle and the appliance's exposure, organizations running affected gateways should apply the hotfix immediately and hunt for signs of unauthorized VPN sessions.