Check Point ties VPN zero-day exploits to Qilin ransomware group

▼ Summary
– Check Point released security updates for a critical authentication bypass vulnerability (CVE-2026-50751) affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks.
– The flaw allows unauthenticated, remote attackers to bypass authentication and establish a remote access VPN connection, but only affects deployments using the deprecated IKEv1 key exchange protocol.
– Active exploitation began on May 7 and surged in early June, impacting a few dozen organizations globally, with at least one incident linked to the Qilin ransomware operation.
– Check Point also discovered a second vulnerability (CVE-2026-50752) in the deprecated IKEv1 protocol that enables man-in-the-middle attacks on site-to-site VPN connections, though no active exploitation has been observed.
– Qilin, the ransomware group behind some attacks, has operated as a RaaS since August 2022 and claimed nearly 400 victims, including high-profile organizations like Nissan and Asahi.
Israeli cybersecurity firm Check Point has rolled out security patches addressing a critical vulnerability in its Remote Access VPN and Mobile Access products, which attackers have already exploited in zero-day attacks.
Designated as CVE-2026-50751, this flaw enables unauthenticated, remote attackers to bypass authentication on targeted Mobile Access or SSL VPNs, Remote Access VPNs, or Spark firewalls, allowing them to establish a remote access VPN connection. The vulnerability specifically impacts deployments that still use the deprecated IKEv1 key exchange protocol, along with security gateways that accept legacy Remote Access clients and do not require a machine certificate for connections.
The exploitation campaign began on May 7, escalated sharply in early June, and has so far affected only “a few dozen” organizations worldwide. At least one confirmed incident has been linked to the Qilin ransomware operation.
“Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol,” the company stated. “To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate. Customers using the IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately.”
For those unable to patch immediately, Check Point has provided the following mitigation measures:
– Remove support for the legacy remote access client.
– Configure the global properties for Remote Access VPN Authentication to use only IKEv2.
– Make Machine Certificate Authentication mandatory.
– Enable IPS and download the latest signatures.
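The exposure conditions and interim mitigations above lend themselves to a quick fleet audit. The script below is an added example, not Check Point code or output: it parses a constructed key=value gateway export (an assumed format, not Check Point's own configuration syntax or API), flags each gateway that still matches the exposed combination (IKEv1 accepted, legacy client allowed, machine certificate not required), and lists which of the four mitigations is still missing. The `signature_cutoff` date is likewise a constructed placeholder.

```python
"""Audit Remote Access VPN gateway settings against the four interim mitigations.

Added example. The export format is a constructed key=value form, one block per
gateway separated by a blank line; it is NOT Check Point's configuration syntax.
"""

# Constructed sample export for two hypothetical gateways (not real data).
SAMPLE_EXPORT = """\
gateway=gw-branch-01
remote_access.legacy_client_support=true
remote_access.ike_versions=ikev1,ikev2
remote_access.machine_certificate=optional
ips.enabled=false
ips.signature_date=2026-04-30

gateway=gw-hq-01
remote_access.legacy_client_support=false
remote_access.ike_versions=ikev2
remote_access.machine_certificate=required
ips.enabled=true
ips.signature_date=2026-06-10
"""


def parse_export(text):
    """Split a blank-line separated key=value export into one dict per gateway."""
    gateways, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                gateways.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        gateways.append(current)
    return gateways


def _ike_versions(cfg):
    """Set of IKE versions the gateway accepts; defaults to IKEv1 if unset (worst case)."""
    return {v.strip().lower() for v in cfg.get("remote_access.ike_versions", "ikev1").split(",")}


def is_exposed(cfg):
    """True when the gateway matches the vulnerable combination described in the advisory:
    IKEv1 accepted, legacy remote access clients allowed, machine certificate not required."""
    legacy = cfg.get("remote_access.legacy_client_support", "true").lower() == "true"
    cert_required = cfg.get("remote_access.machine_certificate", "optional").lower() == "required"
    return "ikev1" in _ike_versions(cfg) and legacy and not cert_required


def audit_gateway(cfg, signature_cutoff="2026-06-01"):
    """Return the list of mitigation gaps for one gateway; an empty list means all four are in place.
    signature_cutoff is a constructed placeholder for 'latest signatures'."""
    findings = []
    if cfg.get("remote_access.legacy_client_support", "true").lower() == "true":
        findings.append("legacy remote access client support still enabled")
    if "ikev1" in _ike_versions(cfg):
        findings.append("IKEv1 still accepted for Remote Access VPN authentication")
    if cfg.get("remote_access.machine_certificate", "optional").lower() != "required":
        findings.append("machine certificate authentication not mandatory")
    if cfg.get("ips.enabled", "false").lower() != "true":
        findings.append("IPS disabled")
    elif cfg.get("ips.signature_date", "") < signature_cutoff:  # ISO dates compare lexically
        findings.append("IPS signatures older than " + signature_cutoff)
    return findings


def audit_export(text):
    """Map gateway name -> list of mitigation gaps for every gateway in the export."""
    return {g.get("gateway", "<unnamed>"): audit_gateway(g) for g in parse_export(text)}


if __name__ == "__main__":
    for gw in parse_export(SAMPLE_EXPORT):
        name = gw.get("gateway", "<unnamed>")
        print(f"{name}: {'EXPOSED' if is_exposed(gw) else 'not exposed'}")
        for gap in audit_gateway(gw):
            print(f"  - {gap}")
```

Run against the constructed export, gw-branch-01 is reported as exposed with all four gaps open, while gw-hq-01 is clean; point `parse_export` at a real inventory dump (after adapting the key names) to get the same per-gateway view.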
While investigating CVE-2026-50751, researchers also uncovered a second vulnerability, tracked as CVE-2026-50752. This flaw affects certificate validation in the deprecated IKEv1 key exchange and could be exploited in man-in-the-middle attacks on site-to-site VPN connections. Although no evidence of exploitation in the wild has been found yet, Check Point advises customers to apply updates to reduce potential risk.
Qilin first emerged in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the name “Agenda.” Since then, it has claimed responsibility for nearly 400 victims listed on its dark web leak site. The group’s high-profile targets include automotive giant Yanfeng, Nissan, Japanese beer company Asahi, publishing conglomerate Lee Enterprises, pathology services provider Synnovis, and Australia’s Court Services Victoria.
(Source: BleepingComputer)