Check Point disclosed CVE-2026-50751 on 8 June 2026 and CISA simultaneously added it to the Known Exploited Vulnerabilities catalogue with a three-day remediation deadline, one of the shortest BOD 22-01 windows ever issued, reflecting the severity and confirmed active exploitation in ransomware campaigns. The vulnerability is a CVSS 9.3 authentication bypass in the IKEv1 key exchange handling within Check Point Security Gateway, allowing an unauthenticated remote attacker to completely bypass remote access VPN authentication.
Organisations running Check Point Security Gateways with IKEv1 remote access VPN enabled should treat this as an emergency. The hotfix is available immediately from the Check Point support portal; no patch window justification will satisfy a CISA KEV with known ransomware use.
Vulnerability Details
CVE-2026-50751 exists in the IKEv1 (Internet Key Exchange version 1) protocol handling code within Check Point Security Gateway. IKEv1 is a legacy VPN key exchange protocol that Check Point supports for backward compatibility with older VPN clients; many organisations have IKEv1 enabled by default without actively using it.
The flaw is in the key exchange authentication verification logic. An attacker who sends a malformed IKEv1 Phase 1 authentication packet can trigger a code path in which the gateway accepts the connection as authenticated without validating the user's credentials against the identity provider. The resulting session has the access rights associated with the authentication profile the connection matched; in default VPN configurations, this typically grants access to the internal network segments accessible to remote VPN users.
Technical details:
- CVSS 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N): Network attack vector, low complexity, no privileges required, no user interaction, changed scope
- Affected versions: Security Gateway R81.10 and R81.20, Spark (SMB) Firewalls running IKEv1 VPN
- Not affected: CloudGuard Network (cloud-only), Quantum Spark with IKEv1 disabled, installations where IKEv1 has been explicitly disabled
Exploitation in the Wild
CISA's KEV entry marks CVE-2026-50751 with knownRansomwareCampaignUse: Known, the highest-concern designation in the catalogue, indicating that at least one named ransomware group has incorporated the vulnerability into an active campaign. The three-day remediation deadline (11 June for FCEB agencies) reflects the operational urgency of active ransomware exploitation.
The attack pattern is consistent with other VPN gateway exploitation campaigns: automated scanning identifies internet-facing Check Point gateways with IKEv1 enabled, the authentication bypass is triggered to obtain VPN network access, and the attacker uses that access to move laterally within the enterprise network, establish persistence, exfiltrate data, and deploy the ransomware payload.
The IKEv1 exploit produces VPN network access equivalent to a legitimate remote user: internal routing access, no EDR detection of the initial access event (since no endpoint is involved), and potential access to network shares, Active Directory, and management interfaces accessible from the VPN segment.
Affected Products and Remediation
Determine if IKEv1 is enabled: From the Check Point SmartConsole or Gaia Management interface:
- Navigate to Security Gateway object → VPN tab → Advanced Settings
- Check whether IKEv1 is listed as an accepted proposal in the VPN community settings
Immediate option 1: Disable IKEv1 (recommended if not in use). If your VPN clients exclusively use IKEv2 (most modern Check Point VPN clients default to IKEv2), disable IKEv1 support:
- In SmartConsole: Gateway → VPN → Advanced → Remove IKEv1 from accepted proposals
- Apply policy
Disabling IKEv1 eliminates the vulnerability entirely without requiring a hotfix. Most organisations with modern VPN client deployments can safely disable IKEv1.
Immediate option 2: Apply hotfix (if IKEv1 is required). Check Point advisory sk185033 provides an emergency hotfix for Security Gateway R81.10 and R81.20. The hotfix is available from the Check Point support portal and can be applied without a full firmware upgrade.
Verify patch application:
[Expert@gateway]# cpinfo -y all | grep -i hotfix
# Should show the sk185033 hotfix in the installed hotfix list
Forensic Review for Prior Exploitation
Given the short window between active exploitation and public disclosure, organisations should assume the vulnerability has been actively exploited against internet-facing Check Point gateways since before today's disclosure. Review:
- VPN connection logs for the past 30 days: Identify IKEv1 session establishments from external IPs that are not in the expected user IP range
- Authentication logs: Look for VPN authentication events that do not correlate with user-initiated connections (unexpected times, unusual geographic sources)
- Internal network activity following VPN authentication events: Lateral movement from the VPN network segment (SMB connections to domain controllers, Active Directory enumeration, unusual RDP sessions) is the expected post-exploitation pattern
Check Point's SmartLog provides unified log analysis. Query:
action:Allow AND protocol:IKE AND src_ip:[external IP range]
to identify all external IKEv1 connections in the review window.
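The review steps above can be run as a correlation over exported logs. The following is an added example, not code from Check Point or from this article: the CSV column names, the sample rows, the expected source range, the one-hour window and the use of port 389 as a proxy for Active Directory enumeration are all assumptions to adapt to your own export.

```python
import csv, io, ipaddress
from datetime import datetime, timedelta

# Constructed sample exports; column names are assumptions, not a Check Point schema.
VPN_LOG = """time,action,ike_version,src,assigned_ip,user
2026-06-05T09:02:11,Allow,IKEv2,198.51.100.23,10.20.0.15,alice
2026-06-06T03:14:52,Allow,IKEv1,203.0.113.77,10.20.0.41,
2026-06-06T08:45:00,Allow,IKEv1,198.51.100.40,10.20.0.18,bob
2026-06-07T02:01:09,Drop,IKEv1,203.0.113.90,,
"""
FLOW_LOG = """time,src,dst,dst_port
2026-06-06T03:16:30,10.20.0.41,10.1.0.5,445
2026-06-06T03:18:02,10.20.0.41,10.1.0.5,389
2026-06-06T03:40:10,10.20.0.41,10.1.8.20,3389
2026-06-06T09:00:00,10.20.0.18,10.1.3.9,443
2026-06-06T12:30:00,10.20.0.41,10.1.0.5,445
"""
EXPECTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed user egress range
WATCH_PORTS = {445: "SMB", 389: "LDAP", 3389: "RDP"}  # lateral-movement indicators
WINDOW = timedelta(hours=1)  # assumed correlation window after session start

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def suspicious_ikev1(vpn_text):
    """Accepted IKEv1 sessions whose source is outside every expected range."""
    out = []
    for r in rows(vpn_text):
        if r["action"] != "Allow" or r["ike_version"] != "IKEv1":
            continue
        src = ipaddress.ip_address(r["src"])
        if not any(src in net for net in EXPECTED_SOURCES):
            out.append(r)
    return out

def follow_on_activity(session, flow_text):
    """Watched-port flows from the session's VPN address within WINDOW of its start."""
    start = datetime.fromisoformat(session["time"])
    hits = []
    for f in rows(flow_text):
        t, port = datetime.fromisoformat(f["time"]), int(f["dst_port"])
        if f["src"] == session["assigned_ip"] and port in WATCH_PORTS and start <= t <= start + WINDOW:
            hits.append((f["time"], f["dst"], WATCH_PORTS[port]))
    return hits

def review(vpn_text=VPN_LOG, flow_text=FLOW_LOG):
    return [(s["time"], s["src"], follow_on_activity(s, flow_text)) for s in suspicious_ikev1(vpn_text)]

if __name__ == "__main__":
    for when, src, hits in review():
        print(when, src, hits)
```

A flagged session with no username and watched-port traffic shortly afterwards is a lead for deeper investigation, not proof of exploitation.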