Cyber security firm Check Point has disclosed a critical-severity vulnerability in several of its VPN and firewall products that has been actively exploited since at least 7 May 2026, with exploitation increasing into June.
CVE-2026-50751 was initially disclosed on 8 June and added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog soon after.
The vulnerability is a critical authentication bypass flaw that impacts Check Point Remote Access VPN and Mobile Access deployments that have been configured to use the deprecated IKEv1 key exchange protocol.
“A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password,” according to the vulnerability’s CVE record.
According to Check Point’s advisory, exploitation has been limited to “a few dozen targeted organisations globally”. One case, however, appears to be linked to post-compromised activity usually associated with the Qilin ransomware-as-a-service operation.
“Based on the post-exploitation activity we observed, we assess with medium confidence that the actor behind the exploitation of CVE-2026-50751 is financially motivated, and uses Qilin ransomware,” Check Point said in its advisory.
“We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities, such as the ones published by Palo Alto, Fortinet and F5.”
CVE-2026-50751 has a CVSS score of 9.3 and impacts the following versions of Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall: R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, and R82.10.
Cyber security firm Rapid7 noted in an 8 June blog post that hackers frequently target Check Point’s VPN products.
“In May 2024, CVE-2024-24919, a high-severity information disclosure vulnerability in Check Point Quantum Security Gateways, was exploited in the wild and subsequently added to the CISA Known Exploited Vulnerabilities (KEV) catalog,” Rapid7 said.
“Organisations running affected Check Point products are urged to apply the available hot fixes and follow the vendor guidance to remediate these issues.”
Check Point also shared details of a second vulnerability in the same disclosure, CVE-2026-50752. While this flaw could lead to a man-in-the-middle attack, the company said it had found no evidence of any active exploitation to date.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.