Ransomware hackers have spent the past month sneaking into corporate networks by exploiting a critical flaw in Check Point VPNs that lets them bypass the password screen entirely.
The vulnerability, tracked as CVE-2026-50751, carries a near-maximum CVSS severity rating of 9.3 out of 10. According to a vendor security advisory, a logic flaw in the certificate validation process allows an unauthenticated remote attacker to successfully establish a VPN session without providing a valid user password.
While Check Point Research formally launched an investigation on June 4, 2026, after spotting suspicious activity, forensic evidence reveals that attackers have been quietly exploiting the zero-day since May 7, 2026. The vendor noted that exploitation attempts spiked significantly in early June, spreading across multiple jurisdictions.
The Qilin connection
Check Point has confirmed that at least one network intrusion involved post-compromise activity tied directly to an affiliate of the Qilin ransomware syndicate. Security analysts assess with “medium confidence” that the culprit is a financially motivated actor using Qilin ransomware binaries and targeting corporate VPN appliances as a preferred method for initial network access.
Defenders tracking the threat actor’s infrastructure observed several distinct patterns:
- VPS masking: The hackers deployed dedicated virtual private servers (VPS) hosted by providers like Vultr Holdings, Shock Hosting, and Kaupo Cloud HK. Attackers frequently matched the geolocation of their VPS infrastructure to the physical geography of their targets, for example, using Taiwan-based infrastructure to target Taiwanese organizations.
- Alternative exploits: Evidence suggests this same threat actor infrastructure is actively probing and exploiting known VPN flaws in competing edge products from F5, Fortinet, and Palo Alto Networks.
- Evasive comms: The actor showed indicators of using the open-source peer-to-peer Tox protocol for communication and of attempting to download malicious ELF files from external servers.
Despite the month-long head start for attackers, Check Point clarified that the blast radius remains contained, characterizing the campaign as “limited to a few dozen targeted organizations globally.”
Technical scope and AI discoveries
The flaw explicitly targets Remote Access VPN, Mobile Access/SSL VPN, and Spark Firewall deployments that still rely on the legacy Internet Key Exchange version 1 (IKEv1) key exchange protocol, a standard created in 1998 and deprecated for years in favor of IKEv2.
For a system to be vulnerable, four operational criteria must be met at the same time: Remote Access or Mobile Access must be turned on, IKEv1 must be active, the gateway must accept legacy remote access clients, and machine certificate authentication must not be enforced.
While investigating the primary threat, Check Point utilized its agentic AI application security platform, BLAST, to audit the legacy code. The AI analysis exposed a secondary flaw, CVE-2026-50752 (CVSS 7.4), that could enable a man-in-the-middle attack against site-to-site VPN tunnels.
Check Point said it “has not observed exploitation of this vulnerability in the wild” and credited the AI-assisted code review with catching the bug before threat actors could weaponize it.
Immediate mitigation mandated
The vulnerabilities impact a wide array of active and end-of-support (EOS) Check Point firmware versions, stretching from R82.10 down to legacy R80.20.X, R80.40, R81, and R81.10 baselines. Because the vulnerable Spark line protects small and medium-sized businesses, the threat extends to resource-constrained environments as well as massive enterprise networks.
As a reflection of the severity, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog on June 9, 2026, ordering federal civilian executive branch agencies to patch or isolate the systems by June 11, 2026.
Check Point has released emergency hotfixes and urged administrators to review forensic logs back to the initial May 7 baseline.
Organizations unable to apply the hotfixes immediately can mitigate the flaw by switching encryption paths exclusively to IKEv2, removing support for legacy client connections, or making machine certificate authentication strictly mandatory.
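Since the flaw is only reachable when all four advisory preconditions hold at once, a defender can triage a fleet by checking each gateway against them and, for any gateway that is exposed, listing which of the three interim changes would break the chain. The following is an added illustration, not Check Point tooling; the Gateway fields, the inventory and the hostnames are constructed for the example.

```python
from dataclasses import dataclass

# Preconditions for CVE-2026-50751 from the advisory: all four must hold.
# Each is paired with the interim mitigation that removes it (None = no
# mitigation listed in the advisory for that precondition).
PRECONDITIONS = {
    "remote_access_enabled": None,
    "ikev1_enabled": "move remote access exclusively to IKEv2",
    "legacy_clients_allowed": "remove support for legacy client connections",
    "machine_cert_optional": "make machine certificate authentication mandatory",
}
LOG_REVIEW_FROM = "2026-05-07"  # earliest known exploitation date per the advisory

@dataclass
class Gateway:                       # hypothetical inventory record, not a vendor API
    name: str
    hotfix_applied: bool
    remote_access_enabled: bool      # Remote Access or Mobile Access/SSL VPN enabled
    ikev1_enabled: bool              # legacy IKEv1 still active
    legacy_clients_allowed: bool     # accepts legacy remote access clients
    machine_cert_required: bool      # machine certificate authentication enforced

def failing_preconditions(gw):
    """Preconditions that do NOT hold; an empty list means the flaw is reachable."""
    state = {
        "remote_access_enabled": gw.remote_access_enabled,
        "ikev1_enabled": gw.ikev1_enabled,
        "legacy_clients_allowed": gw.legacy_clients_allowed,
        "machine_cert_optional": not gw.machine_cert_required,
    }
    return [name for name, held in state.items() if not held]

def triage(gw):
    """Classify one gateway; exposed gateways get the config changes that close it."""
    if gw.hotfix_applied:
        return {"name": gw.name, "status": "patched", "actions": []}
    missing = failing_preconditions(gw)
    if missing:
        return {"name": gw.name, "status": "not_exposed", "blocked_by": missing, "actions": []}
    return {"name": gw.name, "status": "exposed",
            "actions": [m for m in PRECONDITIONS.values() if m],
            "log_review_from": LOG_REVIEW_FROM}

def triage_fleet(gateways):
    return {r["name"]: r for r in map(triage, gateways)}

FLEET = [  # constructed sample inventory
    Gateway("gw-hq", True, True, True, True, False),
    Gateway("gw-branch-1", False, True, True, True, False),
    Gateway("gw-lab", False, True, False, True, True),
]
```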