Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks
https://www.securityweek.com/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks/
Publish Date: 2026-06-09 05:47:10
Source Domain: www.securityweek.com
Vulnerability Exploited in Check Point’s VPN and Firewall Products
On Monday, Check Point warned about a critical-severity authentication bypass vulnerability, tracked as CVE-2026-50751, that affects its VPN and firewall products. The flaw is a logic error in the validation of Remote Access and Mobile Access certificates during the deprecated IKEv1 key exchange, and it allows attackers to establish VPN sessions without valid credentials. It has been actively exploited since May 7, with attacks mainly targeting a few dozen organizations globally. Check Point assesses with medium confidence that one of the groups exploiting this vulnerability could be financially motivated and affiliated with the Qilin ransomware. During its investigation, the company also found a secondary issue (CVE-2026-50752) in certificate validation logic that could enable man-in-the-middle attacks but has not yet been exploited in the wild. Check Point has patched both issues, issued mitigation advice, and provided indicators of compromise. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added the primary vulnerability to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply the necessary fixes by June 11.
Key Points:
- Threat: Critical-severity authentication bypass vulnerability in Check Point’s VPN/firewall products (CVE-2026-50751, CVSS score of 9.3).
- Vulnerability: Logic flaw in certificate validation within deprecated IKEv1 key exchange.
- Exploitation: Actively exploited in the wild since May 7 by potentially financially motivated actors linked to the Qilin ransomware.
- Additional vulnerability: Man-in-the-middle attack risk (CVE-2026-50752) discovered but not exploited yet.
- Response: Check Point provided hotfixes, indicators of compromise, and mitigation guidance; CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch by June 11.