CVE-2026-50751 | Check Point Security Gateway Improper Authentication Vulnerability
2026-6-16 20:34:54 Author: horizon3.ai

Check Point Security Gateway Improper Authentication Vulnerability

CVE-2026-50751 is an authentication bypass vulnerability affecting Check Point Security Gateway Remote Access VPN and Mobile Access services. The flaw exists in deprecated IKEv1 Remote Access and Mobile Access certificate validation logic and can allow a remote attacker to establish a VPN session without supplying a valid password. Check Point has confirmed active exploitation in the wild and reported a limited number of targeted organizations globally, including at least one post-compromise case linked to a Qilin ransomware affiliate.

Technical Details

The vulnerability affects the authentication process used by deprecated IKEv1-based Remote Access VPN deployments.

A successful attacker can:

  • Establish a VPN session without valid user credentials
  • Gain an initial foothold inside the target environment
  • Conduct follow-on activity including lateral movement and privilege escalation
  • Deploy additional tooling or ransomware-related payloads after access is established

Check Point notes that successful exploitation grants VPN access, but additional actions are required before an attacker can access internal resources or elevate privileges.

The vendor reports exploitation activity beginning on May 7, 2026, with activity increasing in early June and prompting public disclosure and remediation guidance.

Stop Guessing, Start Proving

Attack path showing unauthorized VPN access through a vulnerable Check Point Security Gateway deployment

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether this authentication bypass can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

  • Run the Rapid Response test: Launch from the NodeZero platform to determine whether unauthorized VPN access is possible.
  • Patch immediately: Apply Check Point’s recommended hotfixes and mitigation guidance for affected Security Gateways.
  • Re-run the test: Confirm the vulnerability is no longer exploitable after remediation.

Indicators of Compromise

Check Point also reported additional malicious infrastructure identified between June 9 and June 11, 2026.

Affected versions & patch

Affected

Check Point lists the following as affected:

  • Mobile Access / SSL VPN deployments
  • Remote Access VPN deployments
  • Spark Firewall deployments
  • R80.20.X (End of Support)
  • R80.40 (End of Support)
  • R81 (End of Support)
  • R81.10 (End of Support)
  • R81.10.X
  • R81.20
  • R82
  • R82.00.X
  • R82.10

Patch

  • Update all affected Security Gateways using Check Point’s released hotfixes.
  • Follow Check Point’s alternative remote-access mitigation guidance if immediate patching is not possible.
  • Prioritize systems exposing IKEv1-based Remote Access VPN services to the Internet.
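To decide which gateways to prioritize, it helps to know which hosts still answer IKEv1 at all. The following is an added example, not code from Horizon3.ai or Check Point: it parses the fixed ISAKMP/IKE header of UDP 500/4500 payloads and reports hosts seen replying to an IKEv1 negotiation. It assumes the packets have already been extracted from a capture as tuples; the function names, addresses and SPIs are constructed for illustration.

```python
import struct

HDR = struct.Struct("!8s8sBBBBII")  # ISAKMP/IKE fixed header, 28 bytes (RFC 2408, RFC 7296)
ZERO8 = b"\x00" * 8
V1 = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
V2 = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def parse_ike(payload, udp_port=500):
    """Return (major, exchange_name, init_spi, resp_spi), or None if the payload is not IKE."""
    if udp_port == 4500:                      # NAT-T: IKE follows a 4-byte zero non-ESP marker
        if payload[:4] != ZERO8[:4]:
            return None                       # ESP-in-UDP or a keepalive byte
        payload = payload[4:]
    if len(payload) < HDR.size:
        return None
    init_spi, resp_spi, _np, version, exch, _flags, _mid, length = HDR.unpack_from(payload)
    names = {1: V1, 2: V2}.get(version >> 4)  # high nibble: 1 = IKEv1, 2 = IKEv2
    if names is None or init_spi == ZERO8 or length < HDR.size:
        return None
    return version >> 4, names.get(exch, f"exchange {exch}"), init_spi, resp_spi

def ikev1_responders(packets):
    """Map each host seen answering IKEv1 to the exchange types it answered.
    packets: (src_ip, dst_ip, udp_port, payload) tuples in capture order."""
    opened_by, answering = {}, {}
    for src, dst, port, payload in packets:
        parsed = parse_ike(payload, port)
        if parsed is None or parsed[0] != 1:
            continue
        _, exch, init_spi, resp_spi = parsed
        if resp_spi == ZERO8:                 # first message: responder cookie not yet chosen
            opened_by[init_spi] = src
        elif opened_by.get(init_spi) == dst:  # reply travelling back to the initiator
            answering.setdefault(src, set()).add(exch)
    return answering

def build_msg(init_spi, resp_spi, version, exch):
    return HDR.pack(init_spi, resp_spi, 0, version, exch, 0, 0, HDR.size)  # header-only message

# Constructed sample capture (documentation addresses, made-up SPIs), not real traffic.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", 500, build_msg(b"A" * 8, ZERO8, 0x10, 2)),
    ("192.0.2.10", "198.51.100.7", 500, build_msg(b"A" * 8, b"B" * 8, 0x10, 2)),
    ("198.51.100.9", "192.0.2.20", 500, build_msg(b"C" * 8, ZERO8, 0x20, 34)),
    ("198.51.100.7", "192.0.2.30", 4500, ZERO8[:4] + build_msg(b"E" * 8, ZERO8, 0x10, 4)),
    ("192.0.2.30", "198.51.100.7", 4500, ZERO8[:4] + build_msg(b"E" * 8, b"F" * 8, 0x10, 4)),
]

if __name__ == "__main__":
    print(ikev1_responders(SAMPLE))
```

A host in the result has IKEv1 enabled and reachable; that says nothing about whether the hotfix is applied, so use it to order patching, not to confirm remediation.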

Timeline

  • May 7, 2026 — Check Point reports exploitation activity begins.
  • Early June 2026 — Exploitation activity increases against vulnerable deployments.
  • June 8, 2026 — Check Point publishes its security advisory and mitigation guidance.
  • June 9–11, 2026 — Check Point publishes additional suspicious IP infrastructure associated with observed attacks.

Source: https://horizon3.ai/attack-research/vulnerabilities/cve-2026-50751/