Check Point Security Gateway Improper Authentication Vulnerability (CVE-2026-50751)
Severity Assessment
- Exploitability: 9/10 — CISA KEV status and Check Point’s advisory confirm active exploitation; the CVSS vector indicates network attack, low complexity, no privileges, and no user interaction.
- Impact: 8/10 — Successful exploitation can establish a VPN session without a valid user password, exposing remote access paths that normally sit behind authentication.
- Weaponization Risk: 8/10 — The affected surface is remote access infrastructure, and Check Point reported exploitation attempts increasing in early June 2026.
- Patch Urgency: 10/10 — CISA added the flaw to KEV on 2026-06-08 with a 2026-06-11 remediation deadline.
- Detection Coverage: 6/10 — Defenders can review VPN, Mobile Access, and gateway telemetry, but authentication bypass activity may not look like a normal failed-login sequence.
Summary
CVE-2026-50751 is an improper authentication vulnerability in Check Point Security Gateway remote access deployments that use the deprecated IKEv1 key exchange protocol. CISA describes the issue as an IKEv1 improper authentication flaw that can allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Check Point says the vulnerability affects Remote Access VPN and Mobile Access deployments configured to use deprecated IKEv1. The vendor attributes the issue to a logic flow weakness in certificate validation and states that active exploitation has been observed in the wild. NVD assigns CVSS 3.1 score 9.3 critical and maps the weakness to CWE-287.
Check Point also reported that observed exploitation had affected a few dozen targeted organizations globally as of its advisory. One observed case involved post-compromise activity associated with a Qilin ransomware affiliate, but the public sources do not establish a broader confirmed campaign relationship for every exploitation attempt.
Exploit Chain
Stage 1: Identify exposed IKEv1 remote access configuration
An attacker targets a Check Point Remote Access VPN or Mobile Access deployment configured to use the deprecated IKEv1 key exchange protocol. Check Point lists affected product families including Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall across several software trains.
Stage 2: Abuse certificate validation logic
The attacker exploits the logic flow weakness in Remote Access and Mobile Access certificate validation. CISA and NVD both describe the result as user authentication bypass without a valid user password.
Stage 3: Establish unauthorized VPN connectivity
Successful exploitation can establish a remote access VPN connection. Check Point notes that additional post-authentication activity is required to access internal resources or escalate privileges, so the vulnerability should be treated as an initial access enabler rather than proof of full internal compromise by itself.
Detection Guidance
- Identify Check Point Remote Access VPN, Mobile Access, SSL VPN, and Spark Firewall deployments that still allow IKEv1.
- Review VPN session creation logs for successful sessions that lack expected authentication context, device posture, or user-password validation signals.
- Hunt from at least 2026-05-07, the earliest exploitation date referenced in Check Point’s public timeline.
- Correlate new VPN sessions with internal resource access, privilege changes, command execution, or unusual file-transfer activity after the session is established.
- Monitor for the infrastructure indicators published by Check Point, while treating them as time-sensitive indicators that may change quickly.
- Apply the Check Point hotfix or disable/migrate deprecated IKEv1 remote access configurations according to vendor guidance.
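One way to implement the session review and correlation steps above, added here as an example and not taken from Check Point's advisory or tooling. The record fields (`ike`, `auth_method`, `assigned_ip`), the sample data, and the one-hour correlation window are assumptions; map them to what your gateway log export actually provides.

```python
from datetime import datetime, timedelta

HUNT_START = datetime(2026, 5, 7)     # earliest exploitation date in the vendor timeline
FOLLOW_WINDOW = timedelta(hours=1)    # assumed correlation window, tune per environment

# Constructed sample records. The field names are a hypothetical normalized schema,
# not Check Point's native log format.
SESSIONS = [
    {"ts": "2026-05-02T09:00:00", "user": "alice", "src": "198.51.100.7", "ike": 1,
     "result": "success", "auth_method": "", "assigned_ip": "10.9.0.5"},
    {"ts": "2026-05-20T03:14:00", "user": "bob", "src": "203.0.113.9", "ike": 1,
     "result": "success", "auth_method": "", "assigned_ip": "10.9.0.6"},
    {"ts": "2026-05-21T08:30:00", "user": "carol", "src": "198.51.100.8", "ike": 1,
     "result": "success", "auth_method": "password", "assigned_ip": "10.9.0.7"},
    {"ts": "2026-05-22T11:00:00", "user": "dave", "src": "198.51.100.9", "ike": 2,
     "result": "success", "auth_method": "", "assigned_ip": "10.9.0.8"},
]
INTERNAL_EVENTS = [
    {"ts": "2026-05-20T03:20:00", "src": "10.9.0.6", "action": "smb_file_transfer"},
    {"ts": "2026-05-20T09:00:00", "src": "10.9.0.6", "action": "rdp_logon"},
    {"ts": "2026-05-21T08:35:00", "src": "10.9.0.7", "action": "smb_file_transfer"},
]

def suspicious_sessions(sessions, start=HUNT_START):
    """Successful IKEv1 sessions inside the hunt window with no recorded auth context."""
    hits = []
    for s in sessions:
        when = datetime.fromisoformat(s["ts"])
        if (when >= start and s["ike"] == 1 and s["result"] == "success"
                and not s["auth_method"].strip()):
            hits.append(s)
    return hits

def correlate(sessions, events, window=FOLLOW_WINDOW):
    """Attach internal activity from the session's assigned IP seen within the window."""
    findings = []
    for s in suspicious_sessions(sessions):
        t0 = datetime.fromisoformat(s["ts"])
        follow = [e["action"] for e in events
                  if e["src"] == s["assigned_ip"]
                  and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        findings.append({"user": s["user"], "src": s["src"], "ts": s["ts"],
                         "follow_on": follow})
    return findings

if __name__ == "__main__":
    for finding in correlate(SESSIONS, INTERNAL_EVENTS):
        print(finding)
```

A session with an empty `follow_on` list is still a lead: the bypass only establishes the tunnel, so absence of follow-on activity inside the window does not clear the session.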
Indicators of Compromise
Check Point published the following indicators in its advisory. They should be used as investigative leads, not as complete detection coverage.
Disclosure Timeline
- 2026-05-07: Earliest referenced exploitation window. Check Point advised incident response teams to review forensic logs and configurations beginning from the earliest observed exploitation date of 2026-05-07.
- 2026-06-04: Check Point investigation begins. Check Point stated that suspicious activity on 2026-06-04 led to an investigation into the affected VPN components.
- 2026-06-08: Public disclosure and KEV addition. Check Point published its advisory and hotfix guidance. NVD published CVE-2026-50751, and CISA added the vulnerability to the Known Exploited Vulnerabilities catalog.
- 2026-06-11: CISA remediation deadline. CISA lists 2026-06-11 as the required action deadline for applicable federal civilian executive branch systems.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-06-08
- National Vulnerability Database: CVE-2026-50751 — National Vulnerability Database, 2026-06-08
- Check Point Blog: Security Advisory - Active Exploitation of Check Point VPN Authentication Bypass — Check Point Blog, 2026-06-08
- Check Point Support: sk185033 — Check Point Support, 2026-06-08