
Check Point VPN Zero-Day Added to KEV After Qilin-Linked Activity

Check Point says attackers have exploited CVE-2026-50751 since May, with one intrusion linked to a Qilin ransomware affiliate.
Check Point Headquarters in Redwood City, CA.

Check Point is warning customers to immediately review and patch vulnerable VPN deployments after researchers identified active exploitation of a critical authentication bypass vulnerability and linked at least one post-compromise intrusion to a Qilin ransomware affiliate.

The vulnerability, tracked as CVE-2026-50751, affects Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated Internet Key Exchange version 1 (IKEv1) protocol. According to Check Point Research, attackers have been exploiting the flaw since at least early May.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed real-world exploitation and requiring federal agencies to address affected systems.

Authentication bypass flaw enables VPN access

Check Point said the vulnerability stems from a logic flaw in certificate validation that can allow attackers to establish a VPN session without requiring a valid password.

The company began investigating after detecting suspicious activity and traced exploitation attempts back to May 4. Researchers identified several dozen targeted organizations worldwide during the investigation.

Because the vulnerability affects VPN infrastructure, successful exploitation may provide attackers with a direct foothold into enterprise environments, potentially enabling lateral movement, credential theft, and additional malicious activity.

Qilin-linked activity observed after compromise

While Check Point did not attribute exploitation of the vulnerability itself to a specific threat actor, researchers reported that post-compromise activity in at least one case was linked to a Qilin ransomware affiliate.

The same infrastructure involved in the campaign was also reportedly observed targeting VPN vulnerabilities affecting Palo Alto Networks, Fortinet, and F5 devices.

The findings highlight how ransomware operators and their affiliates continue to capitalize on newly disclosed perimeter security vulnerabilities to gain initial access to victim environments.

Second vulnerability disclosed during investigation

During the investigation, Check Point researchers identified a second vulnerability, tracked as CVE-2026-50752, which also affects certificate validation within deprecated IKEv1 implementations.

The flaw could enable man-in-the-middle attacks against site-to-site VPN communications under specific conditions. However, Check Point said it has not observed active exploitation of the second vulnerability.

Organizations urged to review VPN deployments

Check Point has released hotfixes, mitigation guidance, and additional recommendations for affected customers. Security teams are being urged to identify systems using IKEv1, apply available updates, and conduct forensic reviews of authentication and VPN access logs.

Rapid7 researchers have also reported observing exploitation involving the vulnerability, further supporting concerns that attackers are actively targeting vulnerable deployments.

Researchers noted that several affected product branches have already reached end-of-support status, meaning some organizations may need to upgrade to supported versions before security updates can be applied.

As threat actors increasingly focus on internet-facing infrastructure, VPN appliances remain among the highest-priority systems for vulnerability management and monitoring.

BreachNews will continue monitoring reports of exploitation and any additional threat activity linked to the campaign.


m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
