Full Report
CISA has ordered U.S. government agencies to secure their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability exploited in zero-day attacks by Qilin ransomware affiliates. [...]
Analysis Summary
# Vulnerability: Check Point VPN Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-50751
- **CVSS Score:** Critical (Exact score pending, but categorized as critical by CISA/Check Point)
- **CWE:** Not specified (Categorized as an Authentication Bypass)
## Affected Systems
- **Products:** Check Point Remote Access VPN, Mobile Access Software Blades, and Spark Firewalls.
- **Versions:** Quantum Security Gateway (all versions), Spark Gateways.
- **Configurations:** Systems are vulnerable **only** if they meet all of the following conditions:
  - Configured to use the legacy/deprecated **IKEv1** key exchange protocol.
  - Accept legacy Remote Access clients.
  - Do **not** require a machine certificate for connection.
## Vulnerability Description
CVE-2026-50751 is an authentication bypass vulnerability. An unauthenticated remote attacker can exploit this flaw to establish a remote access VPN connection without valid credentials. This effectively allows the attacker to gain unauthorized access to the internal network via the Mobile Access/SSL VPN or Remote Access VPN portals.
## Exploitation
- **Status:** Exploited in the wild (Zero-day).
- **Complexity:** Low (only gateways in the legacy configuration described above are affected).
- **Attack Vector:** Network.
- **Known Actors:** Qilin Ransomware affiliates.
## Impact
- **Confidentiality:** High (Full network access).
- **Integrity:** High (Ability to modify internal resources/deploy ransomware).
- **Availability:** High (Ransomware encryption/system compromise).
## Remediation
### Patches
- Check Point has released security updates for all impacted versions. Customers are urged to apply the latest Hotfix via the Check Point Support Center.
### Workarounds
If the Hotfix cannot be applied immediately, implement the following:
1. **Switch to IKEv2:** Configure Global Properties for Remote Access VPN Authentication to use **IKEv2 only**.
2. **Enforce Machine Certificates:** Configure Machine Certificate Authentication as a mandatory requirement.
3. **Disable Legacy Clients:** Remove support for legacy remote access clients in the gateway settings.
4. **IPS Signatures:** Enable IPS (Intrusion Prevention System) and download the latest signatures released for this CVE.
## Detection
- **Indicators of Compromise:** Monitor for VPN connections originating from unusual IP addresses that have no corresponding successful user authentication event.
- **Manual Check:** Review gateway logs for IKEv1 negotiations and legacy client logins, since these identify sessions that used the vulnerable code path.
- **Check Point Tools:** Utilize the vendor-provided scripts or management dashboard to identify gateways running vulnerable configurations.
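The following triage script is an added example, not code from Check Point, CISA, or the article: it applies the three exposure conditions and the "connection without matching authentication" check from the Detection section to constructed log lines. The key=value layout and the field names `ike`, `client`, `machine_cert` and `session` are placeholders chosen for this example, not the vendor's actual log schema.

```python
"""Triage constructed VPN log lines for the CVE-2026-50751 exposure conditions."""
import re

# Constructed sample lines. The key=value layout and the field names (ike, client,
# machine_cert, session) are placeholders for this example, not Check Point's schema.
SAMPLE_LOGS = """\
time=2026-05-01T08:00:01 event=vpn_connect src=203.0.113.10 user=alice ike=IKEv1 client=legacy machine_cert=no session=1
time=2026-05-01T08:00:03 event=auth_success src=203.0.113.10 user=alice session=1
time=2026-05-01T08:05:10 event=vpn_connect src=198.51.100.77 user=svc-backup ike=IKEv1 client=legacy machine_cert=no session=2
time=2026-05-01T08:10:22 event=vpn_connect src=192.0.2.5 user=bob ike=IKEv2 client=endpoint machine_cert=yes session=3
time=2026-05-01T08:10:24 event=auth_success src=192.0.2.5 user=bob session=3
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(KV.findall(line))

def on_vulnerable_path(ev):
    """All three advisory conditions must hold: IKEv1, legacy client, no machine certificate."""
    return (ev.get("ike") == "IKEv1" and ev.get("client") == "legacy"
            and ev.get("machine_cert") == "no")

def triage(log_text):
    """Correlate vpn_connect with auth_success by session id and rate each connection.

    high   : vulnerable path and no successful user authentication (bypass-like pattern)
    medium : vulnerable path but authenticated (gateway still exposed; apply the workarounds)
    low    : hardened path (IKEv2 / machine cert) with no auth record (logging gap to review)
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    authed = {e["session"] for e in events if e.get("event") == "auth_success"}
    findings = []
    for e in events:
        if e.get("event") != "vpn_connect":
            continue
        exposed, unauth = on_vulnerable_path(e), e["session"] not in authed
        if exposed and unauth:
            sev = "high"
        elif exposed:
            sev = "medium"
        elif unauth:
            sev = "low"
        else:
            continue  # hardened path and authenticated: nothing to report
        findings.append({"session": e["session"], "src": e["src"],
                         "user": e.get("user"), "severity": sev})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Sessions rated "medium" show the gateway is still accepting the IKEv1/legacy/no-certificate path even when the user did authenticate, which is the configuration the workarounds above remove.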
## References
- **Vendor Advisory:** hXXps://support[.]checkpoint[.]com/results/sk/sk185033
- **CISA KEV Catalog:** hXXps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **News Coverage:** hXXps://www[.]bleepingcomputer[.]com/news/security/cisa-orders-feds-to-patch-check-point-flaw-exploited-by-ransomware-gangs/