Full Report
Multiple vulnerabilities have been discovered in Check Point products, the most severe of which could allow for authentication bypass. Check Point VPN Remote Access provides remote and mobile employees with secure, encrypted connections to corporate networks. Check Point Mobile Access enables secure remote access to enterprise applications through client-based or clientless solutions. Check Point Spark Firewall is an enterprise-grade security gateway providing all-in-one threat prevention.

Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to network resources. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: Check Point Authentication Bypass and Certificate Validation Flaws
## CVE Details
- **CVE ID**: CVE-2026-50751, CVE-2026-50752
- **CVSS Score**: Not explicitly provided (Categorized as Critical/High severity due to Auth Bypass)
- **CWE**: Improper Authentication / Logic Flow Weakness
## Affected Systems
- **Products**: Check Point VPN Remote Access, Mobile Access, and Spark Firewalls.
- **Versions**:
  - **Security Gateways**: R82.10 (Jumbo Hotfix Take 19 or below); R82 (Jumbo Hotfix Take 103 or below); R81.20 (Jumbo Hotfix Take 141 or below); R81.10, R81, and R80.40 (End of Support).
  - **Spark Firewalls**: R81.10.X; R82.00.X; R80.20.X (End of Support).
- **Configurations**:
  - Vulnerable if **IKEv1** is enabled.
  - Remote Access / Mobile Access enabled (CVE-2026-50751).
  - Site-to-site VPN communities using certificate-based authentication (CVE-2026-50752).
## Vulnerability Description
- **CVE-2026-50751**: A logic flow weakness in certificate validation during deprecated IKEv1 key exchanges. An unauthenticated attacker can bypass the user password requirement to establish a VPN connection.
- **CVE-2026-50752**: A certificate validation weakness in IKEv1 allows a Man-in-the-Middle (MitM) attacker to bypass validation in site-to-site tunnels, enabling interception or modification of encrypted traffic.
## Exploitation
- **Status**: **Exploited in the wild**. CVE-2026-50751 has been linked to limited targeted attacks, including activity from the **Qilin ransomware** group.
- **Complexity**: Low
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Unauthorized access to network resources/data interception)
- **Integrity**: High (Ability to modify data, install programs, or create new accounts)
- **Availability**: High (Potential for ransomware or system modification)
## Remediation
### Patches
Apply the following Jumbo Hotfixes or higher:
- **R82.10**: Take 20+
- **R82**: Take 104+
- **R81.20**: Take 142+
- Users on EOS versions (R81.10, R81, R80.40) must upgrade to a supported version immediately.
### Workarounds
- **Disable IKEv1**: Switch to IKEv2 for all VPN connections.
- **Enforce Machine Certificates**: Configure gateways to demand a valid machine certificate for all remote access connections.
- **MFA**: Ensure Multi-Factor Authentication is enforced where possible (though logic bypass may affect some implementations).
## Detection
- **Indicators of Compromise**: Monitor logs for VPN connections established via IKEv1 without accompanying password authentication events.
- **Detection methods**: Audit Check Point logs for IKEv1 usage and cross-reference with known malicious IPs. Review account creation logs and administrative changes on the gateway.
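The correlation described above (IKEv1 sessions with no preceding password authentication, plus an inventory of IKEv1 usage), as an added example that is not part of the advisory or any Check Point tooling. The key=value log format, field names and sample lines are constructed stand-ins; map them onto the fields of your own gateway log export.

```python
"""Flag IKEv1 VPN sessions that lack a matching password authentication event.
Added example, not from the advisory or from Check Point. The log format and
field names (event, user, src, ike, method) are assumptions for illustration."""
from datetime import datetime, timedelta

# Constructed sample log lines (not real gateway logs): ISO timestamp, then key=value pairs.
SAMPLE_LOGS = """\
2026-05-01T08:00:01 event=auth_success user=alice src=203.0.113.5 method=password
2026-05-01T08:00:03 event=vpn_established user=alice src=203.0.113.5 ike=IKEv1
2026-05-01T08:05:10 event=vpn_established user=bob src=198.51.100.7 ike=IKEv1
2026-05-01T08:07:00 event=auth_success user=carol src=192.0.2.9 method=password
2026-05-01T08:07:02 event=vpn_established user=carol src=192.0.2.9 ike=IKEv2
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def ikev1_sessions(log_text):
    """Inventory of (user, src) pairs that established a tunnel over IKEv1."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [(e["user"], e["src"]) for e in events
            if e.get("event") == "vpn_established" and e.get("ike") == "IKEv1"]


def find_unauthenticated_ikev1(log_text, window=timedelta(minutes=5)):
    """Return (user, src, ts) for each IKEv1 session with no password
    auth_success from the same user and source within `window` before it."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    auths = [e for e in events
             if e.get("event") == "auth_success" and e.get("method") == "password"]
    suspicious = []
    for e in events:
        if e.get("event") != "vpn_established" or e.get("ike") != "IKEv1":
            continue
        matched = any(a["user"] == e["user"] and a["src"] == e["src"]
                      and e["ts"] - window <= a["ts"] <= e["ts"] for a in auths)
        if not matched:
            suspicious.append((e["user"], e["src"], e["ts"].isoformat()))
    return suspicious


if __name__ == "__main__":
    print("IKEv1 users still in use:", ikev1_sessions(SAMPLE_LOGS))
    for hit in find_unauthenticated_ikev1(SAMPLE_LOGS):
        print("IKEv1 session without password auth:", hit)
```

In the sample, only bob's session is flagged: alice authenticated two seconds earlier from the same source and carol used IKEv2, which is outside the scope of this check.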
## References
- **Vendor advisories**:
  - hxxps://support[.]checkpoint[.]com/results/sk/sk185035
  - hxxps://support[.]checkpoint[.]com/results/sk/sk185033
- **CVE Links**:
  - hxxps://cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2026-50751
  - hxxps://cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2026-50752