Full Report
Scumbags, including a Qilin ransomware affiliate, began hitting this hole May 7
Analysis Summary
# Vulnerability: Check Point VPN Authentication Bypass and MitM Flaws
## CVE Details
- **CVE ID:** CVE-2026-50751, CVE-2026-50752
- **CVSS Score:** Critical (no numerical CVSS score is given in the source text; the flaw is categorized as a "Critical Authentication Bypass")
- **CWE:** Weakness in logic-flow / Certificate validation logic
## Affected Systems
- **Products:** Check Point Remote Access VPN, Mobile Access Software Blades, Security Gateways, and Spark Firewalls.
- **Versions:** Multiple versions using deprecated IKEv1; specific hotfixes are available for supported releases.
- **Configurations:** Systems configured to use the **deprecated IKEv1 key exchange protocol** for VPN connections and those utilizing certificate-based authentication.
## Vulnerability Description
- **CVE-2026-50751:** A logic-flow weakness in the certificate validation process for Remote Access and Mobile Access VPNs. This flaw allows a remote attacker to bypass authentication entirely, establishing a VPN connection without requiring a user password.
- **CVE-2026-50752:** A flaw in the certificate validation logic specific to the deprecated IKEv1 key exchange method within Security Gateways and Spark Firewalls. This vulnerability can lead to Man-in-the-Middle (MitM) attacks on VPN site-to-site configurations.
## Exploitation
- **Status:**
  - **CVE-2026-50751:** Exploited in the wild (zero-day). Attacks began May 7, 2026. Attributed to actors including a Qilin ransomware affiliate.
  - **CVE-2026-50752:** Not known to be exploited in the wild.
- **Complexity:** Low (Authentication bypass via protocol weakness)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to internal network resources)
- **Integrity:** High (Unauthorized access allows for data manipulation/lateral movement)
- **Availability:** High (Potential for ransomware deployment)
## Remediation
### Patches
- Check Point has released emergency **hotfixes** for all affected products. Customers are urged to apply these immediately via the Check Point Support Center.
### Workarounds
- Disable the use of the deprecated IKEv1 protocol.
- Move to IKEv2 for all VPN and site-to-site configurations.
- Implement alternative mitigations as outlined in the vendor security advisories (sk185033/sk185035).
## Detection
- **Indicators of Compromise:** Check Point has published a list of attacker IPs and specific certificate subject names used in the campaign.
- **Detection Methods:**
  - Search **SmartConsole logs** for VPN certificate authentication attempts dating back to at least May 7, 2026.
  - Inspect logs for unusual post-compromise activity associated with ransomware affiliates (lateral movement, credential dumping).
## References
- **Vendor Advisories:**
  - hXXps[://]support[.]checkpoint[.]com/results/sk/sk185033
  - hXXps[://]support[.]checkpoint[.]com/results/sk/sk185035
- **Relevant Links:**
  - hXXps[://]blog[.]checkpoint[.]com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol