Check Point warns of ransomware-linked attacks exploiting outdated VPN protocol

Check Point has issued emergency hotfixes for a pair of vulnerabilities affecting VPN deployments that still use the deprecated Internet Key Exchange version 1 (IKEv1) protocol, warning that one of the flaws is already being exploited in the wild.

The more serious issue allows attackers to establish VPN sessions without a valid password, potentially giving them a foothold inside corporate networks. According to the company, attackers have been exploiting the vulnerability since at least early May, with activity accelerating in recent weeks.

“To date, the observed exploitation has been limited to a few dozen targeted organizations globally,” Lotem Finkelstein, vice president of research at Check Point, said in a security blog post. “One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate.”

The vulnerabilities affect customers using Remote Access VPN, Mobile Access VPN, and certain Spark Firewall products configured for IKEv1.

While IKEv1 has been considered legacy technology for years, it remains enabled in some environments for compatibility reasons. Check Point is urging affected customers to apply the newly released hotfixes immediately and, where possible, to migrate from IKEv1 to the newer IKEv2 protocol.

The deprecated protocol became an active risk

The exploited bug, tracked as CVE-2026-50571, affects deployments that continue to accept IKEv1-based remote access connections.

According to Check Point, attackers can exploit a logic oversight in how Remote Access and Mobile Access components validate certificates during the authentication process. Exploitation allows an unauthenticated attacker to establish a VPN connection without supplying a valid user password.

While additional steps may be required to access internal resources or escalate privileges, security researchers note that bypassing the VPN login barrier provides attackers with a significant foothold inside targeted environments.

The vulnerability is classified as CWE-287 (Improper Authentication) and carries a CVSS score of 9.3. Affected Check Point Quantum software platform versions, which run on the Gaia operating system powering all Check Point products, include R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, and R82.10.

The second vulnerability, CVE-2026-50752, emerged during a broader security review conducted as part of Check Point’s investigation into the improper authentication flaw. Researchers reportedly used the company’s BLAST agentic application security platform to analyze the affected VPN components, leading to the discovery of additional weaknesses in certificate validation logic.

Unlike CVE-2026-50571, the newly identified issue does not allow direct authentication bypass. Instead, it could enable a man-in-the-middle attacker to interfere with site-to-site VPN communications if specific conditions are met.

This flaw received a CVSS score of 7.4, with no exploitation attempts observed in the wild yet.

Mitigations and patches issued

Check Point has given affected organizations a set of remediation steps, starting with a technique for detecting attack attempts.

“Search your Check Point SmartConsole logs for possible VPN certificate authentication attempts associated with the observed attacker infrastructure and certificate subject names,” Check Point said in an advisory that shared SmartConsole queries covering the relevant time range, the attacker IP address, and VPN/IKE activity.

Additionally, the company listed three mitigations that protect deployments independently of the patches: removing support for legacy Remote Access client connections, configuring the Global properties for Remote Access VPN authentication to IKEv2 only, and making machine certificate authentication mandatory. Lastly, and most effectively, the company issued downloadable hotfixes for each affected version, which customers can apply for complete and immediate protection.
