{"id":8429,"date":"2026-06-09T11:59:17","date_gmt":"2026-06-09T11:59:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8429"},"modified":"2026-06-09T11:59:17","modified_gmt":"2026-06-09T11:59:17","slug":"check-point-warns-of-ransomware-linked-attacks-exploiting-outdated-vpn-protocol","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8429","title":{"rendered":"Check Point warns of ransomware-linked attacks exploiting outdated VPN protocol"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Check Point has issued emergency hotfixes for a pair of vulnerabilities affecting VPN deployments that still use the deprecated Internet Key Exchange version 1 (IKEv1) protocol, warning that one of the flaws is already being exploited in the wild.<\/p>\n<p>The more serious issue allows attackers to establish VPN sessions without a valid password, potentially giving them a foothold inside corporate networks. According to the company, attackers have been exploiting the vulnerability since at least early May, with activity accelerating in recent weeks.<\/p>\n<p>\u201cTo date, the observed exploitation has been limited to a few dozen targeted organizations globally,\u201d Lotem Finkelstein, vice president of research at Check Point, said in a security blog <a href=\"https:\/\/blog.checkpoint.com\/security\/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol\/\" target=\"_blank\" rel=\"noopener\">post<\/a>. 
\u201cOne case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate.\u201d<\/p>\n<p>The vulnerabilities affect customers using Remote Access VPN, Mobile Access VPN, and certain Spark Firewall products configured for <a href=\"https:\/\/www.csoonline.com\/article\/569623\/optimizing-vpns-for-security-5-key-tasks.html?utm=hybrid_search#:~:text=IKEv2%2C%20since%20the-,IKEv1,-implementation%20only%20supports\">IKEv1<\/a>.<\/p>\n<p>Although IKEv1 has been considered legacy technology for years, it remains enabled in some environments for compatibility reasons. Check Point is urging affected customers to apply the newly released hotfixes immediately and, where possible, migrate from IKEv1 to the newer IKEv2 protocol.<\/p>\n<h2 class=\"wp-block-heading\">The deprecated protocol became an active risk<\/h2>\n<p>The exploited bug, tracked as CVE-2026-50571, affects deployments that continue to accept IKEv1-based remote access connections.<\/p>\n<p>According to Check Point, attackers can exploit a logic oversight in how the Remote Access and Mobile Access components validate certificates during authentication. Exploitation allows an unauthenticated attacker to establish a VPN connection without supplying a valid user password.<\/p>\n<p>While additional steps may be required to access internal resources or escalate privileges, security researchers note that bypassing the VPN login barrier gives attackers a significant foothold inside targeted environments.<\/p>\n<p>The vulnerability is classified as CWE-287 (Improper Authentication) and carries a CVSS score of 9.3. 
Affected Check Point Quantum software platform versions, which run on Check Point\u2019s Gaia operating system, include R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, and R82.10.<\/p>\n<p>The second vulnerability, <a href=\"https:\/\/support.checkpoint.com\/results\/sk\/sk185035\" target=\"_blank\" rel=\"noopener\">CVE-2026-50752<\/a>, emerged during a broader security review conducted as part of Check Point\u2019s investigation into the improper authentication flaw. Researchers reportedly used the company\u2019s BLAST agentic application security platform to analyze the affected VPN components, leading to the discovery of additional weaknesses in the certificate validation logic.<\/p>\n<p>Unlike CVE-2026-50571, the newly identified issue does not allow a direct authentication bypass. Instead, it could enable a <a href=\"https:\/\/www.csoonline.com\/article\/566905\/man-in-the-middle-attack-definition-and-examples.html\">man-in-the-middle<\/a> attacker to interfere with site-to-site VPN communications if specific conditions are met.<\/p>\n<p>This flaw received a CVSS score of 7.4; no exploitation attempts have been observed in the wild so far.<\/p>\n<h2 class=\"wp-block-heading\">Mitigations and patches issued<\/h2>\n<p>Check Point has given affected organizations a set of responses, starting with a detection step.<\/p>\n<p>\u201cSearch your Check Point SmartConsole logs for possible VPN certificate authentication attempts associated with the observed attacker infrastructure and certificate subject names,\u201d Check Point said in an <a href=\"https:\/\/support.checkpoint.com\/results\/sk\/sk185033\">advisory<\/a> that also shares SmartConsole queries scoped to the relevant time range, the observed attacker IP addresses, and VPN\/IKE activity.<\/p>\n<p>Additionally, the company listed three mitigations that apply independently of the hotfixes. 
These include removing support for legacy Remote Access client connections, setting the Global Properties for Remote Access VPN authentication to IKEv2 only (which also cuts off any client that can only negotiate IKEv1), and making machine certificate authentication mandatory. Lastly, and most effectively, the company issued downloadable hotfixes for each affected version, which customers can apply for complete and immediate protection.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Check Point has issued emergency hotfixes for a pair of vulnerabilities affecting VPN deployments that still use the deprecated Internet Key Exchange version 1 (IKEv1) protocol, warning that one of the flaws is already being exploited in the wild. The more serious issue allows attackers to establish VPN sessions without a valid password, potentially giving [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8430,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8429","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8429"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8429"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8429\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8430"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%
2Fwp%2Fv2%2Fmedia&parent=8429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
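The article's mitigation list ends with switching Remote Access VPN authentication to IKEv2 only. The practical follow-up question is whether a gateway still answers IKEv1 after that change. The script below is an added example for this page, not Check Point's code and not part of the advisory: it builds the first message of an IKEv1 Main Mode exchange (a 28-byte ISAKMP header followed by an SA payload with one proposal, per RFC 2408/2409), sends it to UDP/500 and classifies the reply. The single 3DES/SHA1/RSA-signature/MODP-1024 proposal is an assumption chosen because nearly every IKEv1 responder parses it; it is not the transform set Check Point clients use, and the target host is whatever you pass on the command line.

```python
"""IKEv1 exposure probe: does a gateway still answer IKEv1 Main Mode on UDP/500?

Added example; not Check Point's code. A gateway configured for IKEv2 only should
not answer this probe with a major-version-1 ISAKMP message.
"""
import os
import socket
import struct
import sys

ISAKMP_PORT = 500
ISAKMP_VERSION_1 = 0x10        # major 1, minor 0
EXCH_MAIN_MODE = 2             # Identity Protection exchange (Main Mode)
PAYLOAD_NONE, PAYLOAD_SA = 0, 1
AUTH_PSK, AUTH_RSA_SIG = 1, 3  # RFC 2409 Appendix A authentication methods
ZERO_COOKIE = b"\x00" * 8
HEADER_FMT = "!8s8sBBBBII"     # icookie, rcookie, next, version, exch, flags, msgid, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def build_isakmp_header(init_cookie, resp_cookie, next_payload, exchange_type, length,
                        version=ISAKMP_VERSION_1):
    """Fixed 28-byte ISAKMP header (RFC 2408 section 3.1); flags and message ID are 0 in Phase 1."""
    return struct.pack(HEADER_FMT, init_cookie, resp_cookie, next_payload,
                       version, exchange_type, 0, 0, length)


def _attr(atype, value):
    """Basic (TV) SA attribute: AF bit set, 2-byte type, 2-byte value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def build_sa_payload(auth_method=AUTH_RSA_SIG):
    """SA payload -> one Proposal (PROTO_ISAKMP) -> one Transform (KEY_IKE). Assumed transform set."""
    attrs = b"".join([
        _attr(1, 5),            # encryption algorithm: 3DES-CBC
        _attr(2, 2),            # hash algorithm: SHA1
        _attr(3, auth_method),  # authentication method (3 = RSA signatures, i.e. certificates)
        _attr(4, 2),            # Diffie-Hellman group 2 (MODP-1024)
        _attr(11, 1),           # life type: seconds
        _attr(12, 28800),       # life duration
    ])
    # Transform: next, reserved, length, transform#, transform-id (1 = KEY_IKE), reserved2
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal: next, reserved, length, proposal#, protocol-id (1 = ISAKMP), SPI size 0, 1 transform
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA: next, reserved, length, DOI (1 = IPsec), situation (1 = SIT_IDENTITY_ONLY)
    return struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), 1, 1) + proposal


def build_ikev1_probe(auth_method=AUTH_RSA_SIG, init_cookie=None):
    """HDR, SA: the first Main Mode message. The responder cookie is zero on message 1."""
    init_cookie = init_cookie or os.urandom(8)
    sa = build_sa_payload(auth_method)
    return build_isakmp_header(init_cookie, ZERO_COOKIE, PAYLOAD_SA, EXCH_MAIN_MODE,
                               HEADER_LEN + len(sa)) + sa


def parse_isakmp_header(data):
    if len(data) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"initiator_cookie": f[0], "responder_cookie": f[1], "next_payload": f[2],
            "major_version": f[3] >> 4, "exchange_type": f[4], "flags": f[5],
            "message_id": f[6], "length": f[7]}


def classify_reply(probe, reply):
    """What a reply to our probe says about IKEv1 exposure."""
    hdr = parse_isakmp_header(reply)
    if hdr["initiator_cookie"] != probe[:8]:
        return "unrelated"                 # not a reply to our cookie
    if hdr["major_version"] != 1:
        return "not-ikev1"                 # e.g. an IKEv2 (major version 2) response
    if (hdr["exchange_type"] == EXCH_MAIN_MODE and hdr["next_payload"] == PAYLOAD_SA
            and hdr["responder_cookie"] != ZERO_COOKIE):
        return "ikev1-proposal-accepted"   # Main Mode message 2: IKEv1 is live
    return "ikev1-responded"               # e.g. Informational NO-PROPOSAL-CHOSEN: still speaks IKEv1


def probe_gateway(host, timeout=3.0, port=ISAKMP_PORT):
    """Send one probe and classify the answer. Only use against gateways you are authorized to test."""
    pkt = build_ikev1_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"           # filtered, rate-limited or disabled: not proof on its own
    return classify_reply(pkt, reply)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ikev1_probe.py <gateway-host-or-ip>")
    print(probe_gateway(sys.argv[1]))
```

Read the result as follows: `ikev1-proposal-accepted` or `ikev1-responded` means the gateway still parses IKEv1 on UDP/500 and the IKEv2-only change has not taken effect there; `not-ikev1` or `no-response` is consistent with the mitigation but not proof of it, since a timeout can also come from filtering or rate limiting, and this probe does not cover NAT-T on UDP/4500 or any non-standard transport.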