Check Point says it has fixed a critical vulnerability in its VPN products that has been exploited in ransomware attacks against dozens of organizations worldwide, according to a security advisory published by the company.
The authentication bypass flaw, tracked as CVE-2026-50751 with a CVSS severity score of 9.3/10 (critical), allowed remote threat actors to establish a remote access VPN connection without a valid user password, Check Point reported.
Attack Timeline and Scale
Check Point's VP of Research, Lotem Finkelstein, noted that attacks leveraging this bug started on May 7, 2026 – more than a month before the advisory. In early June, the attacks escalated in volume, drawing the company's attention, and on June 4 Check Point realized it was an actively exploited zero-day.
Finkelstein sought to characterize the attacks as relatively low in volume: "We have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days." He added that in at least one case, the compromise was used to deploy Qilin ransomware.
| Vulnerability Detail | Value |
|---|---|
| CVE ID | CVE-2026-50751 |
| Severity Score | 9.3 (Critical) |
| Flaw Type | Authentication bypass |
| Impact | Remote VPN access without valid password |
| Affected Products | Mobile Access/SSL VPNs, Remote Access VPNs, Spark Firewalls with deprecated IKEv1 |
| Attack Start Date | May 7, 2026 |
| Exploitation Confirmed | June 4, 2026 |
Qilin Ransomware and Infrastructure Targets
Qilin is a major ransomware player that frequently targets critical infrastructure providers. In February 2026, the group added the Transport Workers Union of America (TWU) Local 100 chapter to its data leak site, claiming it had exfiltrated and leaked all stolen data onto the dark web, according to previous reports cited in the advisory.
The bug affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol. Check Point's advisory did not disclose the identities or industries of the victims, but Qilin's history suggests critical infrastructure sectors are at elevated risk.
Mitigation and Response
Check Point urged its customers to apply the provided fixes and to deploy mitigations and other hardening methods as soon as possible. A full list of indicators of compromise (IoCs) has also been made available. The company did not discuss specific victims or attack vectors beyond the authentication bypass.
For enterprise technology decision-makers, especially those in supply chain and logistics that rely on Check Point VPNs for secure remote access, this incident underscores the need for immediate patching. Given Qilin's known targeting of transport unions, logistics companies using Check Point products should prioritize updating affected systems.
Check Point's advisory provides technical details and mitigation steps. Security teams should verify that their Mobile Access/SSL VPN, Remote Access VPN, and Spark Firewall configurations are not using deprecated IKEv1 and are patched against CVE-2026-50751.