Check Point VPN 0-day Vulnerability: What Happened?
The Check Point VPN 0-day vulnerability, tracked as CVE-2026-50751, is making headlines in the cybersecurity community. This critical flaw allows attackers to bypass authentication on Check Point Remote Access VPNs, enabling them to gain unauthorised access to internal systems. Notably, threat actors have been observed exploiting this vulnerability in the wild to deploy Qilin ransomware. The vulnerability affects devices running on Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products, spanning versions R80.20.X through R82.10.
Check Point Research first detected signs of exploitation on 4 June 2026, but analysis traced the earliest attacks back to 7 May 2026. Attackers target VPNs configured with the deprecated IKEv1 protocol, taking advantage of a logic flaw in the certificate validation process. This permits remote, unauthenticated attackers to establish VPN sessions without any valid user passwords.
Why the Check Point VPN 0-day Vulnerability Matters
The Check Point VPN 0-day vulnerability has a CVSS severity rating of 9.3, marking it as critical. Successful exploitation means attackers can bypass all authentication checks and obtain remote access to corporate networks. While gaining this initial access is significant, attackers often need to perform further steps to escalate privileges or reach sensitive resources.
Potential Impact on Organisations
- Deployment of ransomware, specifically the Qilin ransomware, leading to potential data encryption and extortion.
- Possibility of data theft or disruption of operations.
- Risk of attackers using compromised devices as a foothold for lateral movement within the network.
Check Point’s investigation suggests the threat actor is financially motivated and uses the Tox protocol for command-and-control communication—a common tactic among ransomware groups. Furthermore, the infrastructure used by the attackers correlates geographically with victims, indicating a targeted approach.
Related Vulnerability: CVE-2026-50752
During their investigation, Check Point also uncovered CVE-2026-50752, a related vulnerability affecting the same IKEv1 key exchange protocol. This flaw enables man-in-the-middle (MitM) interference on site-to-site VPN communication under certain circumstances. Although not yet observed in active attacks, it carries a high risk and underscores the urgency of addressing IKEv1 vulnerabilities.
Indicators of Compromise (IOCs) Associated with the Attack
Organisations should look out for known indicators of compromise related to the Check Point VPN 0-day vulnerability, including suspicious network activity and file hashes. Nine malicious IP addresses and two MD5 file hashes have been linked to these attacks.
How Organisations Should Respond to the Check Point VPN 0-day
Given the active exploitation of the Check Point VPN 0-day vulnerability, organisations must act swiftly to reduce risk. The following actions are strongly recommended:
- Apply Check Point hotfixes: Ensure all affected Check Point VPN and firewall devices are updated with the latest security patches and hotfixes, especially those related to IKEv1 vulnerabilities.
- Disable IKEv1 protocol: Where possible, disable the deprecated IKEv1 protocol and migrate to newer, more secure alternatives.
- Audit VPN and gateway logs: Review VPN and firewall logs for signs of suspicious activity dating back to at least 7 May 2026. Look for evidence of unusual logins, session establishments, or access attempts from the IOCs listed above.
- Rotate credentials: Change VPN user credentials, especially for any accounts that may have been exposed or used during the compromise window.
- Block known IOCs: Update network defences to block traffic from malicious IP addresses and monitor for the identified file hashes within your environment.
Additionally, organisations should monitor for emerging threat intelligence, as attackers are known to exploit similar vulnerabilities in other VPN solutions, including those from Palo Alto, Fortinet, and F5. Collaboration with incident response teams and external cybersecurity experts can help ensure a thorough investigation and remediation process.
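As an added illustration of the log-audit step above (example code, not from the original report or from Check Point), the script below triages constructed VPN gateway log lines: it flags IKEv1 session establishments on or after 7 May 2026 and any activity from a watchlist of IOC addresses. The key=value log shape, the watchlist addresses and the sample lines are assumptions; substitute the gateway's real log export and the published IOC list.

```python
import ipaddress
from datetime import datetime, timezone

# Start of the exploitation window named in the advisory (7 May 2026).
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Placeholder watchlist (constructed documentation addresses, not real IOCs):
# replace with the IP addresses published alongside the advisory.
IOC_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.77")}

def parse_line(line):
    """Split a constructed 'ts=<ISO8601> src=<ip> proto=<name> event=<text>'
    line into a dict. This key=value shape is assumed for the example and is
    not Check Point's native log format."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def triage(line):
    """Return the reasons a line deserves analyst attention, or [] if none.
    Rules follow the advisory: IKEv1 session establishment inside the compromise
    window, and any activity from a known IOC address regardless of protocol."""
    f = parse_line(line)
    try:
        ts = datetime.fromisoformat(f["ts"])
        src = ipaddress.ip_address(f["src"])
    except (KeyError, ValueError):
        return ["unparseable line"]
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    reasons = []
    if src in IOC_IPS:
        reasons.append("source matches published IOC list")
    if ts >= WINDOW_START and f.get("proto") == "IKEv1" and "established" in f.get("event", ""):
        reasons.append("IKEv1 session established during exploitation window")
    return reasons

def scan(lines):
    """Run triage over log lines and return (line, reasons) pairs for hits only."""
    return [(ln, r) for ln in lines if (r := triage(ln))]

# Constructed sample log lines for demonstration.
SAMPLE_LOGS = [
    "ts=2026-04-30T08:00:00+00:00 src=192.0.2.5 proto=IKEv1 event=session_established",
    "ts=2026-05-09T02:14:00+00:00 src=192.0.2.9 proto=IKEv1 event=session_established",
    "ts=2026-05-12T11:30:00+00:00 src=203.0.113.10 proto=IKEv2 event=auth_failed",
    "ts=2026-05-12T11:31:00+00:00 src=192.0.2.7 proto=IKEv2 event=session_established",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOGS):
        print(line, "->", "; ".join(reasons))
```

A pre-window IKEv1 session is not flagged on its own, so the window start should be moved earlier if the gateway's own logs show earlier suspicious activity.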
Long-term Security Improvements
- Review and update remote access policies regularly.
- Implement multi-factor authentication (MFA) for all VPN access where feasible.
- Conduct regular vulnerability assessments and patch management.
- Ensure all deprecated protocols (such as IKEv1) are identified and replaced across the environment.
By taking these steps, organisations can strengthen their defences against current and future VPN-targeted attacks.
Originally reported by cybersecuritynews.com.