Check Point VPN Zero-Day Exploited by Qilin Ransomware — CISA Orders Federal Patch by June 11

Check Point Research confirmed on June 8 that a zero-day vulnerability in its Remote Access VPN products — tracked as CVE-2026-50751 — is under active exploitation, with at least one confirmed case linked to a Qilin ransomware affiliate. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog the same day and issued a binding directive requiring US federal agencies to apply the available hotfix by June 11 — a 72-hour window that reflects the severity of the threat.
The vulnerability is an authentication bypass affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic error in the certificate validation process, an attacker can establish a fully authenticated VPN session without possessing a valid user password. The connection succeeds at the VPN layer; additional post-connection exploitation is required to reach internal systems, but the initial bypass removes what should be the first hard wall against unauthorized access.
Timeline and Scope
Check Point says it first detected suspicious activity on June 4, 2026, but forensic evidence suggests initial exploitation began as early as May 7. Active exploitation escalated through early June as threat actors recognized the window between discovery and public disclosure. As of the June 8 advisory, exploitation has been confirmed at a few dozen organizations globally. Only one incident has been definitively attributed to post-compromise activity by a Qilin ransomware affiliate — but given Qilin's operational tempo and the low barrier to exploitation, that number is likely to climb.
Qilin is a ransomware-as-a-service operation that has been active since at least 2022 and significantly increased its attack cadence in 2025-2026. The group is known for double extortion — encrypting files while also exfiltrating data for leverage in ransom negotiations. Their affiliates regularly target VPN and remote access infrastructure as an initial access vector, making CVE-2026-50751 a natural fit for their playbook.
A Second Vulnerability Found in the Same Code Path
During its investigation of CVE-2026-50751, Check Point's research team used its BLAST agentic code security platform to conduct an extended audit of the affected VPN components. That review surfaced a second vulnerability: CVE-2026-50752, rated CVSS 7.4. This flaw also resides in the deprecated IKEv1 certificate validation code path and could enable a man-in-the-middle attacker to interfere with site-to-site VPN communications under specific configurations. Check Point has not observed active exploitation of CVE-2026-50752, but has patched it proactively in the same hotfix package.
The IKEv1 protocol was deprecated by the IETF in favor of IKEv2 years ago, and its presence as the root cause of both vulnerabilities underscores a recurring pattern in enterprise security: deprecated protocol support maintained for backward compatibility becomes a durable attack surface. Organizations that have disabled IKEv1 in their Check Point environments are not affected by either CVE.
Affected Products and Hotfixes
The vulnerability affects Check Point products configured with Remote Access VPN or Mobile Access that accept IKEv1 connections or accept legacy Remote Access clients without requiring a machine certificate. Check Point has released hotfixes for all supported product lines. BleepingComputer and SecurityWeek report that the company has also provided mitigations for organizations unable to immediately apply the patch — primarily disabling legacy client acceptance and IKEv1 in the VPN gateway configuration.
Administrators should treat this as an emergency patch, not a scheduled maintenance item. The public availability of a CISA KEV entry and the confirmed ransomware connection mean exploit code is likely to be more broadly shared in threat actor communities within days. Organizations with internet-facing Check Point VPN infrastructure that have not yet applied the hotfix should do so before the weekend.
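As an added example (not code from Check Point, CISA or the original report), the Python below applies the affected-configuration rule described above to a gateway inventory and lists the IKEv1 sessions that started inside the exposure window, from May 7 until each gateway's hotfix went in, so they can be reviewed. The inventory and session field names are hypothetical stand-ins for whatever your own asset and log exports provide, and the sample data is constructed.

```python
from datetime import datetime, timezone
# Earliest exploitation date suggested by the forensic evidence in the article.
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)

def affected_reasons(gw):
    """Reasons a gateway matches the affected configuration ([] if none)."""
    if not (gw["remote_access_vpn"] or gw["mobile_access"]):
        return []
    reasons = []
    if gw["accepts_ikev1"]:
        reasons.append("accepts IKEv1")
    if gw["accepts_legacy_clients"] and not gw["requires_machine_cert"]:
        reasons.append("legacy clients without machine certificate")
    return reasons

def triage(gateways, sessions):
    """Return (gateways still lacking the hotfix, IKEv1 session ids to review)."""
    in_scope = {g["name"]: g for g in gateways if affected_reasons(g)}
    needs_hotfix = sorted(n for n, g in in_scope.items() if g["hotfix_time"] is None)
    review = {name: [] for name in in_scope}
    for s in sessions:
        gw = in_scope.get(s["gateway"])
        if gw is None or s["ike_version"] != 1:
            continue
        start = datetime.fromisoformat(s["start"])
        # A patched gateway was still exposed until its hotfix went in.
        end = datetime.fromisoformat(gw["hotfix_time"]) if gw["hotfix_time"] else None
        if start >= WINDOW_START and (end is None or start < end):
            review[gw["name"]].append(s["id"])
    return needs_hotfix, review

# Constructed sample data: every name, field and timestamp below is hypothetical.
KEYS = ("name", "remote_access_vpn", "mobile_access", "accepts_ikev1",
        "accepts_legacy_clients", "requires_machine_cert", "hotfix_time")
GATEWAYS = [dict(zip(KEYS, row)) for row in (
    ("gw-edge-1", True, False, True, True, False, None),
    ("gw-edge-2", True, False, True, False, True, "2026-06-09T02:00:00+00:00"),
    ("gw-branch", True, True, False, False, True, None),
)]
SESSIONS = [dict(zip(("id", "gateway", "ike_version", "start"), row)) for row in (
    ("s1", "gw-edge-1", 1, "2026-05-03T10:00:00+00:00"),
    ("s2", "gw-edge-1", 1, "2026-05-21T23:40:00+00:00"),
    ("s3", "gw-edge-2", 1, "2026-06-08T04:15:00+00:00"),
    ("s4", "gw-edge-2", 1, "2026-06-10T09:00:00+00:00"),
    ("s5", "gw-edge-2", 2, "2026-05-30T12:00:00+00:00"),
    ("s6", "gw-branch", 1, "2026-05-30T12:00:00+00:00"),
)]

print(triage(GATEWAYS, SESSIONS))
```

Applying the hotfix removes a gateway from the patch list but not from the review list: sessions that began before the hotfix time still fall inside the window.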
Originally reported by BleepingComputer / Check Point Research.