Your Check Point VPN has a zero-day. Qilin ransomware is already using it.

The vulnerability requires no stolen credentials, no phishing, no user interaction. It requires only that your VPN still supports a protocol from 2005.

CVE-2026-50751, disclosed on June 8, is an authentication bypass in Check Point Remote Access VPN and Mobile Access. The root cause: a logic flaw in certificate validation when the deprecated IKEv1 key exchange protocol is enabled. An unauthenticated attacker can establish a full VPN tunnel — no password, no valid certificate. A second vulnerability, CVE-2026-50752, was found during investigation and can enable man-in-the-middle interference on site-to-site VPN connections using the same legacy protocol. Both affect Spark firewalls — Check Point’s product line for small and mid-size businesses and managed service providers. Exploitation began May 7, surged in early June, and at least one confirmed incident ended with Qilin ransomware deployed and Rclone used to exfiltrate data.

The risk is not the CVE score. It is the fix process. A hotfix is available — but full protection requires six manual configuration steps: switching VPN authentication to IKEv2 only, requiring machine certificates, and enabling IPS. None of these are part of the standard firmware update. Your firewall dashboard will show “up to date” while the attack path remains open. This is the same pattern as SonicWall Gen6 in May.

If you own this, do this: Open Check Point Global Properties, go to VPN, Remote Access, and confirm IKEv2 only is enforced. Set Machine Certificate Authentication as mandatory for all remote access connections. Enable IPS on VPN-facing interfaces and apply the hotfix from Check Point’s security advisory.
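Because the dashboard can read "up to date" while IKEv1 is still enabled, traffic captured on the VPN-facing interface is an independent check. The sketch below is an added example, not Check Point tooling: it parses the standard 28-byte IKE header and reports IKEv1 phase 1 messages sent to or by the gateway. The gateway address, the packet tuples and the function names are assumptions made for the illustration.

```python
import struct

# IKE header (RFC 2408 / RFC 7296): same 28-byte layout for IKEv1 and IKEv2.
HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = b"\x00" * 8
V1_EXCHANGES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}

def parse_ike(payload, nat_t=False):
    """Return IKE header fields, or None if the UDP payload is not IKE."""
    if nat_t:  # UDP/4500: IKE is prefixed by a 4-byte zero non-ESP marker
        if payload[:4] != b"\x00" * 4:
            return None  # ESP-in-UDP data, not a key exchange
        payload = payload[4:]
    if len(payload) < HDR.size:
        return None
    i_spi, r_spi, _np, version, exch, _fl, _mid, length = HDR.unpack_from(payload)
    major = version >> 4  # high nibble: 1 = IKEv1, 2 = IKEv2
    if major not in (1, 2) or length < HDR.size:
        return None
    return {"major": major, "exchange": exch, "i_spi": i_spi, "r_spi": r_spi}

def ikev1_findings(packets, gateway_ip):
    """packets: iterable of (src_ip, dst_ip, nat_t, udp_payload) tuples."""
    findings = []
    for src, dst, nat_t, payload in packets:
        hdr = parse_ike(payload, nat_t)
        if hdr is None or hdr["major"] != 1:
            continue
        name = V1_EXCHANGES.get(hdr["exchange"], "exchange-%d" % hdr["exchange"])
        if src == gateway_ip and hdr["exchange"] in (2, 4):
            # The gateway itself sent a phase 1 message: IKEv1 is still enabled.
            findings.append(("gateway-negotiates-ikev1", dst, name))
        elif dst == gateway_ip:
            findings.append(("ikev1-sent-to-gateway", src, name))
    return findings

def _msg(major, exch, i_spi, r_spi=ZERO_SPI):
    # Constructed header-only message for the sample below (no payloads).
    return HDR.pack(i_spi, r_spi, 0, major << 4, exch, 0, 0, HDR.size)

GW = "192.0.2.1"  # assumed gateway address (documentation range)
SAMPLE = [  # constructed packets, not taken from a real capture
    ("198.51.100.7", GW, False, _msg(1, 2, b"A" * 8)),
    (GW, "198.51.100.7", False, _msg(1, 2, b"A" * 8, b"B" * 8)),
    ("203.0.113.9", GW, False, _msg(2, 34, b"C" * 8)),
    ("203.0.113.9", GW, True, b"\x00" * 4 + _msg(1, 4, b"D" * 8)),
    (GW, "203.0.113.9", True, b"\x11" * 40),
]

if __name__ == "__main__":
    for finding in ikev1_findings(SAMPLE, GW):
        print(finding)
```

After the configuration change, a capture taken over a representative period should produce no `gateway-negotiates-ikev1` findings.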

Links for a deeper technical dive are in the comments.