THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-08-F1
CYBER · ransomware threat groups · 2026-06-08SCOOP 74

Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives agencies three days to patch

Check Point confirmed on June 8 that attackers are exploiting CVE-2026-50751, a critical (CVSS 9.3) authentication bypass in the deprecated IKEv1 key exchange used by its Remote Access VPN, Mobile Access/SSL VPN and Quan.

·FILED ISSUE 2026-06-08·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • Check Point released a hotfix June 8 for CVE-2026-50751, a CVSS 9.3 authentication bypass in deprecated IKEv1 affecting Remote Access VPN, Mobile Access and Quantum Spark (R80.20.x-R82.10)
  • A certificate-validation logic flaw lets attackers establish VPN sessions without a valid user password
  • Exploitation began as early as May 7, 2026 and hit a few dozen organizations globally
  • One confirmed incident showed Qilin ransomware affiliate activity including Rclone exfiltration and Tox communications
  • CISA added the flaw to KEV on June 8 with a three-day FCEB deadline of June 11

VERDICT — CONFIRMED

curated-2src confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives agencies th
Help Net Security

Check Point confirmed on June 8 that attackers are exploiting CVE-2026-50751, a critical (CVSS 9.3) authentication bypass in the deprecated IKEv1 key exchange used by its Remote Access VPN, Mobile Access/SSL VPN and Quantum Spark firewalls, and released an emergency hotfix. The logic flaw in certificate validation allows attackers to establish remote-access VPN sessions without a valid user password on gateway versions R80.20.x through R82.10.

Exploitation began as early as May 7 and intensified in early June, with a few dozen organizations targeted globally as of publication. Help Net Security reported that one confirmed incident involved post-compromise activity consistent with Qilin ransomware operations, including data exfiltration using Rclone and communications over the Tox protocol.

CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day, giving federal civilian agencies just three days — until June 11 — to secure devices, one of its tightest KEV deadlines. Check Point also patched CVE-2026-50752, a related man-in-the-middle weakness (CVSS 7.4) in IKEv1 certificate validation with no observed exploitation, and urged customers to audit logs back to May 7 using guidance in support articles SK185033 and SK185035.

Why it matters

a month-old zero-day in a deprecated VPN protocol feeding directly into Qilin ransomware intrusions explains the three-day federal patch order — edge gateways running legacy crypto are now the fastest route from the internet to an encryption event.

Key facts on file

  • Check Point released a hotfix June 8 for CVE-2026-50751, a CVSS 9.3 authentication bypass in deprecated IKEv1 affecting Remote Access VPN, Mobile Access and Quantum Spark (R80.20.x-R82.10)
  • A certificate-validation logic flaw lets attackers establish VPN sessions without a valid user password
  • Exploitation began as early as May 7, 2026 and hit a few dozen organizations globally
  • One confirmed incident showed Qilin ransomware affiliate activity including Rclone exfiltration and Tox communications
  • CISA added the flaw to KEV on June 8 with a three-day FCEB deadline of June 11

PRIMARY SOURCE

Check Point (official blog)
— (2026-06-08) · fetched at filing · archived at publication

Sources · two-source rule

PRIMARYCheck Point (official blog)— (2026-06-08)
CORROB.Help Net Security— (2026-06-08)
CORROB.Rapid7— (2026-06-08)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-08-f1 · filed 2026-06-08 · https://thedwire.com/wire/cyb-2026-06-08-f1-qilin-affiliate-exploited-check-point-vpn-zero-day-since.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in &
Security Affairs
CYBER · SCOOP 64

ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in 'Pay-or-Leak' Extortion

The extortion group ShinyHunters published approximately 234 GB of data stolen from dental-benefits administrator DentaQuest, a subsidiary of Sun Life Financial, in a 'pay-or-leak' scheme, impacting roughly 2.6 million individuals. ShinyHunters posted DentaQuest to its Tor leak site in May 2026 and released the data after negotiations rep

✓ verified
READ THE FILE ›
CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash fi
Cybersecurity News
CYBER · SCOOP 56

CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash file-transfer servers

CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw under active exploitation, to its Known Exploited Vulnerabilities catalog late Friday, ordering federal civilian agencies to remediate by June 19 under Binding Operational Directive 22-01 as coverage spread through the weekend. The uncontrolled resource consumption bug

✓ verifiednewSOURCE ↗
READ THE FILE ›
Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root
CYBER · SCOOP 82

Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root on Catalyst SD-WAN Manager; no patch

Cisco disclosed CVE-2026-20245 on June 5, 2026, a privilege-escalation/command-injection zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager, the seventh SD-WAN zero-day Cisco has confirmed exploited in 2026. The flaw stems from insufficient validation of user-supplied input: an authenticated attacker holding 'netadmin

✓ verifiedSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.