Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives agencies three days to patch
Check Point confirmed on June 8 that attackers are exploiting CVE-2026-50751, a critical (CVSS 9.3) authentication bypass in the deprecated IKEv1 key exchange used by its Remote Access VPN, Mobile Access/SSL VPN and Quan.
At a glance
- Check Point released a hotfix June 8 for CVE-2026-50751, a CVSS 9.3 authentication bypass in deprecated IKEv1 affecting Remote Access VPN, Mobile Access and Quantum Spark (R80.20.x-R82.10)
- A certificate-validation logic flaw lets attackers establish VPN sessions without a valid user password
- Exploitation began as early as May 7, 2026 and hit a few dozen organizations globally
- One confirmed incident showed Qilin ransomware affiliate activity including Rclone exfiltration and Tox communications
- CISA added the flaw to KEV on June 8 with a three-day FCEB deadline of June 11
VERDICT — CONFIRMED
Check Point confirmed on June 8 that attackers are exploiting CVE-2026-50751, a critical (CVSS 9.3) authentication bypass in the deprecated IKEv1 key exchange used by its Remote Access VPN, Mobile Access/SSL VPN and Quantum Spark firewalls, and released an emergency hotfix. The logic flaw in certificate validation allows attackers to establish remote-access VPN sessions without a valid user password on gateway versions R80.20.x through R82.10.
Exploitation began as early as May 7 and intensified in early June, with a few dozen organizations targeted globally as of publication. Help Net Security reported that one confirmed incident involved post-compromise activity consistent with Qilin ransomware operations, including data exfiltration using Rclone and communications over the Tox protocol.
CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day, giving federal civilian agencies just three days — until June 11 — to secure devices, one of its tightest KEV deadlines. Check Point also patched CVE-2026-50752, a related man-in-the-middle weakness (CVSS 7.4) in IKEv1 certificate validation with no observed exploitation, and urged customers to audit logs back to May 7 using guidance in support articles SK185033 and SK185035.
Why it matters
a month-old zero-day in a deprecated VPN protocol feeding directly into Qilin ransomware intrusions explains the three-day federal patch order — edge gateways running legacy crypto are now the fastest route from the internet to an encryption event.
Key facts on file
- Check Point released a hotfix June 8 for CVE-2026-50751, a CVSS 9.3 authentication bypass in deprecated IKEv1 affecting Remote Access VPN, Mobile Access and Quantum Spark (R80.20.x-R82.10)
- A certificate-validation logic flaw lets attackers establish VPN sessions without a valid user password
- Exploitation began as early as May 7, 2026 and hit a few dozen organizations globally
- One confirmed incident showed Qilin ransomware affiliate activity including Rclone exfiltration and Tox communications
- CISA added the flaw to KEV on June 8 with a three-day FCEB deadline of June 11


