CISA gives federal agencies 3 days to patch Check Point VPN zero-day tied to Qilin ransomware
CISA ordered all Federal Civilian Executive Branch agencies to remediate CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN, Mobile Access/SSL VPN and Spark gateways, by end of day June 11 .
At a glance
- CISA added CVE-2026-50751 (CVSS 9.3) to the KEV catalog on June 8, 2026 with a June 11, 2026 remediation deadline for federal civilian agencies
- The authentication bypass affects Check Point Remote Access VPN, Mobile Access/SSL VPN and Spark gateways using the deprecated IKEv1 protocol
- Check Point released hotfixes June 8, 2026 and linked at least one intrusion to a Qilin ransomware affiliate
- Exploitation began May 7, 2026, surged in early June; 'a few dozen' organizations compromised globally
- Qilin has claimed more than 400 victims since August 2022; ZeroFox counted 15 new Qilin victims across nine countries June 2-5, 2026
VERDICT — CONFIRMED
CISA ordered all Federal Civilian Executive Branch agencies to remediate CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN, Mobile Access/SSL VPN and Spark gateways, by end of day June 11 — a three-day deadline far shorter than typical Known Exploited Vulnerabilities remediation windows. The flaw, rated CVSS 9.3 and rooted in a certificate-validation logic error in deployments using the deprecated IKEv1 key exchange protocol, lets unauthenticated remote attackers establish VPN sessions without valid credentials.
Check Point released hotfixes on June 8 and linked at least one intrusion to an affiliate of the Qilin ransomware-as-a-service operation; exploitation began May 7, 2026 and surged in early June, with 'a few dozen' organizations compromised globally, per TechCrunch and BleepingComputer. CISA added the bug to its KEV catalog on June 8 alongside LiteLLM RCE flaw CVE-2026-42271, stating that 'this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks' to federal systems.
Qilin, active since August 2022 with more than 400 claimed victims, is 2026's most prolific ransomware operation; ZeroFox counted 15 new Qilin victims across nine countries between June 2 and June 5 alone.
Why it matters
a three-day federal patch deadline signals CISA assesses imminent, broad exploitation risk to government VPN edge infrastructure — the same initial-access vector class behind the worst enterprise compromises of 2024-25.
Key facts on file
- CISA added CVE-2026-50751 (CVSS 9.3) to the KEV catalog on June 8, 2026 with a June 11, 2026 remediation deadline for federal civilian agencies
- The authentication bypass affects Check Point Remote Access VPN, Mobile Access/SSL VPN and Spark gateways using the deprecated IKEv1 protocol
- Check Point released hotfixes June 8, 2026 and linked at least one intrusion to a Qilin ransomware affiliate
- Exploitation began May 7, 2026, surged in early June; 'a few dozen' organizations compromised globally
- Qilin has claimed more than 400 victims since August 2022; ZeroFox counted 15 new Qilin victims across nine countries June 2-5, 2026
- The same KEV update added LiteLLM RCE flaw CVE-2026-42271

