Check Point warns of critical VPN authentication vulnerability

Check Point Research has discovered an actively exploited authentication vulnerability in Remote Access VPN and Mobile Access environments that use the outdated IKEv1 protocol. Due to a certificate validation flaw, an attacker can log in without a valid password. An affiliate of the Qilin ransomware group has already been implicated in at least one incident.

Check Point Research launched an investigation on June 4, 2026, following indications of suspicious activity. That investigation revealed an actively exploited vulnerability: CVE-2026-50751. The flaw resides in the VPN Remote Access and Mobile Access functionality of Check Point products when configured with the outdated IKEv1 key exchange protocol.

Due to a logic flaw in the certificate validation, an attacker can establish a remote VPN session without a valid password. After gaining that initial access, additional steps are required to access internal resources or escalate privileges. The first known attack attempts date back to May 7, 2026, but activity clearly increased in early June.

Qilin ransomware already identified in one incident

So far, exploitation attempts have been limited to a few dozen organizations worldwide. However, in one case, actual post-compromise activity was observed following initial access, which is attributed to an affiliate of the Qilin ransomware group.

Check Point assesses with moderate confidence that the actor behind the attacks is financially motivated. The group uses the Tox protocol for communication—a pattern commonly seen among ransomware actors—and leverages dedicated virtual private server infrastructure from providers such as Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. The geolocation of the VPS servers used sometimes corresponds to the location of the victim organizations. For example, attacks on organizations in Taiwan also utilized infrastructure hosted in Taiwan.

Qilin is one of the most active ransomware groups in 2026. According to Check Point Research, Qilin recorded more victims in Q1 2026 than the bottom fifty ransomware groups combined. Security researchers at MoxFive have already documented more than five hundred Qilin victims in 2026.

Second vulnerability discovered via AI platform BLAST

During the investigation into CVE-2026-50751, Check Point Research conducted an extensive analysis using BLAST, its proprietary agent-based application security platform. This led to the discovery of a second vulnerability: CVE-2026-50752. This vulnerability also relates to certificate validation in the outdated IKEv1 protocol and, under specific circumstances, could enable man-in-the-middle attacks on site-to-site VPN communications.

No active exploitation of CVE-2026-50752 has been observed yet. Nevertheless, Check Point advises customers to install the available updates for this vulnerability as well. Check Point assesses that the threat actor behind CVE-2026-50751 is also exploiting VPN vulnerabilities in products from other vendors, including Palo Alto Networks, Fortinet, and F5.