CISA adds Check Point VPN bug to list of exploited vulnerabilities

Vulnerability Management, Patch/Configuration Management

The Cybersecurity and Infrastructure Security Agency (CISA) has added a Check Point Remote Access VPN and Mobile Access authentication bypass bug, exploited in the wild since May 7, to its Known Exploited Vulnerabilities (KEV) catalog.

CISA said the CVSS 9.3 flaw, CVE-2026-50751, lets unauthenticated remote attackers bypass user authentication and establish a remote access VPN connection without a valid user password. The agency gave federal agencies until June 11 to patch the bug.

Check Point, which patched the flaw on June 8, said exploitation has been limited to a few dozen targeted organizations globally. However, the Israeli cybersecurity vendor said one case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate.

"This is a patch-now — not patch-soon — vulnerability," said Matthew Hartman, chief strategy officer at the Merlin Group. "CVE-2026-50751 allows attackers to establish a Check Point VPN session without valid credentials under certain configurations, effectively giving them a path through the organization's front door, and a Qilin ransomware affiliate has already been linked to post-compromise activity."

Hartman said the critical detail is that exploitation reportedly began about a month before Check Point released patches, so updating closes the door but does not answer whether an attacker already got in.

"Organizations running affected deployments should patch immediately, review VPN logs for suspicious access dating back to early May, and hunt for signs of lateral movement," said Hartman.

Denis Calderone, principal and CTO at Suzu Labs, said we're very much in a "patch now" situation. CISA's June 11 remediation deadline is one of the shortest we've seen, he said, which reflects that CVE-2026-50751 is an actively exploited authentication bypass affecting Check Point VPN deployments.

What makes this case particularly notable, Calderone said, is that the vulnerability only affects deployments still running the deprecated IKEv1 key exchange protocol. IKEv1 has been retired for years, but many organizations leave it enabled for backward compatibility; that backward compatibility, Calderone explained, effectively became an attack path.

"This follows a broader pattern we've seen across major VPN vendors over the past year, where attackers are systematically targeting internet-facing remote access infrastructure," said Calderone.

Calderone said teams should immediately apply Check Point's Hotfix 1, disable IKEv1, and enforce IKEv2 for remote access VPN connections. Security teams should also use this as an opportunity to identify and eliminate other deprecated protocols and legacy services that remain enabled in production environments, because those often become the easiest path for attackers to exploit.

John Strand, owner of Black Hills Information Security, Inc., added that these are exactly the types of vulnerabilities CISOs should worry about: not just the ones that will be discovered tomorrow, but the ones already sitting in their backlog today.

"In the age of AI systems like Mythos and whatever comes after it, finding a vulnerability is only part of the equation," said Strand. "The process of developing reliable exploits is becoming increasingly automated, which means unpatched vulnerabilities are likely to become far more dangerous than they were in the past."
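As an added illustration of the log review that Hartman and Calderone recommend (example code written for this page, not Check Point's tooling and not anything from the article or the people quoted in it), the Python below scans constructed VPN gateway log lines for accepted IKEv1 sessions inside the May 7 to June 8 exploitation window and lists which users still negotiate IKEv1. The key=value log format, the field names, the user names and the addresses are all assumptions made for the example; only the two dates come from the article.

```python
"""Hunt over VPN gateway logs for IKEv1 sessions worth reviewing after an
authentication bypass in the IKEv1 path. The log layout is hypothetical."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log (not real Check Point output; the key=value layout
# is an assumption made for this example). One line per IKE negotiation.
SAMPLE_LOG = """\
2026-04-28T08:12:03Z user=alice src=198.51.100.7 ike=IKEv2 result=accept
2026-05-02T19:40:11Z user=bob src=203.0.113.9 ike=IKEv1 result=accept
2026-05-09T02:14:55Z user=bob src=192.0.2.45 ike=IKEv1 result=accept
2026-05-10T03:01:17Z user=svc-backup src=192.0.2.45 ike=IKEv1 result=accept
2026-05-15T09:30:00Z user=alice src=198.51.100.7 ike=IKEv2 result=accept
2026-05-20T23:58:41Z user=carol src=192.0.2.77 ike=IKEv1 result=reject
2026-06-09T11:05:22Z user=bob src=192.0.2.45 ike=IKEv1 result=accept
"""

# Dates from the article: exploitation observed from May 7, fix released June 8.
EXPLOITATION_START = datetime(2026, 5, 7, tzinfo=timezone.utc)
PATCH_RELEASED = datetime(2026, 6, 8, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Session:
    ts: datetime
    user: str
    src: str
    ike: str
    result: str


def parse_log(text: str) -> list[Session]:
    """Parse the hypothetical key=value log format into Session records, oldest first."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        sessions.append(Session(ts, kv["user"], kv["src"], kv["ike"], kv["result"]))
    return sorted(sessions, key=lambda s: s.ts)


def hunt(sessions, window_start=EXPLOITATION_START, window_end=PATCH_RELEASED):
    """Return (session, reasons) for accepted IKEv1 sessions inside the window.

    Beyond "ikev1-in-window", a session is tagged when the user had never
    connected from that source before the window opened, or when the source
    was shared by several users during the window (one operator hopping accounts).
    """
    # Baseline: source addresses each user used before exploitation began.
    baseline = defaultdict(set)
    for s in sessions:
        if s.ts < window_start and s.result == "accept":
            baseline[s.user].add(s.src)

    in_window = [s for s in sessions
                 if window_start <= s.ts < window_end
                 and s.ike == "IKEv1" and s.result == "accept"]

    users_per_src = defaultdict(set)
    for s in in_window:
        users_per_src[s.src].add(s.user)

    findings = []
    for s in in_window:
        reasons = ["ikev1-in-window"]
        if s.src not in baseline[s.user]:
            reasons.append("src-unseen-before-window")
        if len(users_per_src[s.src]) > 1:
            reasons.append("src-shared-by-multiple-users")
        findings.append((s, reasons))
    return findings


def ikev1_users(sessions) -> list[str]:
    """Users with any accepted IKEv1 session: the migration list for IKEv2."""
    return sorted({s.user for s in sessions if s.ike == "IKEv1" and s.result == "accept"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for s, reasons in hunt(recs):
        print(f"{s.ts.isoformat()} {s.user:<12} {s.src:<14} {', '.join(reasons)}")
    print("still negotiating IKEv1:", ", ".join(ikev1_users(recs)))
```

Real gateways log differently, so the parser is the part to swap out; the pipeline is the point: build a per-user baseline of source addresses from before the window, flag in-window IKEv1 sessions from addresses that user never used before, and treat one address authenticating as several accounts as a strong signal for follow-up lateral-movement hunting. On the sample data, the two sessions from 192.0.2.45 are flagged on both counts, and bob and svc-backup come out as the accounts still negotiating IKEv1.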
