Critical Check Point VPN Vulnerability Exploited for Authentication Bypass

Check Point has reported active exploitation of a significant vulnerability in its VPN products, allowing attackers to bypass authentication requirements in specific configurations.

Check Point has issued a warning regarding the active exploitation of a critical vulnerability affecting its Remote Access VPN and Mobile Access deployments. This flaw, identified as CVE-2026-50751 with a CVSS score of 9.3, arises from a logic flaw in certificate validation. It enables unauthenticated remote attackers to bypass user authentication and establish a VPN connection without a valid password.

According to Check Point, “By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements.” However, additional actions are necessary post-authentication to access internal resources or escalate privileges.

Affected Products and Versions

The vulnerability impacts several products and versions, including:

  • Security Gateways R82.10 Jumbo Hotfix Take 19 or below
  • R82 Jumbo Hotfix Take 103 or below
  • R81.20 Jumbo Hotfix Take 141 or below
  • R81.10 (EOS)
  • R81 (EOS)
  • R80.40 (EOS)
  • Spark Firewalls: R80.20.X (EOS), R81.10.X, and R82.00.X

Successful exploitation requires specific conditions: VPN Remote Access or Mobile Access must be enabled, IKEv1 must be active for remote access, gateways must accept legacy Remote Access clients, and they must not require a machine certificate for connections.
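The affected-version list and the four preconditions above can be turned into a fleet triage check. The following is an added example, not Check Point tooling or code from the article: the inventory rows and column names are constructed, and a setting that is unknown is flagged for review rather than assumed safe.

```python
import csv, io

# Highest affected Jumbo Hotfix Take per release, as listed in the article.
AFFECTED_MAX_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
AFFECTED_EOS = {"R81.10", "R81", "R80.40"}          # end-of-support, affected at any take
SPARK_TRAINS = ("R80.20.", "R81.10.", "R82.00.")    # Spark Firewall release trains

# Constructed inventory; column names are hypothetical, not a Check Point export format.
INVENTORY = """\
name,product,release,take,ra_or_mob,ikev1,legacy_clients,machine_cert_required
gw-a,gateway,R81.20,120,yes,yes,yes,no
gw-b,gateway,R81.20,150,yes,yes,yes,no
gw-c,gateway,R82,90,yes,no,yes,no
gw-d,gateway,R81.10,,yes,yes,,no
sp-e,spark,R81.10.15,,yes,yes,yes,yes
"""

def version_affected(product, release, take):
    if product == "spark":
        return release.startswith(SPARK_TRAINS)
    if release in AFFECTED_EOS:
        return True
    limit = AFFECTED_MAX_TAKE.get(release)
    # A missing take means no Jumbo Hotfix is recorded: treat it as below the limit.
    return limit is not None and (take is None or take <= limit)

def flag(value):
    return {"yes": True, "no": False}.get(value.strip().lower())  # None = unknown

def triage(row):
    take = int(row["take"]) if row["take"] else None
    if not version_affected(row["product"], row["release"], take):
        return "version not listed as affected"
    # Each entry is True when that exploitation precondition holds.
    pre = [flag(row["ra_or_mob"]), flag(row["ikev1"]), flag(row["legacy_clients"])]
    cert = flag(row["machine_cert_required"])
    pre.append(None if cert is None else not cert)
    if False in pre:
        return "affected version, preconditions not met"
    if None in pre:
        return "affected version, configuration needs review"
    return "exposed"

def triage_inventory(text=INVENTORY):
    return {r["name"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for name, status in triage_inventory().items():
        print(f"{name}: {status}")
```

A gateway reported as "preconditions not met" still runs a version the article lists as affected, so it stays on the list for whatever fix or mitigation Check Point provides.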

Timeline of Exploitation

Check Point first detected suspicious activity on June 4, 2026, with indications of exploitation dating back to May 7, 2026. The company noted that exploitation efforts have intensified this month, affecting a limited number of targeted organizations globally.

In one instance, the post-exploitation phase was linked to a Qilin ransomware affiliate. Check Point indicated that the threat actor’s infrastructure is also exploiting other VPN-related vulnerabilities from various vendors, including Palo Alto Networks and Fortinet.

Additional Vulnerabilities and Mitigations

Further investigation of the affected VPN components revealed a second vulnerability, CVE-2026-50752, which has a CVSS score of 7.40. This flaw may allow for an adversary-in-the-middle (AitM) attack on VPN site-to-site connections, although there is currently no evidence of its exploitation in real-world scenarios.

Check Point Research stated, “To the best of our knowledge to date, there is no indication the vulnerability was broadly available to other threat actors. The activity is clearly opportunistic and targets vulnerable organizations rather than characterized one.” This highlights the need for organizations to review their configurations and apply necessary mitigations.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
