Check Point Urges VPN Zero-Day Patch After Month Of Attacks By Ransomware Affiliate

Check Point is urging customers to patch a critical authentication bypass in its VPN products after finding it exploited in the wild, with one case tied to a Qilin ransomware affiliate.

Published on Jun 9, 2026

Check Point has warned of active exploitation of a critical authentication bypass in its Remote Access VPN and Mobile Access products, tracked as CVE-2026-50751, and has released hotfixes that customers are urged to apply immediately. The flaw carries a CVSS score of 9.3.

By exploiting a logic flaw in certificate validation, a remote attacker can establish a VPN session without a valid password, bypassing authentication entirely. Reaching internal resources or escalating privileges requires further activity once inside, but the initial foothold needs no credentials.

Crucially, the flaw affects only deployments configured to use IKEv1, a deprecated key exchange protocol still supported by Check Point for legacy remote access clients.

The vulnerable products include Mobile Access and SSL VPN, Remote Access VPN, and the company’s Spark firewalls, across versions from R80.20 through R82.10.

A Month of Quiet Exploitation

Check Point began investigating on June 4 after spotting suspicious activity, and traced the earliest exploitation back to May 7, meaning attackers had a roughly month-long head start before the issue surfaced publicly.

Attempts increased sharply in early June. The company said exploitation has so far been limited to a few targeted organizations worldwide.

In one confirmed case, Check Point observed post-compromise activity it assessed with medium confidence as the work of a financially motivated actor using Qilin ransomware.

The same actor infrastructure is believed to be exploiting other VPN vulnerabilities previously disclosed by vendors including Palo Alto Networks, Fortinet, and F5.

The investigation also surfaced a second, lower-severity flaw, CVE-2026-50752, which Check Point identified using its agentic AI code-analysis platform and has not seen exploited.

It echoes a wider trend of AI-based tools accelerating vulnerability discovery, seen recently in Google’s threat intelligence work and Microsoft’s AI bug-hunting research.

What to Do Now

CISA has added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog, urging all organizations to prioritize remediation. Organizations running affected versions should apply Check Point’s hotfix as the priority.

For those that cannot patch immediately, Check Point’s advisory offers three alternative mitigations, any one of which closes the exposure: removing support for legacy remote access clients, setting Remote Access VPN authentication to IKEv2 only, or making machine-certificate authentication mandatory. 

Because exploitation predates public disclosure by a month, the company advises reviewing VPN logs from at least May 7 onward, and has published indicators of compromise to help responders hunt for past intrusions.