Critical Vulnerability

Critical Check Point VPN Flaw Exploited to Bypass Passw

Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protoco

What Happened

Check Point has issued an urgent advisory warning that a critical vulnerability, tracked as CVE-2026-50751, is being actively exploited against Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 key exchange protocol. The flaw allows an unauthenticated attacker to bypass password authentication entirely, gaining unauthorized network access. The advisory follows confirmed exploitation in the wild, with security teams observing attempts to leverage the bypass for lateral movement and data exfiltration.

Check Point has released patches and strongly recommends disabling IKEv1 where possible.

Why It Matters

IKEv1 has been officially deprecated for years, yet it remains widely deployed for backwards compatibility in enterprise VPN gateways. This vulnerability enables a complete authentication bypass - no password guessing, no credential theft required. For organizations using Check Point VPN with IKEv1 enabled, the exploit effectively removes the primary access control barrier. Attackers can establish VPN tunnels as any valid user, bypassing MFA if the authentication flow depends on IKEv1 credentials. This represents a direct threat to network segmentation and remote access security postures globally.

Technical Details

CVE-2026-50751 resides in the IKEv1 implementation within Check Point’s Security Gateway software. The flaw permits an attacker to craft a malicious IKEv1 packet that causes the VPN module to skip password validation during the authentication phase. The attack is executed by sending a specially crafted IKE_SA_INIT request and subsequent IKE_AUTH packet that manipulates the state machine to accept the connection without proper credential verification. No authentication headers, cookies, or pre-existing session are required - the exploit is entirely pre-authentication. Affected systems include all Remote Access VPN and Mobile Access deployments using IKEv1 on any firmware version prior to the patch.

Indicators of compromise (IOCs) include anomalous IKEv1 negotiation logs showing successful authentication without corresponding LDAP or RADIUS requests, and VPN session logs with unexpected user-agent strings or source IP addresses. Organizations should monitor for VPN connections from IPs not associated with known users, especially those with administrative privileges.
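The first indicator above, an IKEv1 login that succeeds with no corresponding LDAP or RADIUS request, can be checked by correlating gateway logs with authentication-server logs. The following is an added example, not code from Check Point or the original article; the event schema, field names and sample records are constructed, and the 30-second window, 5-second clock skew and one-request-per-login rule are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not Check Point's log format); IPs are documentation ranges.
VPN_EVENTS = [
    {"ts": "2026-01-10T08:00:05", "user": "alice", "src_ip": "198.51.100.7", "ike": 1, "result": "success"},
    {"ts": "2026-01-10T08:00:20", "user": "alice", "src_ip": "203.0.113.77", "ike": 1, "result": "success"},
    {"ts": "2026-01-10T08:03:40", "user": "svc-admin", "src_ip": "203.0.113.50", "ike": 1, "result": "success"},
    {"ts": "2026-01-10T08:05:00", "user": "bob", "src_ip": "198.51.100.9", "ike": 2, "result": "success"},
    {"ts": "2026-01-10T08:06:00", "user": "carol", "src_ip": "198.51.100.12", "ike": 1, "result": "failure"},
]
BACKEND_REQUESTS = [  # constructed RADIUS/LDAP requests as seen by the auth servers
    {"ts": "2026-01-10T08:00:03", "user": "Alice", "source": "radius"},
    {"ts": "2026-01-10T08:04:58", "user": "bob", "source": "ldap"},
]


def unbacked_ikev1_logins(vpn_events, backend_requests, before_s=30, skew_s=5):
    """Return successful IKEv1 logins that have no matching backend auth request.

    A request matches when it is for the same user (case-insensitive) and falls
    between before_s seconds before and skew_s seconds after the VPN success.
    Each request backs only one login, so a second session opened right after
    a legitimate one is still reported.
    """
    pending = {}
    for req in backend_requests:
        pending.setdefault(req["user"].lower(), []).append(datetime.fromisoformat(req["ts"]))
    findings = []
    for ev in sorted(vpn_events, key=lambda e: e["ts"]):
        if ev["ike"] != 1 or ev["result"] != "success":
            continue  # only successful IKEv1 negotiations are of interest
        t = datetime.fromisoformat(ev["ts"])
        lo, hi = t - timedelta(seconds=before_s), t + timedelta(seconds=skew_s)
        candidates = pending.get(ev["user"].lower(), [])
        match = next((r for r in sorted(candidates) if lo <= r <= hi), None)
        if match is None:
            findings.append(ev)
        else:
            candidates.remove(match)  # consume the request so it cannot back another login
    return findings


if __name__ == "__main__":
    for hit in unbacked_ikev1_logins(VPN_EVENTS, BACKEND_REQUESTS):
        print(f'{hit["ts"]} IKEv1 login for {hit["user"]} from {hit["src_ip"]}: no RADIUS/LDAP request')
```

On real data, the window and skew need tuning to the gateway's and authentication servers' clock alignment before the output is used for alerting.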

Immediate Risk

The risk is critical for any organization with IKEv1 enabled on Check Point VPN gateways. Exploitation requires no user interaction and no prior access. The window for attack is narrow but immediate - Check Point’s patch is out, but exploitation is confirmed in the wild. Unpatched gateways are at high risk of compromise, particularly those exposed to the internet. Organizations should treat this as an emergency patching priority. If patching cannot be completed immediately, disable IKEv1 as a temporary mitigation. Note that this does not affect IKEv2 configurations, which are recommended as a secure alternative.

Security Insight

The exploitation of CVE-2026-50751 mirrors the attack pattern seen in CVE-2023-46805 (Ivanti VPN authentication bypass), where a legacy protocol feature was weaponized against modern security architecture. The common defensive failure is maintaining deprecated protocol support for “operational continuity” without compensating controls. The actionable takeaway is not just to patch, but to systematically audit all VPN profiles for legacy protocol usage - including IKEv1, PPTP, and L2TP - and require IKEv2 with strong cryptography for all remote access. This incident also highlights a gap in many change management processes: deprecation notices from vendors are often filed away without action. Security teams should schedule quarterly reviews of vendor deprecation timelines and build automated alerts when deprecated features remain enabled in production.
