IKEv1 VPN Flaw Bypasses Passwords, Linked to Qilin Ransomware
Check Point warns CVE-2026-50751 in IKEv1 VPNs lets unauthenticated actors bypass user passwords to create remote VPN sessions; activity tied to a Qilin ransomware affiliate.
Check Point has warned that attackers are actively exploiting a certificate-validation flaw in IKEv1-based remote access and mobile VPN deployments. Tracked as CVE-2026-50751 and scored 9.3, the vulnerability lets an unauthenticated actor establish a VPN session without a valid user password.
In its advisory, Check Point wrote, “By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements.” The company added that additional post-authentication actions are required to access internal resources or escalate privileges.
The root cause is a logic flaw in certificate validation that bypasses user authentication. Successful exploitation requires that Remote Access or Mobile Access is enabled, IKEv1 is allowed for remote access, gateways accept legacy remote access clients, and gateways do not require a machine certificate for connections.
Affected products include multiple Security Gateway and Spark Firewall releases. Examples listed by the vendor include Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, and end-of-support R81.10, R81 and R80.40. Spark Firewall releases cited include R80.20.X, R81.10.X and R82.00.X. The advisory provides version details for administrators to check.
Check Point first observed suspicious activity on June 4, 2026, and traced the earliest exploitation to May 7, 2026. Exploitation attempts increased starting in June 2026 and have been limited to a few dozen targeted organizations worldwide. In at least one incident the initial access was used in ransomware activity linked to a Qilin affiliate.
Investigators found indicators that the attacker infrastructure is also being used to probe VPN vulnerabilities from other vendors and that the actors may use the Tox protocol for communications. The campaigns used virtual private servers geolocated to the target country and attempted to download malicious ELF binaries from actor-controlled servers after initial access.
A second issue, CVE-2026-50752 with a CVSS score of 7.4, was identified in affected VPN components. That flaw could enable an adversary-in-the-middle attack against site-to-site VPN connections; there is no evidence it has been exploited in the wild.
The advisory urges administrators to review gateway settings for IKEv1 support, legacy client acceptance and machine certificate requirements and to consult the published version list to determine exposure and apply available mitigations.
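The review the advisory asks for can be run across a gateway inventory by combining the version ranges with the four exploitation preconditions. The Python below is an added example, not code from Check Point or its advisory: the record field names and the sample inventory are constructed, and the version table holds only the thresholds quoted in this article, so the vendor's published list remains the authority.

```python
# Constructed example: field names and inventory records are hypothetical.
# Take thresholds ("or below") are the ones the article quotes; the vendor
# advisory has the full list, so this table is partial.
MAX_AFFECTED_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
END_OF_SUPPORT = {"R81.10", "R81", "R80.40"}        # affected at any take
SPARK_TRAINS = ("R80.20.", "R81.10.", "R82.00.")    # Spark Firewall release trains

# Value each setting must have for exploitation to be possible.
PRECONDITIONS = {
    "remote_or_mobile_access": True,
    "ikev1_remote_access": True,
    "legacy_clients_accepted": True,
    "machine_cert_required": False,
}

def version_listed(gw):
    """True if the record's release falls in a range the article lists."""
    version, take = gw["version"], gw.get("take")
    if gw["product"] == "spark":
        return version.startswith(SPARK_TRAINS)
    if version in END_OF_SUPPORT:
        return True
    limit = MAX_AFFECTED_TAKE.get(version)
    # An unknown take on a listed release is treated as affected.
    return limit is not None and (take is None or take <= limit)

def triage(gw):
    """Return (status, blocking_settings) for one gateway record."""
    if not version_listed(gw):
        return "not-listed", []
    # A setting blocks exploitation only if it is known and differs from the
    # precondition; missing settings count as exposed (conservative).
    blocking = [k for k, v in PRECONDITIONS.items() if k in gw and gw[k] != v]
    return ("config-blocks" if blocking else "exposed"), blocking

INVENTORY = [  # constructed sample records
    {"name": "gw-a", "product": "gateway", "version": "R81.20", "take": 120, **PRECONDITIONS},
    {"name": "gw-b", "product": "gateway", "version": "R82", "take": 110, **PRECONDITIONS},
    {"name": "gw-c", "product": "gateway", "version": "R80.40", **PRECONDITIONS,
     "ikev1_remote_access": False},
    {"name": "spark-d", "product": "spark", "version": "R81.10.15"},
]

def report(inventory=INVENTORY):
    return {gw["name"]: triage(gw) for gw in inventory}

if __name__ == "__main__":
    for name, (status, blocking) in report().items():
        print(f"{name:8} {status:14} {', '.join(blocking)}")
```

A "config-blocks" result names the setting that currently prevents exploitation, which is also the setting that must not be reverted before the gateway is updated.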








