An affiliate of the Qilin ransomware took advantage of a Check Point VPN zero-day vulnerability for a month prior to the release of a patch.
Check Point has patched a critical zero-day vulnerability (CVE-2026-50751) in its Remote Access VPN and Mobile Access products, which was exploited by a Qilin ransomware affiliate since May 7. This flaw, rated with a CVSS score of 9.3, enables an unauthenticated attacker to completely bypass password authentication and create a VPN session by taking advantage of a logic error in certificate validation. The vulnerability impacts VPN setups using IKEv1, a deprecated key exchange protocol still supported for legacy remote access clients.
Check Point reported detecting suspicious activity on June 4, although the first confirmed exploitation dates back to May 7. The number of attacks increased significantly this month. The company noted that the impact is limited to “a few dozen targeted organisations globally.” In at least one instance, the post-exploitation actions were connected to an affiliate of the Qilin ransomware group, which now predominantly targets corporate VPN appliances for initial access. Check Point indicated that the attackers appear to be leveraging VPN vulnerabilities across multiple vendors, including Palo Alto Networks, Fortinet, and F5.
The company remarked, “We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet, and F5.” Additionally, they identified potential indicators that the actor may be utilizing the Tox protocol for communication, a method often linked with ransomware operators. The attackers conducted intrusions using virtual private servers located in the same country as their targets and attempted to download malicious ELF files from their controlled infrastructure.
These findings align with a growing trend in 2026 of zero-day exploitation. Google’s Threat Intelligence Group highlighted that criminal and state-sponsored actors are increasingly using previously unknown vulnerabilities, with VPN appliances and network edge devices being among the most frequently targeted. Firewalls, VPNs, and similar edge devices often lack sufficient telemetry for detecting or halting these attacks, resulting in a significant visibility gap across the industry.
Exploitation of CVE-2026-50751 requires four conditions to be met simultaneously: Remote Access VPN or Mobile Access must be active, IKEv1 must be enabled for remote access, the gateway must accept legacy remote access clients, and it must not require a machine certificate for connections. Check Point clarified that additional post-authentication activity is necessary to access internal resources or escalate privileges, meaning a VPN session alone does not provide complete network access.
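The four preconditions above are the practical triage criteria for this bug: a gateway is reachable by the bypass only when all of them hold at once, so breaking any single one (or applying the hotfix) closes the attack path. The following Python script is an added example, not Check Point's tooling; it assumes you can export each gateway's settings into the fields shown (the field names and the `hotfix_applied` flag are this example's own assumptions) and classifies a constructed inventory accordingly.

```python
"""Exposure triage for the CVE-2026-50751 preconditions described in the article.

Added example, not vendor code. Gateway attributes are assumed to come from
your own inventory export; the field names here are assumptions.
"""
from dataclasses import dataclass


@dataclass
class GatewayConfig:
    name: str
    remote_access_active: bool      # Remote Access VPN or Mobile Access enabled
    ikev1_for_remote_access: bool   # IKEv1 allowed for remote access
    legacy_clients_accepted: bool   # gateway accepts legacy remote access clients
    machine_cert_required: bool     # connections must present a machine certificate
    hotfix_applied: bool            # assumption: vendor hotfix status tracked in inventory


def met_preconditions(cfg: GatewayConfig) -> list[str]:
    """Return the CVE-2026-50751 preconditions this gateway currently satisfies.

    All four must hold for the bypass to be reachable, so any one that is
    absent from the returned list already breaks the attack path.
    """
    met = []
    if cfg.remote_access_active:
        met.append("remote_access_active")
    if cfg.ikev1_for_remote_access:
        met.append("ikev1_for_remote_access")
    if cfg.legacy_clients_accepted:
        met.append("legacy_clients_accepted")
    if not cfg.machine_cert_required:
        met.append("no_machine_cert_required")
    return met


def is_exposed(cfg: GatewayConfig) -> bool:
    """True when the gateway is unpatched and all four preconditions hold."""
    return not cfg.hotfix_applied and len(met_preconditions(cfg)) == 4


def triage(inventory: list[GatewayConfig]) -> dict[str, list[str]]:
    """Bucket gateways into 'exposed', 'patched' or 'not_reachable'."""
    result: dict[str, list[str]] = {"exposed": [], "patched": [], "not_reachable": []}
    for cfg in inventory:
        if cfg.hotfix_applied:
            result["patched"].append(cfg.name)
        elif len(met_preconditions(cfg)) == 4:
            result["exposed"].append(cfg.name)
        else:
            result["not_reachable"].append(cfg.name)
    return result


# Constructed sample inventory; these are not real gateways.
SAMPLE_INVENTORY = [
    GatewayConfig("gw-hq", True, True, True, False, False),     # all four hold, unpatched
    GatewayConfig("gw-branch", True, True, True, True, False),  # machine cert breaks the chain
    GatewayConfig("gw-dmz", True, False, True, False, False),   # IKEv1 disabled
    GatewayConfig("gw-lab", True, True, True, False, True),     # hotfix applied
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Gateways in the `not_reachable` bucket still need the hotfix; the bucket only tells you which ones are not reachable by this bypass while the patch is rolled out, and `met_preconditions` shows which single setting is doing that work.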
The affected products include Security Gateways across various firmware versions, from R82.10 to end-of-support releases R81, R81.10, and R80.40, as well as Spark firewalls operating on R80.20.X, R81.10.X, and R82.00.X. Since Spark targets small and medium-sized businesses, the vulnerability affects not only large enterprises but also organizations with limited capabilities for swift patching.
Furthermore, Check Point's investigation revealed a second vulnerability, CVE-2026-50752, with a CVSS score of 7.4. This flaw could facilitate an adversary-in-the-middle attack on site-to-site VPN connections using the same deprecated IKEv1 protocol. There is no current evidence of CVE-2026-50752 being exploited in the wild. Both vulnerabilities have been addressed in the hotfixes released alongside the disclosure.
The Qilin ransomware group, also known as Agenda, has been notably active among financially motivated threat actors in 2026. A report from Ctrl-Alt-Intel documented the group’s strategic exploitation of corporate VPN appliances, specifically those from WatchGuard and Fortinet, for initial access, deploying the Sliver command-and-control framework before eventually delivering ransomware binaries targeting environments like Linux, ESXi, and Nutanix. The Check Point zero-day vulnerability seems to be the latest addition to this operational playbook.