An affiliate of the Qilin ransomware utilized a zero-day vulnerability in Check Point's VPN for a month prior to the availability of a fix.


      TL;DR Check Point has fixed a critical zero-day vulnerability in its VPN products (CVE-2026-50751) that has been exploited since May 7 by a Qilin ransomware affiliate targeting numerous organizations.

      Check Point has identified and patched a significant zero-day vulnerability in its Remote Access VPN and Mobile Access offerings that a Qilin ransomware affiliate exploited for nearly a month before a fix was available. The vulnerability, tracked as CVE-2026-50751 with a CVSS score of 9.3, lets unauthenticated attackers bypass password authentication completely and establish a VPN session by taking advantage of a logic error in certificate validation.

      This flaw impacts VPN setups utilizing IKEv1, an outdated key exchange protocol that Check Point still accommodates for older remote access clients. In a security advisory released on Sunday, the company mentioned that suspicious activity was first detected on June 4, although confirmed exploitation began on May 7. The frequency of such attacks has significantly increased this month.

      Check Point reported that the impact is limited to “a few dozen targeted organizations worldwide.” In at least one incident, the subsequent activity was connected to a Qilin ransomware affiliate, a financially driven group that has increasingly turned to corporate VPN systems as a favored entry point. The company noted that the attackers seem to exploit vulnerabilities in VPN products from various vendors, including Palo Alto Networks, Fortinet, and F5.

      "We believe that this adversarial infrastructure is taking advantage of other VPN-related vulnerabilities such as those disclosed by Palo Alto, Fortinet, and F5," Check Point stated. The firm also observed signs that the actor might utilize the Tox protocol for communication, a tactic often linked to ransomware operators. The attackers employed virtual private servers located in the same country as their targets to carry out the intrusions, subsequently trying to download malicious ELF files from infrastructure controlled by the actors.

      These revelations align with a broader trend of zero-day exploitation that has gained momentum in 2026. Google's Threat Intelligence Group reported last month how both criminal and state-sponsored entities are increasingly leveraging previously unknown vulnerabilities, with VPN appliances and network edge devices consistently among the most targeted categories. Firewalls, VPNs, and other edge devices generally do not offer adequate telemetry to detect or prevent these attacks, creating what researchers describe as a significant visibility gap across the industry.

      To successfully exploit CVE-2026-50751, four conditions must be met at the same time: Remote Access VPN or Mobile Access must be enabled, IKEv1 must be active for remote access, the gateway must support legacy remote access clients, and it must not require a machine certificate for connections. Check Point indicated that additional post-authentication actions are necessary to access internal resources or elevate privileges, meaning a VPN session alone does not provide complete network access.

      The products affected include Security Gateways across various firmware versions, from R82.10 to end-of-support releases R81, R81.10, and R80.40, along with Spark firewalls on R80.20.X, R81.10.X, and R82.00.X. Since Spark is Check Point’s product line for small and medium-sized enterprises, the vulnerability also impacts organizations with fewer resources to promptly implement patches.
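For inventory triage, the four simultaneous preconditions and the end-of-support releases named above can be applied as in the following added example, which is not Check Point code or tooling. The JSON field names and the sample gateways are assumptions constructed for illustration; a setting the inventory never recorded is reported as unknown rather than treated as safe.

```python
import json

# (hypothetical inventory field, value that satisfies the precondition, description)
# Field names are assumptions for this example, not Check Point settings.
PRECONDITIONS = [
    ("remote_access_or_mobile_access", True, "Remote Access VPN or Mobile Access enabled"),
    ("ikev1_remote_access", True, "IKEv1 active for remote access"),
    ("legacy_clients_supported", True, "legacy remote access clients supported"),
    ("machine_cert_required", False, "machine certificate not required"),
]
END_OF_SUPPORT = {"R81", "R81.10", "R80.40"}  # releases the article names as end-of-support
ORDER = {"exposed": 0, "unknown": 1, "not_exposed": 2}

def triage(gw):
    """Classify one gateway record against the four simultaneous preconditions."""
    unmet, unverified = [], []
    for field, needed, desc in PRECONDITIONS:
        value = gw.get(field)          # None means the inventory never recorded it
        if value is None:
            unverified.append(desc)
        elif value != needed:
            unmet.append(desc)
    if unmet:
        status = "not_exposed"         # any single unmet precondition breaks the chain
    elif unverified:
        status = "unknown"             # cannot be ruled out until checked on the gateway
    else:
        status = "exposed"
    return {"name": gw["name"], "status": status, "unmet": unmet,
            "unverified": unverified,
            "end_of_support": gw.get("version") in END_OF_SUPPORT}

def triage_inventory(text):
    """Parse a JSON inventory and return results, most urgent first."""
    results = [triage(gw) for gw in json.loads(text)]
    return sorted(results, key=lambda r: (ORDER[r["status"]], not r["end_of_support"]))

# Constructed sample inventory (not real gateways).
SAMPLE = """[
 {"name": "gw-branch", "version": "R82.10", "remote_access_or_mobile_access": true,
  "ikev1_remote_access": true, "legacy_clients_supported": true, "machine_cert_required": true},
 {"name": "gw-lab", "version": "R81.10", "remote_access_or_mobile_access": true,
  "legacy_clients_supported": true, "machine_cert_required": false},
 {"name": "gw-hq", "version": "R80.40", "remote_access_or_mobile_access": true,
  "ikev1_remote_access": true, "legacy_clients_supported": true, "machine_cert_required": false}
]"""

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE):
        print(r["name"], r["status"], r["unmet"] or r["unverified"], r["end_of_support"])
```

The result orders gateways for hotfix scheduling; it says nothing about whether a gateway has already been accessed.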

      In its investigation, Check Point also discovered a second vulnerability, CVE-2026-50752, with a CVSS score of 7.4, which could facilitate a man-in-the-middle attack on site-to-site VPN connections utilizing the same outdated IKEv1 protocol. There is currently no indication that CVE-2026-50752 has been exploited in the wild. Both vulnerabilities have been addressed in the hotfixes released by Check Point along with the disclosure.

      The Qilin ransomware group, also referred to as Agenda, has been one of the more active financially motivated threat actors in 2026. A Ctrl-Alt-Intel report released last month documented how the group systematically exploited corporate VPN systems, particularly those from WatchGuard and Fortinet, for initial access, deploying the Sliver command-and-control framework before ultimately distributing ransomware binaries targeting Linux, ESXi, and Nutanix environments. The Check Point zero-day appears to be the latest addition to their tactics.
