CISA Orders Federal Agencies to Patch Check Point VPN Flaw by June 11

Key Takeaways

- CVE-2026-50751 carries a 9.3 CVSS score and allows unauthenticated attackers to bypass VPN authentication
- Qilin ransomware affiliates have exploited the flaw since May 7, breaching dozens of organizations
- Only systems using the deprecated IKEv1 protocol without machine certificate requirements are vulnerable

What Happened

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) Catalog on June 8. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch agencies must patch or mitigate the vulnerability by June 11. That is a three-day window.
The vulnerability affects Check Point Remote Access VPN, Mobile Access, and Spark firewall products. Unauthenticated attackers can exploit it to bypass authentication entirely and establish a remote VPN connection. The flaw carries a CVSS score of 9.3, placing it firmly in the critical category.
Check Point released security updates on Monday, June 9. The company confirmed that exploitation began on May 7 and surged over the weekend.

Who Is Being Targeted

Check Point says attacks have compromised "a few dozen" organizations worldwide so far. At least one incident has been linked to Qilin, a Ransomware-as-a-Service operation that has claimed over 400 victims on its dark web leak site since August 2022.
“To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with Qilin ransomware affiliate.”
— Check Point
The vulnerability only affects instances configured to use the deprecated IKEv1 key exchange protocol. Systems are vulnerable when security gateways do not require a machine certificate for connections and accept legacy Remote Access clients.

Why IKEv1 Remains a Problem

IKEv1 has been considered deprecated for years. IKEv2 replaced it with stronger authentication and better resistance to denial-of-service attacks. Yet many organizations keep IKEv1 enabled for backward compatibility with older clients.
This creates exactly the attack surface that ransomware affiliates exploit. Without mandatory machine certificate authentication, an attacker can impersonate a legitimate VPN user and gain network access without credentials.
Discussion on r/cybersecurity and Hacker News has focused on how long IKEv1 remains active in production environments. Engineers noted this incident is a reminder that legacy feature support remains a top target for persistent threat actors.

How to Mitigate

Check Point recommends applying the available security updates immediately. For organizations that cannot patch right away, the company provided several mitigation steps.
- Remove support for the legacy remote access client
- Configure global properties for Remote Access VPN Authentication to IKEv2 only
- Enable IPS and download the latest signatures
- Configure Machine Certificate Authentication as mandatory
CISA's guidance is blunt: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
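
Before switching a gateway to IKEv2 only, it helps to know which peers still negotiate IKEv1. The following is an added example, not code from Check Point or CISA: it reads the version byte of the IKE header in captured UDP 500/4500 payloads and counts IKEv1 negotiations per source. The function names, sample datagrams and addresses are constructed for illustration.

```python
import struct
from collections import Counter

# IKE/ISAKMP header: initiator SPI, responder SPI, next payload,
# version (major<<4 | minor), exchange type, flags, message ID, length.
IKE_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes
EXCHANGES_V1 = {2: "main-mode", 4: "aggressive-mode"}
EXCHANGES_V2 = {34: "IKE_SA_INIT", 35: "IKE_AUTH"}

def classify_ike(payload: bytes, dst_port: int = 500):
    """Return (major_version, exchange_name), or None if not an IKE header."""
    if dst_port == 4500:
        # NAT-T: IKE is prefixed by a 4-byte zero marker; anything else is ESP.
        if payload[:4] != b"\x00\x00\x00\x00":
            return None
        payload = payload[4:]
    if len(payload) < IKE_HDR.size:
        return None
    _, _, _, version, exch, _, _, length = IKE_HDR.unpack_from(payload)
    major = version >> 4
    if major not in (1, 2) or length < IKE_HDR.size:
        return None
    names = EXCHANGES_V1 if major == 1 else EXCHANGES_V2
    return major, names.get(exch, f"exchange-{exch}")

def ikev1_peers(datagrams):
    """Count IKEv1 messages per source from (src_ip, dst_port, payload) tuples."""
    peers = Counter()
    for src, port, payload in datagrams:
        result = classify_ike(payload, port)
        if result and result[0] == 1:
            peers[src] += 1
    return dict(peers)

def build_header(version, exch, length=28):
    """Build a bare IKE header for the constructed sample below."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, version, exch, 0, 0, length)

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("192.0.2.10", 500, build_header(0x10, 2)),                   # IKEv1 main mode
    ("192.0.2.10", 500, build_header(0x10, 2)),
    ("198.51.100.7", 500, build_header(0x20, 34)),                # IKEv2
    ("203.0.113.5", 4500, b"\x00" * 4 + build_header(0x10, 4)),   # IKEv1 over NAT-T
    ("203.0.113.9", 4500, b"\xde\xad\xbe\xef" + b"\x00" * 40),    # ESP-in-UDP
]

if __name__ == "__main__":
    print(ikev1_peers(SAMPLE))
```

Run against payloads exported from a capture taken at the gateway, the peers it reports are the legacy clients that will need upgrading before IKEv1 is turned off.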

Beyond Federal Agencies

While BOD 22-01 applies only to U.S. federal agencies, CISA urged all security teams to deploy patches. Private sector organizations using Check Point VPN products should treat the three-day deadline as their own.
This is not Check Point's first appearance in the KEV Catalog. Two years ago, CISA tagged CVE-2024-24919 in Check Point's Quantum Security Gateways as actively exploited by ransomware gangs. That vulnerability was confirmed by Orange Cyberdefense CERT.

Frequently Asked Questions

Which Check Point products are affected by CVE-2026-50751?
Check Point Remote Access VPN, Mobile Access, and Spark firewalls are affected. Only instances using the deprecated IKEv1 protocol without mandatory machine certificate authentication are vulnerable.

What is the severity of the Check Point VPN vulnerability?
CVE-2026-50751 has a CVSS score of 9.3, making it a critical vulnerability. It allows unauthenticated attackers to bypass authentication and establish VPN connections.

Who is exploiting this vulnerability?
Qilin ransomware affiliates have been linked to at least one confirmed breach. Qilin is a Ransomware-as-a-Service operation with over 400 claimed victims since August 2022.

What should organizations do if they cannot patch immediately?
Check Point recommends removing legacy remote access client support, configuring VPN authentication for IKEv2 only, enabling IPS with updated signatures, and making machine certificate authentication mandatory.

Does the CISA mandate apply to private companies?
The Binding Operational Directive 22-01 applies only to Federal Civilian Executive Branch agencies. However, CISA has urged all organizations, including private sector companies, to patch immediately.

Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer