TL;DRCheck Point patched a critical VPN zero-day (CVE-2026-50751) exploited since May 7 by a Qilin ransomware affiliate targeting dozens of organisations.
Check Point has disclosed and patched a critical zero-day vulnerability in its Remote Access VPN and Mobile Access products that a Qilin ransomware affiliate exploited for roughly a month before a fix was available. The flaw, tracked as CVE-2026-50751 with a CVSS score of 9.3, allows an unauthenticated attacker to bypass password authentication entirely and establish a VPN session by exploiting a logic error in certificate validation.
The vulnerability affects VPN deployments configured to use IKEv1, a deprecated key exchange protocol that Check Point still supports for legacy remote access clients. The company said in a security advisory published on Sunday that it first detected suspicious activity on 4 June, but the earliest confirmed exploitation dates to 7 May. Attacks have ramped up significantly this month.
Check Point described the scope as limited to “a few dozen targeted organisations globally.” In at least one case, the post-exploitation activity was linked to a Qilin ransomware affiliate, a financially motivated group that has increasingly relied on corporate VPN appliances as its preferred initial access vector. Check Point said the attackers appear to be exploiting VPN vulnerabilities from multiple vendors, including Palo Alto Networks, Fortinet, and F5.
