New CVE Leaves Check Point Users Exposed to Hacks

A Qilin ransomware affiliate is suspected of exploiting CVE-2026-50751, a zero-day authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark firewalls when configured with the IKEv1 key exchange protocol. The flaw allows a remote unauthenticated attacker to establish a VPN connection without a valid user password, effectively bypassing one of the most trusted perimeter access controls. Check Point observed suspicious activity on June 4, 2026, but attacks appear to have started as early as May 7, with exploitation increasing in early June and affecting dozens of targeted organizations globally.

The confirmed post-compromise activity linked to Qilin shows the classic ransomware pattern: exploit edge access, establish persistence, move into the network, exfiltrate data, and prepare encryption. Indicators point to attacker-controlled VPS infrastructure, possible use of the Tox protocol for communication, and Rclone for data exfiltration. The incident is especially serious because attackers are not simply breaching endpoints — they are exploiting VPN and firewall infrastructure. If those systems are compromised or misconfigured, attackers can enter through the “front door” while appearing like legitimate remote users.

Stopping attacks like this requires a unified cyber defense platform that continuously monitors VPNs, firewalls, endpoints, identities, and network traffic in one security data lake, such as NIKSUN. In this case, such a platform could correlate CVE detection, external attacks, VPN configurations, IKEv1 exposure checks, Check Point gateway logs, RADIUS/LDAP/AD authentication events, NetFlow/IPFIX, DNS, full packet capture, and L2–L7 network session analytics. That unified visibility allows teams to detect the full chain (an exposed vulnerable gateway, a suspicious VPN tunnel created without valid authentication, abnormal lateral movement, outbound Rclone transfers to VPS infrastructure, and ransomware staging on endpoints) before it is too late.
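One link in that chain, shown as an added example (not NIKSUN or Check Point code): flagging VPN tunnels that have no matching successful authentication event. The record fields, the time window, and the sample data are constructed assumptions, not a vendor log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not a vendor log schema.
TUNNELS = [
    {"time": "2026-06-04T09:00:05", "user": "alice", "src_ip": "198.51.100.10", "ike": "IKEv1"},
    {"time": "2026-06-04T09:10:00", "user": "bob",   "src_ip": "203.0.113.77",  "ike": "IKEv1"},
    {"time": "2026-06-04T09:20:00", "user": "carol", "src_ip": "203.0.113.78",  "ike": "IKEv1"},
    {"time": "2026-06-04T11:00:00", "user": "alice", "src_ip": "203.0.113.79",  "ike": "IKEv1"},
]
AUTH_EVENTS = [  # constructed RADIUS/LDAP/AD-style results
    {"time": "2026-06-04T09:00:03", "user": "alice", "result": "accept"},
    {"time": "2026-06-04T09:19:58", "user": "carol", "result": "reject"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def unauthenticated_tunnels(tunnels, auth_events, window_s=30, skew_s=5):
    """Return (tunnel, reason) for each tunnel lacking a matching auth accept.

    An accept matches when it is for the same user and falls between
    window_s seconds before tunnel setup and skew_s seconds after it
    (the skew tolerates clock drift between log sources).
    """
    by_user = {}
    for ev in auth_events:
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for t in tunnels:
        up = _ts(t["time"])
        lo, hi = up - timedelta(seconds=window_s), up + timedelta(seconds=skew_s)
        near = [e for e in by_user.get(t["user"], []) if lo <= _ts(e["time"]) <= hi]
        if any(e["result"] == "accept" for e in near):
            continue  # tunnel is backed by a successful authentication
        if near:
            reason = "only failed authentication near tunnel setup"
        elif t["user"] in by_user:
            reason = "authentication record outside the time window"
        else:
            reason = "no authentication record for this user"
        findings.append((t, reason))
    return findings

if __name__ == "__main__":
    for tunnel, reason in unauthenticated_tunnels(TUNNELS, AUTH_EVENTS):
        print(tunnel["time"], tunnel["user"], tunnel["src_ip"], tunnel["ike"], "->", reason)
```

The stale-authentication case (the second `alice` tunnel) matters because a tunnel from a new source hours after the last accept would otherwise be hidden by the earlier legitimate login.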