- Check Point Fixes Critical VPN Authentication Bypass Flaw (CVE‑2026‑50751) Used in Ransomware Attacks
- Zero-day exploitation since early May; Qilin deployed ransomware in at least one case
- Customers are urged to apply fixes and mitigations immediately
Check Point has stated that it has fixed a vulnerability in its VPN products that is being used in ransomware attacks against dozens of organizations around the world.
In a published security advisory, the company said it addressed an authentication bypass vulnerability that allowed remote threat actors to establish a remote access VPN connection without a valid user password.
The bug is tracked as CVE-2026-50751 and was assigned a severity score of 9.3/10 (critical).
Applying the solution
Check Point Research Vice President Lotem Finkelstein noted that attacks exploiting this bug began on May 7, 2026, more than a month ago. In early June, the attacks increased in such volume that they caught the attention of Check Point, which realized on June 4 that there was an actively exploited zero-day.
However, Finkelstein attempted to frame the attacks as relatively low-volume: “We have seen signs that the exploitation has been limited to a relatively small number of targeted organizations (several dozen worldwide), primarily in recent days,” he said, adding that in at least one case, the compromise was used to deploy Qilin ransomware.
CVE-2026-50751 is a bug affecting SSL/Mobile Access VPNs, Remote Access VPNs, and Spark firewalls configured to use the deprecated IKEv1 key exchange protocol.
Check Point is now urging its customers to apply the provided fixes, as well as implement mitigations and other hardening methods as soon as possible. You can also find a complete list of Indicators of Compromise (IoC) at this link.
The company did not mention who the victims were or what their industries are, but from previous reports we know that Qilin is a major player that often targets critical infrastructure providers. For example, in February 2026, it added the Transport Workers Union of America (TWU) Local 100 chapter to its data breach site, saying it broke into the organization and already leaked everything it stole on the dark web.
Through The Registry
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
