CISA Warns: Check Point Gateway Vulnerability Explo

A critical vulnerability affecting Check Point Security Gateway products has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. The agency warns that threat actors are actively exploiting this flaw in ongoing ransomware campaigns.

The vulnerability, tracked as CVE-2026-50751, allows unauthenticated remote attackers to bypass user authentication and establish unauthorized VPN connections, posing severe risks to enterprise networks worldwide.

CVE-2026-50751 is an improper authentication vulnerability (CWE-287) residing in the IKEv1 (Internet Key Exchange version 1) key exchange protocol implemented in Check Point Security Gateway.

The flaw enables an unauthenticated remote attacker to bypass standard user authentication mechanisms and establish a remote access VPN tunnel without supplying a valid user password.

IKEv1 is a deprecated protocol used to negotiate and establish IPsec VPN sessions. Despite its legacy status, many organizations continue running it in production environments, a security risk that threat actors are now actively weaponizing.

Successful exploitation gives attackers a foothold directly inside the target network perimeter, effectively neutralizing the gateway’s role as a security boundary.

Active Exploitation and Ransomware Campaigns

CISA added CVE-2026-50751 to the KEV catalog on June 8, 2026, with a mandatory remediation due date of June 11, 2026, for all federal civilian executive branch (FCEB) agencies.

Critically, CISA confirmed the vulnerability is known to be used in ransomware campaigns, elevating the urgency for all organizations, not just federal agencies, to act immediately.

The ability to silently authenticate into a VPN without credentials makes this flaw particularly dangerous as an initial access vector. Ransomware operators routinely target VPN gateways as entry points, enabling lateral movement, data exfiltration, and eventual payload deployment across compromised networks.

The vulnerability affects Check Point Security Gateway products running the IKEv1 protocol for remote access VPN. Organizations using these gateways with IKEv1 enabled are directly at risk. An attacker exploiting this flaw could:

• Bypass multi-factor and password-based authentication entirely
• Establish persistent VPN access to internal network segments
• Move laterally to high-value targets including domain controllers and data repositories
• Deploy ransomware or exfiltrate sensitive data without triggering standard authentication alerts

Mitigations

Check Point has released an official hotfix addressing the vulnerability in deprecated IKEv1 VPN protocol implementations. CISA recommends that organizations take the following steps immediately:

• Apply vendor-issued mitigations per the guidance published in Check Point’s security advisory and support article SK185033
• Follow BOD 22-01 guidance for cloud-based deployments of affected products
• Discontinue use of the product if vendor mitigations cannot be applied in a timely manner
• Disable IKEv1 where it is not explicitly required, and migrate to IKEv2 as the modern, supported alternative

Organizations should also audit VPN authentication logs for anomalous connection attempts that lack corresponding valid credential events, a potential indicator of prior exploitation.

This disclosure underscores the persistent risk posed by legacy protocol support in enterprise security products. VPN gateways are high-value targets precisely because compromising them grants attackers authenticated-looking network access.

Security teams should treat this patch as a critical priority and verify hotfix deployment across all gateway instances before the CISA-mandated deadline.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.