Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)

A Qilin ransomware affiliate is believed to be exploiting CVE-2026-50751, an authentication bypass vulnerability in Check Point VPN Remote Access and Mobile Access, the company announced on Monday.


About CVE-2026-50751

Check Point Remote Access VPN enables and secures connections between corporate networks and remote or mobile devices. Check Point Mobile Access lets mobile and remote workers connect securely to email, calendar, contacts, and corporate applications.

CVE-2026-50751 affects both solutions (i.e., functions running on Check Point Security Gateways), but only if they are configured to use the deprecated IKEv1 key exchange protocol. It also affects Check Point’s AI-powered Spark firewalls, which are intended for small and medium-sized businesses and managed service providers.

The vulnerability stems from a logic flow weakness and allows remote, unauthenticated attackers to bypass user authentication and establish a remote access VPN connection without a valid user password.

The attacks

According to Check Point, it first noticed suspicious activity on June 4, 2026, but the first known attacks happened in early May 2026.

“To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate,” they shared.

The company has provided indicators of compromise (IoCs) that investigators and defenders should be looking out for.

“Incident response teams should prioritize forensic log audits and configuration reviews starting from the earliest observed exploitation date of May 7, 2026. Based upon our observations, exploitation attempts of CVE-2026-50751 increased in early June,” they added.

The one suspected financially motivated attack was mounted by an attacker that uses Qilin ransomware, possibly the Tox protocol for communication, and (based on one of the shared file hashes) the open-source Rclone software to exfiltrate data.

“The actor used a dedicated virtual private server (VPS) infrastructure to conduct the attacks. Observed infrastructure includes IPs hosted by Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. In some cases, we observed a correlation between the victim organization’s geography and the geolocation of the VPS used in the attack,” Check Point stated.

“We believe that this threat actor infrastructure is exploiting other VPN-related vulnerabilities such as the ones published by Palo Alto, Fortinet and F5.”

The company has urged customers to check for indicators of compromise and to upgrade affected instances to a fixed version.

Alternative mitigation steps include making sure that deployments aren’t configured to use the deprecated IKEv1 key exchange protocol, removing support for legacy Remote Access client connections, and making sure the gateways demand a machine certificate to establish connections.
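The advisory's two defender-side asks, a forensic review of remote-access activity from May 7, 2026 onward and a configuration check for the three mitigations listed above, can be turned into a small triage helper. The example below is added here and is not Check Point's tooling; the session record and configuration key names (`key_exchange`, `src_org`, `machine_cert`, `ikev1_enabled`, `legacy_ra_clients_allowed`, `require_machine_certificate`) are assumptions about what an export from the gateway might contain, not a real Check Point format, and the sample data is constructed. The hosting-provider match uses an assumed organisation enrichment of the source address, since no IPs are given in the article.

```python
"""Triage helper for CVE-2026-50751 response (added example, not vendor code).

Two jobs from the advisory:
  1. rank remote-access VPN sessions for forensic review, starting at the
     earliest observed exploitation date;
  2. audit a gateway configuration against the listed mitigations.
All field and key names are assumptions, not a Check Point export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime

EARLIEST_EXPLOITATION = date(2026, 5, 7)  # date given in the advisory

# Hosting providers named in the advisory. Matched on an assumed
# per-session organisation enrichment field, not on an IP list.
SUSPECT_HOSTING = {"kaupo cloud hk", "shock hosting", "vultr holdings"}


@dataclass
class Session:
    ts: datetime
    user: str
    key_exchange: str   # assumed field: "IKEv1" or "IKEv2"
    src_org: str        # assumed field: org/ASN enrichment of the source IP
    machine_cert: bool  # assumed field: did the client present a machine cert


def triage_session(s: Session) -> list[str]:
    """Return the reasons a session deserves review (empty list = none)."""
    reasons: list[str] = []
    if s.ts.date() < EARLIEST_EXPLOITATION:
        return reasons  # predates the advisory's window; not prioritised here
    if s.key_exchange.upper() == "IKEV1":
        reasons.append("ikev1")  # only IKEv1-configured gateways are affected
    if s.src_org.lower() in SUSPECT_HOSTING:
        reasons.append("suspect-hosting")
    if not s.machine_cert:
        reasons.append("no-machine-cert")
    return reasons


def prioritise(sessions: list[Session]) -> list[tuple[Session, list[str]]]:
    """Flagged sessions only, most reasons first, then oldest first."""
    flagged = [(s, triage_session(s)) for s in sessions]
    flagged = [(s, r) for s, r in flagged if r]
    flagged.sort(key=lambda item: (-len(item[1]), item[0].ts))
    return flagged


def audit_gateway_config(cfg: dict) -> list[str]:
    """Check the three mitigations the advisory lists (keys are assumed)."""
    findings: list[str] = []
    if cfg.get("ikev1_enabled", True):
        findings.append("IKEv1 still enabled: disable the deprecated key exchange")
    if cfg.get("legacy_ra_clients_allowed", True):
        findings.append("legacy Remote Access clients still accepted")
    if not cfg.get("require_machine_certificate", False):
        findings.append("machine certificate not required to connect")
    return findings


# Constructed sample data, not real logs or a real configuration.
SAMPLE_SESSIONS = [
    Session(datetime(2026, 4, 30, 8, 0), "alice", "IKEv1", "Vultr Holdings", False),
    Session(datetime(2026, 5, 12, 2, 15), "bob", "IKEv1", "Shock Hosting", False),
    Session(datetime(2026, 6, 5, 9, 30), "carol", "IKEv2", "Contoso ISP", True),
    Session(datetime(2026, 6, 6, 22, 45), "dave", "IKEv1", "Home ISP", True),
]
SAMPLE_CONFIG = {
    "ikev1_enabled": True,
    "legacy_ra_clients_allowed": False,
    "require_machine_certificate": False,
}

if __name__ == "__main__":
    for s, reasons in prioritise(SAMPLE_SESSIONS):
        print(f"{s.ts.isoformat()} {s.user:6} {', '.join(reasons)}")
    for finding in audit_gateway_config(SAMPLE_CONFIG):
        print("CONFIG:", finding)
```

On the constructed data, `bob` ranks first (IKEv1 session from a named hosting provider without a machine certificate inside the window) and `alice` is dropped only because her session predates May 7, 2026; in a real review you would feed the helper your own exported session records and extend the reason list with the IoCs Check Point published.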
