CVE-2026-50751 is a critical authentication bypass vulnerability in Check Point Remote Access VPN, Mobile Access, and Spark firewalls configured to use the deprecated IKEv1 key exchange protocol, without requiring machine certificates and allowing legacy remote access clients. Unauthenticated attackers can exploit this flaw to establish unauthorized VPN connections. Exploitation has been confirmed in limited targeted attacks since May 7, 2026, including activity associated with the Qilin Ransomware-as-a-Service operation. Check Point has released security updates to address this vulnerability and provided mitigation guidance for environments unable to patch immediately. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog and issued a Binding Operational Directive requiring federal agencies to remediate by June 11, 2026.

Successful exploitation allows unauthenticated remote attackers to bypass VPN authentication and gain unauthorized remote access to affected networks. This can lead to post-compromise activities such as ransomware deployment, as confirmed in at least one incident involving the Qilin ransomware group. The vulnerability poses significant risks to organizations using affected Check Point VPN products with vulnerable configurations.

A security update addressing CVE-2026-50751 has been released by Check Point and should be applied immediately. For environments unable to patch promptly, Check Point recommends removing support for legacy remote access clients, configuring VPN authentication to use IKEv2 only, enabling IPS with updated signatures, and enforcing mandatory machine certificate authentication. U.S. federal agencies must comply with CISA's Binding Operational Directive 22-01 by June 11, 2026. Organizations should follow vendor instructions for mitigation or discontinue use if mitigations are unavailable.