9 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-50751 is a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access / SSL VPN, and Spark Firewall deployments configured to use the deprecated IKEv1 key exchange protocol.
The vulnerability stems from a weakness in certificate validation during the IKEv1 authentication process. An attacker may exploit the flaw to bypass authentication protections and gain unauthorized access to vulnerable VPN environments.
Successful exploitation could enable unauthorized remote access, facilitate lateral movement, establish persistence, and provide a foothold for additional malicious activity within the affected environment.
Check Point Research identified active exploitation of this vulnerability in the wild, and CVE-2026-50751 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Check Point VPN Authentication Bypass Vulnerability
Identifier: CVE-2026-50751
PoC or Exploitation: Check Point Research identified active exploitation of CVE-2026-50751 in the wild.
CVE-2026-50751 was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.
CVSS Score: 9.3 (Critical)
Update / Patch:
Check Point has released hotfixes and remediation guidance addressing this vulnerability.
Affected products include:
- Check Point Remote Access VPN
- Check Point Mobile Access / SSL VPN
- Check Point Spark Firewall
Affected versions include:
- R80.20.X (End of Support)
- R80.40 (End of Support)
- R81 (End of Support)
- R81.10 (End of Support)
- R81.10.X
- R81.20
- R82
- R82.00.X
- R82.10
Fixed versions and hotfixes include:
For Security Gateway / Maestro Orchestrator / Security Group:
- R82.10 Jumbo Hotfix Accumulator Take 19 with Hotfix Take 3
- R82.10 Jumbo Hotfix Accumulator Take 6 with Hotfix Take 2
- R82 Jumbo Hotfix Accumulator Take 103 with Hotfix Take 2
- R82 Jumbo Hotfix Accumulator Take 91 with Hotfix Take 2
- R81.20 Jumbo Hotfix Accumulator Take 141 with Hotfix Take 2
- R81.20 Jumbo Hotfix Accumulator Take 127 with Hotfix Take 2
- R81.20 Jumbo Hotfix Accumulator Take 120 with Hotfix Take 2
- R81.20 Jumbo Hotfix Accumulator Take 113 with Hotfix Take 2
For Check Point Spark Firewalls:
- R82.00.10 Build 998002216
- R81.10.17 Build 996004901
Vendor advisory and remediation guidance:
Check Point Support Article:
Description:
CVE-2026-50751 is an authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access / SSL VPN, and Spark Firewall deployments configured to use the deprecated IKEv1 key exchange protocol.
The vulnerability results from a weakness in certificate validation within the IKEv1 authentication process. An attacker can exploit the flaw to bypass authentication protections and gain unauthorized access to vulnerable VPN environments.
Successful exploitation may allow unauthorized remote access to affected systems, facilitate further compromise of internal environments, establish persistence, and provide a foothold for additional malicious activity, including ransomware operations.
Mitigation Recommendation:
Identify systems configured to use the deprecated IKEv1 key exchange protocol and prioritize them for remediation.
Where operationally feasible, disable IKEv1 and migrate Remote Access VPN authentication to IKEv2-only configurations.
Consider configuring Machine Certificate Authentication as mandatory in accordance with Check Point guidance.
Review VPN authentication logs, remote access activity, and administrative events for signs of unauthorized access.
Investigate historical VPN activity for unusual authentications, unfamiliar source IP addresses, or anomalous user behavior.
Conduct compromise assessments on exposed VPN infrastructure where IKEv1 was enabled.
