Security Bulletin: Check Point VPN Authentication Bypass Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 6/8/26 10:20 PM

About:

CVE-2026-50751 is a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access / SSL VPN, and Spark Firewall deployments configured to use the deprecated IKEv1 key exchange protocol.

The vulnerability stems from a weakness in certificate validation during the IKEv1 authentication process. An attacker may exploit the flaw to bypass authentication protections and gain unauthorized access to vulnerable VPN environments.

Successful exploitation could enable unauthorized remote access, facilitate lateral movement, establish persistence, and provide a foothold for additional malicious activity within the affected environment.

Check Point Research identified active exploitation of this vulnerability in the wild, and CVE-2026-50751 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Check Point VPN Authentication Bypass Vulnerability

Identifier: CVE-2026-50751
PoC or Exploitation: Check Point Research identified active exploitation of CVE-2026-50751 in the wild.
CVE-2026-50751 was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.

CVSS Score: 9.3 (Critical)

Update / Patch:

Check Point has released hotfixes and remediation guidance addressing this vulnerability.

Affected products include:

Check Point Remote Access VPN
Check Point Mobile Access / SSL VPN
Check Point Spark Firewall

Affected versions include:

R80.20.X (End of Support)
R80.40 (End of Support)
R81 (End of Support)
R81.10 (End of Support)
R81.10.X
R81.20
R82
R82.00.X
R82.10

Fixed versions and hotfixes include:

For Security Gateway / Maestro Orchestrator / Security Group:

R82.10 Jumbo Hotfix Accumulator Take 19 with Hotfix Take 3
R82.10 Jumbo Hotfix Accumulator Take 6 with Hotfix Take 2
R82 Jumbo Hotfix Accumulator Take 103 with Hotfix Take 2
R82 Jumbo Hotfix Accumulator Take 91 with Hotfix Take 2
R81.20 Jumbo Hotfix Accumulator Take 141 with Hotfix Take 2
R81.20 Jumbo Hotfix Accumulator Take 127 with Hotfix Take 2
R81.20 Jumbo Hotfix Accumulator Take 120 with Hotfix Take 2
R81.20 Jumbo Hotfix Accumulator Take 113 with Hotfix Take 2

For Check Point Spark Firewalls:

R82.00.10 Build 998002216
R81.10.17 Build 996004901

Vendor advisory and remediation guidance:

https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/

Check Point Support Article:

https://support.checkpoint.com/results/sk/sk185033

Description:

CVE-2026-50751 is an authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access / SSL VPN, and Spark Firewall deployments configured to use the deprecated IKEv1 key exchange protocol.

The vulnerability results from a weakness in certificate validation within the IKEv1 authentication process. An attacker can exploit the flaw to bypass authentication protections and gain unauthorized access to vulnerable VPN environments.

Successful exploitation may allow unauthorized remote access to affected systems, facilitate further compromise of internal environments, establish persistence, and provide a foothold for additional malicious activity, including ransomware operations.

Mitigation Recommendation:

Identify systems configured to use the deprecated IKEv1 key exchange protocol and prioritize them for remediation.
Where operationally feasible, disable IKEv1 and migrate Remote Access VPN authentication to IKEv2-only configurations.

Consider configuring Machine Certificate Authentication as mandatory in accordance with Check Point guidance.

Review VPN authentication logs, remote access activity, and administrative events for signs of unauthorized access.
Investigate historical VPN activity for unusual authentications, unfamiliar source IP addresses, or anomalous user behavior.
Conduct compromise assessments on exposed VPN infrastructure where IKEv1 was enabled.

View full post