WatchTowr researchers have disclosed a technical analysis and a “Detection Artefact Generator” for CVE-2026-50751, an authentication bypass flaw in Check Point’s Remote Access VPN and Mobile Access, which the vendor confirmed to be actively exploited.
The attacks were limited, but with this information now public, a larger wave of opportunistic attacks may be expected.
From silent exploitation to public disclosure
CVE-2026-50751 was patched by Check Point on June 8, 2026, and the company said that in-the-wild exploitation stretches back to early May.
A few dozen organizations were targeted before the patch was released, the company said, with at least one incident linked to a Qilin ransomware affiliate.
WatchTowr Labs researcher McCaulay Hudson published today a technical breakdown of the flaw, explaining how the vulnerable code allows a connecting client to manipulate authentication flags via a custom Vendor ID payload during IKEv1 negotiation, and demonstrated that this could be escalated into a full authentication bypass.
He also built and published a proof-of-concept IKEv1 client that completes phase-1 negotiation with a random signature, and allows remote, unauthenticated attackers to log in as a provisioned Remote Access user without a valid certificate, private key, or password.
The PoC’s README file explains that a Check Point Security Gateway with Remote Access VPN and Mobile Access blades is exposed when it’s configured for the legacy IKEv1 path and connections from legacy Remote Access clients are allowed.
As previously noted by the vendor, a third prerequisite for a successful attack is that the gateway doesn’t ask for a machine certificate to establish connections.
According to the researcher, the certificate-authentication bypass works against the Certificate, Certificate with enrollment, and Mixed user-authentication methods, but the plain Legacy (username/password) method remains unaffected.
Hudson also said that the authentication bypass works over TCP 443, if UDP access is blocked/filtered.
Patch, mitigate, remediate
Check Point has shared indicators of compromise related to the initial attacks, so organizations’ defenders can check whether their gateways have been targeted.
They have advised customers to apply the hotfixes that patch CVE-2026-50751 and an additional certificate-validation flaw (CVE-2026-50752).
Organizations running affected Check Point Security Gateways and Spark Firewall products that have not yet applied the hotfix for CVE-2026-50751 should do so immediately.
Where patching cannot be completed right away or at all (i.e., on unsupported versions), administrators should consider disabling legacy IKEv1/Remote Access client support and enforcing mandatory machine-certificate authentication.
