
Qilin Ransomware Exploits Critical Check Point VPN Zero-Day (CVE-2026-50751)

Jun 15


A critical authentication bypass in Check Point's Remote Access VPN has been quietly exploited since 7 May, and at least one of the resulting intrusions ended in Qilin ransomware. CISA has given US federal agencies just three days to patch. If your organisation still accepts IKEv1 VPN connections, this story is about you.


What Happened


On 8 June, Check Point disclosed CVE-2026-50751, a critical authentication bypass (CVSS 9.3) affecting Remote Access VPN, Mobile Access and Spark gateways configured to use the deprecated IKEv1 key exchange protocol. A logic flaw in certificate validation lets an unauthenticated attacker establish a VPN session without a valid password. Check Point Research confirmed exploitation in the wild since 7 May 2026, with activity surging in early June across a few dozen targeted organisations, including one confirmed case of post-compromise activity tied to a Qilin ransomware affiliate that used the open-source Rclone tool to exfiltrate data. During the investigation Check Point also found a second flaw, CVE-2026-50752, affecting certificate validation on site-to-site IKEv1 connections; it could enable man-in-the-middle attacks, though no exploitation has been observed so far.


Why It Matters


VPN gateways remain one of the most reliable entry points for ransomware operators, and this is the latest in a line of perimeter zero-days that includes recent Palo Alto Networks GlobalProtect flaws. Qilin is no stranger to Australia: the group was linked to the attack on Court Services Victoria and has claimed nearly 400 victims since 2022, including pathology provider Synnovis, Nissan and Asahi. Australian organisations running Check Point gateways that still accept legacy IKEv1 clients, a configuration that persists in many long-lived enterprise environments, are squarely in scope.


“To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with Qilin ransomware affiliate.” — Check Point Research


What Security Teams Should Do Now


  • Apply Check Point's hotfix to all Remote Access VPN, Mobile Access and Spark gateways now. CISA gave US federal agencies until 11 June; that is a sensible benchmark for your own patch window.

  • Disable IKEv1 and set Remote Access VPN authentication to IKEv2 only in global properties.

  • Make machine certificate authentication mandatory and remove support for legacy remote access clients.

  • If patching must wait, enable IPS and download Check Point's latest signatures as an interim control.

  • Hunt back to 7 May: review VPN authentication logs for unfamiliar sessions and check internal hosts for Rclone or other exfiltration tooling.

  • While you are in the console, confirm site-to-site VPN configurations are not exposed to CVE-2026-50752.
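A small triage script for the "hunt back to 7 May" step above, added here as an illustration and not part of the original post or any Check Point tooling. It assumes a constructed, simplified key=value VPN authentication log (not Check Point's real log schema) and flags accepted sessions on or after 7 May 2026 that were negotiated over IKEv1 or that come from a user/source pair never seen in the pre-exploitation baseline.

```python
from datetime import datetime

# Constructed sample lines in a simplified key=value format; this is NOT
# Check Point's real log schema, only an illustration of the hunt logic.
SAMPLE_LOG = """\
time=2026-04-20T09:12:03Z user=alice src=203.0.113.10 ike=IKEv2 auth=machine_cert result=accept
time=2026-04-28T18:40:11Z user=bob src=198.51.100.7 ike=IKEv2 auth=machine_cert result=accept
time=2026-05-07T02:17:45Z user=svc_backup src=192.0.2.55 ike=IKEv1 auth=password result=accept
time=2026-05-09T11:03:22Z user=alice src=203.0.113.10 ike=IKEv2 auth=machine_cert result=accept
time=2026-06-02T03:51:09Z user=admin src=192.0.2.201 ike=IKEv1 auth=password result=accept
time=2026-06-03T03:55:40Z user=admin src=192.0.2.201 ike=IKEv1 auth=password result=reject
"""

HUNT_START = datetime(2026, 5, 7)  # first exploitation observed by Check Point Research


def parse_line(line):
    """Turn one key=value log line into a dict; the timestamp becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def hunt_vpn_sessions(log_text, hunt_start=HUNT_START):
    """Return suspicious accepted sessions on or after hunt_start.

    Flags IKEv1 sessions (the protocol the bypass targets) and sessions whose
    user/source pair never appeared in the pre-hunt-window baseline.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    baseline = {(e["user"], e["src"]) for e in events
                if e["time"] < hunt_start and e["result"] == "accept"}
    findings = []
    for e in events:
        if e["time"] < hunt_start or e["result"] != "accept":
            continue  # outside the hunt window, or never became a session
        reasons = []
        if e["ike"] == "IKEv1":
            reasons.append("IKEv1 session")
        if (e["user"], e["src"]) not in baseline:
            reasons.append("unfamiliar user/source pair")
        if reasons:
            findings.append((e["time"].isoformat(), e["user"], e["src"], reasons))
    return findings


if __name__ == "__main__":
    for when, user, src, reasons in hunt_vpn_sessions(SAMPLE_LOG):
        print(when, user, src, "; ".join(reasons))
```

Any hit is a starting point for the host-side check in the same step (Rclone or other exfiltration tooling on the systems that session reached), not a verdict on its own.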


Aurian's Take


The pattern here is familiar and worth naming: the vulnerability lives in a protocol that has been deprecated for years but never switched off. IKEv1 support lingers in enterprise environments because it works and nobody owns the job of retiring it. Ransomware affiliates have noticed. Buying or finding one authentication bypass on an edge device now beats a thousand phishing emails, which is why VPN gateways, firewalls and file transfer appliances keep appearing at the start of intrusion timelines. Your perimeter is being audited constantly; the only question is by whom.


This is precisely the class of exposure that regular penetration testing is built to find. An external security assessment that covers the perimeter will flag IKEv1 acceptance, missing machine certificate requirements and legacy client support long before an affiliate does, and a retest after remediation confirms the door actually closed. Aurian's testers see configuration drift like this often: gateways patched diligently for years while a deprecated protocol sits enabled underneath. Point-in-time compliance reviews rarely catch it. Adversarial testing, repeated as your environment changes, does.



CVE-2026-50751 will not be the last VPN zero-day, but legacy configuration is the one part of this story every organisation controls. To find out how Aurian can help your organisation assess its exposure, get in touch.




© 2026 Aurian Security Pty Ltd. All rights reserved.
