Lead Analysis
Security & Risk

CISA Gives Federal Agencies Three Days to Patch Zero-Day in Check Point VPN Exploited by Qilin

Overnight SOC analyst workstation with three monitors in red alert and a hand pinning an urgency tag onto a printed CISA directive

CVE-2026-50751 has a CVSS of 9.3 and allows authentication bypass in IKEv1 deployments; Qilin affiliates have been exploiting the vulnerability since May 7, according to Check Point.

On Sunday night (June 8), CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog and set a June 11 deadline for Federal Civilian Executive Branch (FCEB) agencies to apply the Check Point hotfix, leaving only three business days to do so. The vulnerability, rated CVSS 9.3, is an authentication bypass in Check Point's Remote Access VPN and Mobile Access when they are configured over the IKEv1 protocol, which is considered deprecated. A remote attacker can establish a VPN session without a valid password by exploiting a logic flaw in the certificate validation process.


Check Point itself confirmed in a statement that active exploitation began on May 7, before a patch existed, and that suspicious indicators peaked on June 4. During its investigation the vendor also identified a second vulnerability, CVE-2026-50752, which affects certificate validation in site-to-site communications over IKEv1 and may enable man-in-the-middle interference under specific conditions.


Qilin: The Most Active Ransomware of the Quarter


The attribution did not come from third-party telemetry. Check Point stated that in at least one case it confirmed post-compromise activity associated with an affiliate of Qilin, a group that has been the most active ransomware operation for three consecutive quarters. In the first quarter of 2026 Qilin listed 338 victims on its leak site, and the cumulative total for the year has already surpassed 500. Manufacturing accounts for 291 victims, corporate services 245, and healthcare 168, according to the PurpleOps database. Between June 2 and June 5, the collective claimed 15 new victims across nine countries, spanning healthcare, hospitality, manufacturing, consumer services, and critical infrastructure.


The attack infrastructure mapped by Check Point Research runs on VPS instances at Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, all commercial providers that accept decentralized payments. At the time of publication, Check Point reported "several dozen" organizations affected globally. The vendor has not publicly named any victim, and none of the organizations listed on Qilin's leak site during the exploitation window have commented in a way that directly links their incident to CVE-2026-50751.


Who Is Exposed


The patch covers Security Gateways on R82.10 (Jumbo Hotfix Take 19 or lower), R82 (Take 103 or lower), and R81.20 (Take 141 or lower), as well as Spark firewalls on R80.20.X, R81.10.X, and R82.00.X. Check Point has published the hotfixes through Security Knowledge Base article SK185033 and at the same time recommends disabling IKEv1 in favor of IKEv2 in Remote Access and Mobile Access configurations. For customers who keep IKEv1 for compatibility with legacy VPN clients, the vendor suggests temporarily isolating the service until the fix is applied.


The geographical risk assessment runs along two axes. In the United States, where CISA holds binding authority over the FCEB, the June 11 deadline creates an immediate operational burden for federal departments and defense industrial base contractors running Check Point at their perimeters. In Europe, where ENISA has no equivalent emergency powers, the obligation falls under GDPR breach-reporting requirements if personal data was accessed, and under NIS2 for operators of essential services. German and French companies with branches in Brazil that run centralized corporate VPNs out of Tel Aviv or Frankfurt on Check Point appliances need to map out whether IKEv1 is enabled anywhere in their topology: the vector is remote and requires no user interaction.
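The two preceding paragraphs describe the exposure test a defender has to run across a fleet: which Security Gateway or Spark builds are at or below the affected Jumbo Take, whether the SK185033 hotfix has landed, and where IKEv1 is still enabled for Remote Access, Mobile Access or site-to-site peers. The following triage script is an added illustration, not Check Point's or CISA's code. It takes the release and Take thresholds from the article; the inventory schema (the `product`, `take`, `hotfix_applied`, `ike_versions` and `remote_access` fields), the gateway names and the sample data are constructed assumptions, and in practice the inventory would be exported from the management server rather than typed in.

```python
"""Exposure triage for CVE-2026-50751 / CVE-2026-50752 across a Check Point fleet.

Added illustration, not Check Point's or CISA's own tooling. The inventory schema,
gateway names and sample data are assumptions; the release/Take thresholds and the
SK185033 reference are the ones reported in the article.
"""
from dataclasses import dataclass, field
from typing import Optional
import re

# Security Gateway releases: a Jumbo Hotfix Take at or below this value is unpatched.
GATEWAY_MAX_VULNERABLE_TAKE = {"R82.10": 19, "R82": 103, "R81.20": 141}
# Spark (SMB) release trains the advisory lists; any build on them needs the hotfix.
SPARK_AFFECTED_TRAINS = {"R80.20", "R81.10", "R82.00"}

RELEASE_RE = re.compile(r"^R(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


@dataclass
class Gateway:
    name: str
    product: str                   # "gateway" or "spark" (assumed inventory field)
    release: str                   # "R82.10", "R82", "R81.10.15", ...
    take: Optional[int] = None     # Jumbo Hotfix Take; None for Spark or when unknown
    hotfix_applied: bool = False   # SK185033 hotfix installed (assumed field)
    ike_versions: set = field(default_factory=set)  # e.g. {"IKEv1", "IKEv2"}
    remote_access: bool = False    # Remote Access / Mobile Access blade enabled


@dataclass
class Finding:
    name: str
    unpatched: bool
    ikev1_enabled: bool
    priority: int                  # 0 = most urgent
    action: str


def release_train(release: str) -> str:
    """Normalize 'R81.10.15' -> 'R81.10' and 'R82' -> 'R82' for table lookups."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognized Check Point release string: {release!r}")
    major, minor, _patch = m.groups()
    return f"R{major}" if minor is None else f"R{major}.{minor}"


def needs_hotfix(gw: Gateway) -> bool:
    """True when the build is in the affected range and the hotfix is not yet applied."""
    if gw.hotfix_applied:
        return False
    train = release_train(gw.release)
    if gw.product == "spark":
        return train in SPARK_AFFECTED_TRAINS
    limit = GATEWAY_MAX_VULNERABLE_TAKE.get(train)
    if limit is None:
        return False               # release not in the advisory; verify against SK185033
    # Unknown Take is treated conservatively as not yet patched.
    return gw.take is None or gw.take <= limit


def triage_gateway(gw: Gateway) -> Finding:
    """Rank one gateway: unpatched + IKEv1 + Remote Access is the CVE-2026-50751 case."""
    unpatched = needs_hotfix(gw)
    ikev1 = "IKEv1" in gw.ike_versions
    if unpatched and ikev1 and gw.remote_access:
        pri, action = 0, "apply SK185033 now; disable IKEv1 or isolate Remote Access until done"
    elif unpatched and ikev1:
        pri, action = 1, "apply SK185033; site-to-site IKEv1 is exposed to CVE-2026-50752"
    elif unpatched:
        pri, action = 2, "apply SK185033; the reported bypass requires IKEv1, which is off"
    elif ikev1:
        pri, action = 3, "patched; still migrate IKEv1 clients and peers to IKEv2"
    else:
        pri, action = 4, "no action required"
    return Finding(gw.name, unpatched, ikev1, pri, action)


def triage(inventory: list) -> list:
    """Return findings ordered most urgent first (stable within a priority)."""
    return sorted((triage_gateway(g) for g in inventory), key=lambda f: f.priority)


# Constructed sample inventory; names and states are illustrative only.
SAMPLE_INVENTORY = [
    Gateway("hq-ra-gw", "gateway", "R82.10", take=19,
            ike_versions={"IKEv1", "IKEv2"}, remote_access=True),
    Gateway("dc-s2s-gw", "gateway", "R81.20", take=141, ike_versions={"IKEv1"}),
    Gateway("branch-spark", "spark", "R81.10.15", ike_versions={"IKEv2"}),
    Gateway("lab-gw", "gateway", "R82", take=104,
            ike_versions={"IKEv1", "IKEv2"}, remote_access=True),
    Gateway("patched-gw", "gateway", "R82.10", take=19, hotfix_applied=True,
            ike_versions={"IKEv2"}, remote_access=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"[P{f.priority}] {f.name}: {f.action}")
```

Two design choices matter. An unknown Take is treated as unpatched rather than skipped, because the cost of a false "safe" verdict on a perimeter device is far higher than one extra check. A release that is not in the advisory's list returns "not affected" only in the sense that the script cannot tell; the comment points the operator back to SK185033 rather than silently clearing the box.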


The window between May 7 and the hotfix spans 32 days of exploitation without a patch, a pattern that has repeated for edge-device vulnerabilities over the past 18 months. Ivanti, Fortinet, Citrix NetScaler, Palo Alto Networks, and now Check Point: the enterprise perimeter has become ransomware operators' favorite entry point, and the average time between initial exploitation and disclosure keeps shrinking. CISOs who still treat VPN appliances as stable, low-risk infrastructure are misreading the threat landscape. Qilin was not the first to exploit this entry point and will not be the last.
