Security Advisory - Published 2026-06-08 - Active exploitation

Check Point CVE-2026-50751: IKEv1 VPN Auth Bypass Self-Check

CVE-2026-50751 affects Check Point Remote Access VPN and Mobile Access deployments that still use the deprecated IKEv1 key exchange. Check Point says the issue can let an unauthenticated remote attacker establish a VPN session without a valid password, and the vendor has observed exploitation in the wild.

Priority: Treat this as an incident-response check if IKEv1 is enabled. Check Point's advisory says responders should review logs from 2026-05-07 onward.

Who is affected

  • Product family: Check Point Remote Access VPN, Mobile Access / SSL VPN, and Spark Firewall
  • Configuration: deprecated IKEv1 key exchange still enabled
  • CVE: CVE-2026-50751
  • CVSS: 9.3 in Check Point's advisory
  • Observed exploitation: yes, according to Check Point
  • Related issue: CVE-2026-50752 affects some IKEv1 site-to-site VPN scenarios

Fast triage

  1. Confirm IKEv1 exposure. In SmartConsole or the gateway VPN configuration, check whether Remote Access VPN or Mobile Access still accepts IKEv1.
  2. Check affected versions. Check Point lists R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, and R82.10 in the advisory table.
  3. Apply the hotfix. Use the vendor SK for exact package and gateway guidance.
  4. Disable IKEv1 if possible. Move Remote Access and Mobile Access users to IKEv2 where your environment supports it.
  5. Review VPN logs from 2026-05-07. Prioritize successful VPN sessions from unfamiliar networks and sessions that do not match normal user geography.

Log checks to run with your firewall team

Do not stop at a version check. If the gateway accepted IKEv1 before the hotfix, look for successful access followed by internal movement.

  • Successful Remote Access VPN sessions using IKEv1.
  • VPN sessions from new hosting providers, VPS ranges, or countries not used by your staff.
  • VPN access followed by SMB enumeration, RDP login attempts, backup access, or abnormal file transfers.
  • New administrator activity after the VPN session.
  • Endpoint events involving unknown ELF binaries, cloud sync tools, or unusual outbound traffic.
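The first three checks above can be run together over exported logs. The sketch below is an added example, not Check Point tooling or code from the advisory. The CSV column names, the event labels, the staff-country baseline, and the 24-hour correlation window are all assumptions to replace with your own export format and environment.

```python
import csv, io
from datetime import datetime, timedelta

REVIEW_FROM = datetime(2026, 5, 7)      # review start date given in the advisory
STAFF_COUNTRIES = {"DE", "NL"}          # assumption: your normal user geography
FOLLOW_ON = {"smb_enum", "rdp_login", "backup_access", "admin_change"}  # hypothetical labels
WINDOW = timedelta(hours=24)            # assumption: how long after login to correlate

# Constructed sample data; column names are hypothetical, not Check Point's log schema.
VPN_CSV = """time,user,src_ip,country,ike_version,result,assigned_ip
2026-05-03T09:00:00,alice,198.51.100.7,US,1,success,10.8.0.11
2026-05-09T02:14:00,bob,203.0.113.50,US,1,success,10.8.0.12
2026-05-09T08:30:00,carol,192.0.2.10,DE,1,success,10.8.0.13
2026-05-10T11:00:00,dave,203.0.113.77,BR,2,success,10.8.0.14
2026-05-11T23:40:00,erin,203.0.113.90,SG,1,failed,10.8.0.15
"""
INTERNAL_CSV = """time,src_ip,event
2026-05-09T02:31:00,10.8.0.12,smb_enum
2026-05-09T03:05:00,10.8.0.12,rdp_login
2026-05-09T09:00:00,10.8.0.13,web_browse
2026-05-12T10:00:00,10.8.0.12,smb_enum
"""

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows

def triage(vpn_rows, internal_rows):
    """Successful IKEv1 sessions since REVIEW_FROM, highest priority first."""
    findings = []
    for s in vpn_rows:
        if s["time"] < REVIEW_FROM or s["ike_version"] != "1" or s["result"] != "success":
            continue
        unfamiliar = s["country"] not in STAFF_COUNTRIES
        follow = sorted({e["event"] for e in internal_rows
                         if e["src_ip"] == s["assigned_ip"] and e["event"] in FOLLOW_ON
                         and s["time"] <= e["time"] <= s["time"] + WINDOW})
        score = 2 * bool(follow) + unfamiliar   # follow-on activity outweighs geography
        findings.append({"user": s["user"], "src_ip": s["src_ip"], "time": s["time"],
                         "unfamiliar": unfamiliar, "follow_on": follow, "score": score})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in triage(load(VPN_CSV), load(INTERNAL_CSV)):
        print(f["score"], f["user"], f["src_ip"], f["time"].isoformat(), f["follow_on"])
```

Sessions that score 0 are still listed, because every successful IKEv1 session in the review window needs to be accounted for.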

Containment path

  1. Patch first where you can. Apply the Check Point hotfix for the affected gateway line.
  2. Disable or restrict IKEv1. If business requirements force temporary IKEv1 use, narrow the allowed source networks and monitor heavily.
  3. Reset exposed access. Rotate VPN credentials, API keys, and privileged accounts that were reachable from VPN clients.
  4. Review internal access. Treat suspicious VPN sessions as a foothold, not the final event.
  5. Preserve evidence. Keep gateway logs, SmartEvent exports, endpoint telemetry, and firewall rule changes before cleanup.

When to request help

Ask for help if the gateway used IKEv1, you see successful VPN sessions from unknown infrastructure, or a VPN session was followed by lateral movement. Start from Ping7 CVE repair and include the gateway version, whether IKEv1 was enabled, and the first suspicious login time.

References