What Happened
A critical security vulnerability (CVE-2026-50751, CVSS score 9.3) has been discovered in Check Point Security Gateway — the firewall and VPN appliance used by thousands of organisations worldwide. The flaw exists in a legacy protocol (IKEv1) used for establishing encrypted VPN connections. An attacker on the internet can exploit this flaw to completely bypass the authentication step, entering the corporate network as if they were a legitimate remote worker — without supplying any username or password. CISA confirmed on 8 June that ransomware operators are actively using this technique in ongoing campaigns.
Business Impact
This vulnerability allows attackers to connect to the internal corporate network from anywhere on the internet with no credentials required. Once connected, they have the same network access as a legitimate remote worker — meaning access to internal file servers, email systems, financial applications, and in many cases, the ability to reach systems that manage the company’s infrastructure. In confirmed incidents, attackers who gained access through similar VPN vulnerabilities have deployed ransomware across entire enterprise networks within 24–48 hours, causing operational disruptions lasting weeks and ransom demands measured in hundreds of thousands to millions of pounds. The 8 June CISA alert with a three-day deadline reflects the severity of ongoing attacks.
Board-Ready Summary
- Our VPN gateway may allow attackers to connect to the internal network without requiring a password — a situation equivalent to leaving the front door unlocked
- Ransomware groups are actively using this technique, meaning the risk is immediate and operational, not theoretical
- The security team must be directed to apply the emergency fix or disable the affected feature today, not at the next scheduled maintenance window
Recommended Actions
- Immediate (today): Direct the security team to determine whether the organisation runs Check Point Security Gateway with IKEv1 VPN enabled. This is non-negotiable information the board needs confirmed before the end of business today.
- Immediate (0–24 hours): If IKEv1 is not actively required by VPN clients, disable it. Check Point advisory sk185033 describes how to disable IKEv1 in the VPN community settings. Disabling IKEv1 eliminates the vulnerability immediately, without a maintenance window.
- Immediate (0–24 hours): If IKEv1 cannot be disabled immediately, apply the emergency hotfix published in Check Point advisory sk185033. The hotfix can be applied without a full firmware upgrade.
- Short-term (24–48 hours): Review VPN gateway access logs for the past 30 days for authentication events that may indicate prior exploitation — specifically, IKEv1 connections from IP addresses not associated with known employees or offices.
- Short-term (this week): Engage the incident response process if any indicators of prior exploitation are found. Assume that any attacker who gained VPN access may have moved laterally within the network and may have established additional persistence.
- Ongoing: Establish a process to apply emergency patches to VPN gateways within 24 hours of CISA KEV additions for network perimeter devices. VPN gateways are the most frequently exploited enterprise initial access vector and require a faster patch cadence than standard enterprise software.
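
The 30-day log review in the short-term action above can be scripted once the gateway logs are exported. The following is an added example, not code from Check Point or from this advisory: the CSV column names, the allowlisted ranges and the sample rows are all constructed, so map them to the fields your own export contains.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed allowlist of office and known-employee ranges (constructed values).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.10/32")]

# Constructed sample export; column names are hypothetical, not a vendor schema.
SAMPLE_LOG = """timestamp,src_ip,ike_version,event
2026-06-05T02:14:09+00:00,192.0.2.77,IKEv1,tunnel_established
2026-06-05T02:19:41+00:00,192.0.2.77,IKEv1,tunnel_established
2026-06-06T08:30:00+00:00,198.51.100.23,IKEv1,tunnel_established
2026-06-06T09:00:00+00:00,192.0.2.99,IKEv2,tunnel_established
2026-04-01T11:00:00+00:00,192.0.2.50,IKEv1,tunnel_established
not-a-date,192.0.2.51,IKEv1,tunnel_established
"""

def review_ikev1(log_text, now, days=30):
    """Return (hits, skipped): IKEv1 tunnels from unknown sources in the window,
    grouped by source IP, plus the number of rows that could not be parsed."""
    cutoff = now - timedelta(days=days)
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    skipped = 0
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.fromisoformat(row["timestamp"])
            ip = ipaddress.ip_address(row["src_ip"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # report unparsable rows; they need manual review
            continue
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive stamps are UTC
        if not (cutoff <= ts <= now):
            continue
        if row.get("ike_version") != "IKEv1" or row.get("event") != "tunnel_established":
            continue
        if any(ip in net for net in KNOWN_NETWORKS):
            continue
        entry = hits[str(ip)]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(hits), skipped

if __name__ == "__main__":
    review_date = datetime(2026, 6, 8, tzinfo=timezone.utc)  # constructed review date
    hits, skipped = review_ikev1(SAMPLE_LOG, review_date)
    for ip, e in sorted(hits.items()):
        print(f"{ip}: {e['count']} IKEv1 tunnels, {e['first']} to {e['last']}")
    print(f"{skipped} unparsable rows")
```

Any source IP the function returns is a lead for the incident response process, and a non-zero skipped count means part of the log was not reviewed.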