TL;DR
Check Point patched a critical VPN zero-day (CVE-2026-50751) exploited since May 7 by a Qilin ransomware affiliate targeting dozens of organisations.
CVE-2026-50751 bypasses authentication on VPN gateways using the deprecated IKEv1 protocol, and the attackers are also hitting Palo Alto, Fortinet, and F5.
Check Point has disclosed and patched a critical zero-day vulnerability in its Remote Access VPN and Mobile Access products that a Qilin ransomware affiliate exploited for roughly a month before a fix was available. The flaw, tracked as CVE-2026-50751 with a CVSS score of 9.3, allows an unauthenticated attacker to bypass password authentication entirely and establish a VPN session by exploiting a logic error in certificate validation.
The vulnerability affects VPN deployments configured to use IKEv1, a deprecated key exchange protocol that Check Point still supports for legacy remote access clients. The company said in a security advisory published on Sunday that it first detected suspicious activity on 4 June, but the earliest confirmed exploitation dates to 7 May. Attacks have ramped up significantly this month.
Check Point described the scope as limited to “a few dozen targeted organisations globally.” In at least one case, the post-exploitation activity was linked to a Qilin ransomware affiliate, a financially motivated group that has increasingly relied on corporate VPN appliances as its preferred initial access vector. Check Point said the attackers appear to be exploiting VPN vulnerabilities from multiple vendors, including Palo Alto Networks, Fortinet, and F5.
“We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet, and F5,” Check Point noted. The company also identified indicators that the actor may use the Tox protocol for communication, a pattern commonly associated with ransomware operators. The attackers used virtual private servers geolocated to the same country as their targets to conduct the intrusions, then attempted to download malicious ELF files from actor-controlled infrastructure.
The findings align with a broader pattern of zero-day exploitation that has accelerated in 2026. Google’s Threat Intelligence Group documented last month how criminal and state-sponsored actors are scaling their use of previously unknown vulnerabilities, with VPN appliances and network edge devices consistently among the most targeted categories. Firewalls, VPNs, and other edge appliances typically do not provide sufficient telemetry to detect or stop these attacks, creating what researchers call an industry-wide visibility gap.
Successful exploitation of CVE-2026-50751 requires four conditions to be met simultaneously: Remote Access VPN or Mobile Access must be enabled, IKEv1 must be active for remote access, the gateway must accept legacy remote access clients, and it must not demand a machine certificate for connections. Check Point said that additional post-authentication activity is required to access internal resources or escalate privileges, meaning the VPN session alone does not grant full network access.
The affected products include Security Gateways across multiple firmware versions, from R82.10 through end-of-support releases R81, R81.10, and R80.40, as well as Spark firewalls on R80.20.X, R81.10.X, and R82.00.X. Spark is Check Point’s product line for small and medium-sized businesses, which means the vulnerability extends beyond large enterprise deployments to organisations with fewer resources to patch quickly.
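A defender-side triage helper, added here as an illustration and not taken from Check Point's advisory or tooling: it encodes the four exploitation preconditions listed above and the affected firmware trains, then flags which gateways in a constructed inventory still need the hotfix or a configuration change. The `Gateway` fields, the inventory entries, and the reading of "R82.10 through R80.40" as an inclusive range are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Gateway:
    name: str
    product: str               # "gateway" (Security Gateway) or "spark"
    version: str               # e.g. "R81.10", "R82.10", "R81.10.05"
    remote_access: bool        # Remote Access VPN or Mobile Access enabled
    ikev1_remote_access: bool  # IKEv1 active for remote access
    legacy_clients: bool       # legacy remote access clients accepted
    machine_cert_required: bool
    hotfix_applied: bool = False

def parse_version(version):
    """'R81.10.05' -> (81, 10); 'R81' -> (81, 0). Only major.minor matter here."""
    nums = [int(p) for p in version.lstrip("Rr").split(".")[:2]]
    return (nums[0], nums[1] if len(nums) > 1 else 0)

def version_affected(product, version):
    """Assumed reading of the advisory's list: Security Gateways from R80.40 up to
    R82.10 inclusive; Spark on the R80.20.X, R81.10.X and R82.00.X trains."""
    v = parse_version(version)
    if product == "spark":
        return v in {(80, 20), (81, 10), (82, 0)}
    return (80, 40) <= v <= (82, 10)

def preconditions_met(gw):
    """Which of the four exploitation preconditions currently hold on this gateway."""
    checks = {
        "remote access / mobile access enabled": gw.remote_access,
        "IKEv1 active for remote access": gw.ikev1_remote_access,
        "legacy remote access clients accepted": gw.legacy_clients,
        "no machine certificate required": not gw.machine_cert_required,
    }
    return [name for name, held in checks.items() if held]

def is_exposed(gw):
    # Exposed only when the firmware is affected, unpatched, and all four hold.
    return (version_affected(gw.product, gw.version) and not gw.hotfix_applied
            and len(preconditions_met(gw)) == 4)

def triage(inventory):
    """Map each still-exposed gateway to the preconditions that make it exposed."""
    return {gw.name: preconditions_met(gw) for gw in inventory if is_exposed(gw)}

# Constructed inventory for illustration only; names and settings are made up.
INVENTORY = [
    Gateway("hq-fw1", "gateway", "R81.10", True, True, True, False),
    Gateway("branch-spark", "spark", "R81.10.05", True, True, True, True),
    Gateway("dc-fw2", "gateway", "R82.10", True, True, True, False, hotfix_applied=True),
    Gateway("lab-fw", "gateway", "R81", True, False, True, False),
]
```

Any gateway returned by `triage` is closed off by applying the hotfix or by breaking one precondition, most simply disabling IKEv1 for remote access or requiring a machine certificate.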
Check Point’s investigation also uncovered a second vulnerability, CVE-2026-50752, with a CVSS score of 7.4, which could allow an adversary-in-the-middle attack on site-to-site VPN connections using the same deprecated IKEv1 protocol. There is no evidence that CVE-2026-50752 has been exploited in the wild. Both flaws are addressed in the hotfixes Check Point released alongside the disclosure.
The Qilin ransomware group, also known as Agenda, has been one of the more active financially motivated threat actors in 2026. A Ctrl-Alt-Intel report published last month documented the group’s systematic abuse of corporate VPN appliances, specifically WatchGuard and Fortinet devices, for initial access, deploying the Sliver command-and-control framework before eventually pushing ransomware binaries targeting Linux, ESXi, and Nutanix environments. The Check Point zero-day appears to be the latest addition to that playbook.