Check Point Patches Critical VPN Zero-Day Exploited by Qilin Ransomware
Cybersecurity firm **Check Point** has released urgent security updates to address a critical zero-day vulnerability, **CVE-2026-50751**, affecting its Remote Access VPN and Mobile Access deployments. This flaw has been actively exploited by unauthenticated attackers, with at least one incident linked to the notorious **Qilin ransomware** operation.

Tracked as **CVE-2026-50751**, the flaw has been actively exploited in the wild and allows unauthenticated attackers to bypass authentication on **Check Point** Remote Access VPN and Mobile Access deployments.
### Critical VPN Flaw Under Active Attack
The vulnerability, **CVE-2026-50751**, enables remote attackers to establish a VPN connection without proper authentication on targeted Mobile Access / SSL VPNs, Remote Access VPNs, or Spark firewalls. Exploitation began on May 7th, with a surge in activity observed in early June.
**Check Point** has confirmed that the attacks have affected "a few dozen" organizations globally. Disturbingly, at least one of these incidents has been directly linked to post-compromise activity by a **Qilin ransomware** affiliate.
### The Vulnerability Explained
This critical flaw specifically affects deployments configured to use the deprecated **IKEv1** key exchange protocol. Within those deployments, the affected systems are security gateways that accept legacy Remote Access clients and do not require a machine certificate for connections.
**Check Point Research** emphasized the urgency of the situation: "Check Point Research has identified active exploitation of **CVE-2026-50751**, a critical authentication bypass vulnerability affecting **Check Point** Remote Access VPN and Mobile Access deployments configured to use the deprecated **IKEv1** key exchange protocol... Customers using **IKEv1** key exchange protocol are strongly encouraged to apply the available security updates immediately."
### Mitigation and a Second Discovery
For organizations unable to apply patches immediately, **Check Point** has provided several mitigation measures. These include removing support for the legacy remote access client, configuring global properties for Remote Access VPN Authentication to **IKEv2** only, making Machine Certificate Authentication mandatory, and enabling IPS with updated signatures.
During their investigation into **CVE-2026-50751**, **Check Point** uncovered a second vulnerability, **CVE-2026-50752**. This flaw affects certificate validation within the deprecated **IKEv1** key exchange, potentially allowing man-in-the-middle attacks on site-to-site VPN connections. While there is no evidence of **CVE-2026-50752** being exploited in the wild, customers are advised to apply updates to mitigate any potential exposure.
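
One way to check the **IKEv2**-only mitigation from a packet capture, as an added example that is not Check Point's code or part of the original article: it reads the version field of the IKE header on UDP 500/4500 and reports gateways that still send IKEv1 phase 1 messages. The function names, sample packets and addresses are constructed for illustration.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # SPIs, next payload, version, exchange, flags, msg id, length
NON_ESP_MARKER = b"\x00" * 4             # precedes IKE on UDP 4500 (NAT traversal, RFC 3948)
V1_PHASE1 = {2: "Main Mode", 4: "Aggressive Mode"}   # IKEv1 exchange types that negotiate an SA

def parse_ike_header(payload, udp_port=500):
    """Return (major_version, exchange_type, responder_spi) or None if not IKE."""
    if udp_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            return None                  # ESP-in-UDP data, not an IKE message
        payload = payload[4:]
    if len(payload) < IKE_HDR.size:
        return None
    _, resp_spi, _, version, exchange, _, _, length = IKE_HDR.unpack_from(payload)
    major = version >> 4                 # high nibble: 1 = IKEv1, 2 = IKEv2
    if major not in (1, 2) or length < IKE_HDR.size:
        return None
    return major, exchange, resp_spi

def gateways_negotiating_ikev1(packets, gateway_ips):
    """Gateways that sent an IKEv1 phase 1 message, i.e. are still speaking IKEv1.

    An inbound IKEv1 packet is only a client attempt, and an IKEv1 Informational
    reply may be a rejection, so only gateway-sourced Main/Aggressive Mode counts.
    """
    hits = {}
    for src, dst, port, payload in packets:
        hdr = parse_ike_header(payload, port)
        if hdr and src in gateway_ips and hdr[0] == 1 and hdr[1] in V1_PHASE1:
            hits.setdefault(src, set()).add(V1_PHASE1[hdr[1]])
    return {gw: sorted(modes) for gw, modes in hits.items()}

def make_header(version, exchange, resp_spi=b"\x00" * 8):
    """Build a constructed 28-byte IKE header for the sample capture below."""
    return IKE_HDR.pack(b"\x11" * 8, resp_spi, 1, version, exchange, 0, 0, IKE_HDR.size)

# Constructed sample capture: (src, dst, udp_port, udp_payload); documentation address ranges.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", 500, make_header(0x10, 2)),               # client tries IKEv1
    ("192.0.2.10", "198.51.100.7", 500, make_header(0x10, 2, b"\x22" * 8)),  # gateway answers Main Mode
    ("198.51.100.8", "192.0.2.20", 500, make_header(0x10, 4)),               # client tries IKEv1
    ("192.0.2.20", "198.51.100.8", 500, make_header(0x10, 5, b"\x33" * 8)),  # gateway Informational only
    ("192.0.2.20", "198.51.100.9", 4500, NON_ESP_MARKER + make_header(0x20, 35, b"\x44" * 8)),  # IKEv2
    ("192.0.2.20", "198.51.100.9", 4500, b"\x00\x00\x10\x01" + b"\xaa" * 40),                   # ESP data
]

if __name__ == "__main__":
    print(gateways_negotiating_ikev1(SAMPLE, {"192.0.2.10", "192.0.2.20"}))
```

An empty result only covers the captured window; it does not replace confirming the gateway's configured settings.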
### Understanding Qilin's Threat
The **Qilin ransomware** operation, initially known as "Agenda," emerged in August 2022 as a prominent **Ransomware-as-a-Service (RaaS)** provider. Since its inception, the group has claimed responsibility for nearly 400 victims, often listing them on its dark web leak site.
**Qilin** has targeted a diverse range of high-profile organizations across various sectors. Notable victims include automotive giant **Yanfeng**, Japanese car manufacturer **Nissan**, beer company **Asahi**, publishing giant **Lee Enterprises**, pathology services provider **Synnovis**, and **Australia's Court Services Victoria**. The confirmed link between **Qilin** and the **Check Point** VPN zero-day highlights the persistent and evolving threat posed by such sophisticated ransomware groups.