# CISA Mandates Urgent Patching for Check Point VPN Zero-Day Exploited by Qilin Ransomware
U.S. government agencies are under strict orders from **CISA** to patch a critical zero-day vulnerability in **Check Point Remote Access VPN** and **Mobile Access** deployments. Tracked as **CVE-2026-50751**, this flaw is actively being exploited by affiliates of the **Qilin ransomware** operation, allowing unauthenticated remote attackers to bypass authentication and establish unauthorized VPN connections.
The **Cybersecurity and Infrastructure Security Agency (CISA)** has issued a directive to U.S. government agencies, demanding immediate action to secure their **Check Point Remote Access VPN** and **Mobile Access** deployments. This urgent mandate follows the discovery of **CVE-2026-50751**, a critical vulnerability actively exploited in zero-day attacks by affiliates of the **Qilin ransomware** group.
This security flaw enables unauthenticated remote attackers to bypass authentication protocols, establishing a remote access VPN connection on targeted **Mobile Access/SSL VPNs**, **Remote Access VPNs**, or **Spark firewalls**.
Crucially, the vulnerability specifically impacts instances configured to use the deprecated **IKEv1** key exchange protocol. Affected systems are those where security gateways do not require a machine certificate for connections and accept legacy Remote Access clients.
**Check Point**, the Israeli cybersecurity firm, released security updates to address **CVE-2026-50751** on Monday. The company noted that exploitation began on May 7 and saw a significant surge over the past weekend.
While the observed exploitation has been limited to "a few dozen" organizations globally, **Check Point** has confirmed at least one incident directly linked to the **Qilin Ransomware-as-a-Service (RaaS)** operation. **Qilin** has been highly active, claiming over 400 victims on its dark web leak site since its emergence in August 2022.
"To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with **Qilin ransomware** affiliate," **Check Point** stated. "Customers using **IKEv1** key exchange protocol are strongly encouraged to apply the available security updates immediately."
For organizations unable to patch immediately, **Check Point** has provided mitigation measures. These include removing support for the legacy remote access client, configuring global properties for Remote Access VPN Authentication to **IKEv2** only, enabling **IPS** and downloading the relevant signatures, and configuring Machine Certificate Authentication as mandatory.
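One way to verify that the IKEv2-only mitigation took effect is to read the IKE headers a gateway sends in captured UDP/500 and UDP/4500 traffic. The following is an added example, not Check Point or CISA code; the record layout, function names, and sample capture are assumptions constructed here, and only IKEv1 phase 1 messages sent by a gateway count as evidence that it still negotiates IKEv1.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4      # prefixes IKE on UDP/4500 (RFC 3948)
IKEV1_PHASE1 = {2, 4}             # Identity Protection (Main Mode), Aggressive

def parse_ike(payload, port):
    """Return (major_version, exchange_type) for an IKE datagram, else None."""
    if port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None           # ESP-in-UDP traffic, not IKE
        payload = payload[4:]
    if len(payload) < 28:
        return None
    # init SPI(8) resp SPI(8) next(1) version(1) exchange(1) flags(1) msg-id(4) length(4)
    ispi, _, _, version, xchg, _, _, length = struct.unpack("!8s8sBBBBII", payload[:28])
    major = version >> 4          # high nibble: 1 = IKEv1, 2 = IKEv2
    if ispi == b"\x00" * 8 or length < 28 or major not in (1, 2):
        return None
    return major, xchg

def gateways_negotiating_ikev1(records, gateways):
    """Gateways that sent an IKEv1 phase 1 message, i.e. still negotiate IKEv1."""
    hits = set()
    for src, sport, _dst, _dport, payload in records:
        if src in gateways and sport in (500, 4500):
            parsed = parse_ike(payload, sport)
            # An IKEv1 Informational reply (type 5) is not counted as negotiation.
            if parsed and parsed[0] == 1 and parsed[1] in IKEV1_PHASE1:
                hits.add(src)
    return sorted(hits)

def _hdr(version, xchg, rspi=b"\x22" * 8):   # builds constructed sample headers
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, rspi, 1, version, xchg, 0, 0, 28)

# Constructed sample capture (documentation addresses): (src, sport, dst, dport, payload)
SAMPLE = [
    ("198.51.100.7", 40000, "192.0.2.10", 500, _hdr(0x10, 2, b"\x00" * 8)),  # client, IKEv1
    ("192.0.2.10", 500, "198.51.100.7", 40000, _hdr(0x10, 2)),    # gateway answers Main Mode
    ("198.51.100.8", 40001, "192.0.2.20", 500, _hdr(0x10, 4, b"\x00" * 8)),
    ("192.0.2.20", 500, "198.51.100.8", 40001, _hdr(0x10, 5)),    # IKEv1 Informational only
    ("192.0.2.30", 4500, "198.51.100.9", 40002, NON_ESP_MARKER + _hdr(0x20, 34)),  # IKEv2
    ("192.0.2.30", 4500, "198.51.100.9", 40002, b"\xde\xad\xbe\xef" + b"\x00" * 40),  # ESP
]

if __name__ == "__main__":
    print(gateways_negotiating_ikev1(SAMPLE, {"192.0.2.10", "192.0.2.20", "192.0.2.30"}))
```

Feed it datagrams exported from a capture at the VPN edge; any gateway it returns after the mitigation was applied still needs attention.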
## Feds Ordered to Patch by June 11
**CISA** yesterday added **CVE-2026-50751** to its **Known Exploited Vulnerabilities (KEV) Catalog**. The addition requires Federal Civilian Executive Branch (**FCEB**) agencies to secure their affected devices by June 11, in accordance with **Binding Operational Directive (BOD) 22-01**.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** remarked. The agency further advised: "Apply mitigations per vendor instructions, follow applicable **BOD 22-01** guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Although **BOD 22-01** primarily targets U.S. federal agencies, **CISA** strongly urged all security teams, including those in the private sector, to deploy patches for **CVE-2026-50751** and fortify their networks without delay.
This isn't the first time **Check Point** vulnerabilities have drawn **CISA's** attention. Two years prior, **CVE-2024-24919** in **Check Point's Quantum Security Gateways** was also flagged as actively exploited by ransomware groups, specifically linked to **NailaoLocker ransomware** attacks.