
Ransomware Gang Exploiting Legacy VPN Protocol in US Federal Agencies

Privacy Guides June 10, 2026
According to TechCrunch, CISA is giving US federal agencies until the end of Wednesday to fix an actively exploited VPN vulnerability in the deprecated IKEv1 key exchange protocol. Check Point Research identified active exploitation of CVE-2026-50751, a bug affecting their own VPN offerings. The bug allows an attacker to bypass authentication and establish a VPN connection without knowing the password. Check Point identified Qilin, a software-as-a-service ransomware group, as the culprits in the active exploitation.

> To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with Qilin ransomware affiliate.

Among these organizations are reportedly multiple US federal agencies, who have had the deprecated IKEv1 protocol enabled for some reason. Check Point estimates that the attacks began on May 7, but ramped up in June, when they first noticed the activity. They also believe that Qilin is "exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet and F5." It's a mystery why US agencies had a deprecated protocol enabled in the first place.

Aside from updating to the patched software immediately, Check Point's remediation steps involve disabling IKEv1 and switching to IKEv2 exclusively and disabling support for legacy clients.

While investigating this attack, Check Point found another vulnerability, CVE-2026-50752, although they say they didn't see any evidence of this one being actively exploited in the wild. This vulnerability also involves IKEv1:

> A condition in the certificate validation logic of the deprecated IKEv1 key exchange can allow a man-in-the-middle attack on VPN site-to-site connections.

A ransomware gang actively attacking US infrastructure puts the data of all US citizens at risk, and it could involve bringing down vital infrastructure like water treatment plants and power plants.
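The remediation above boils down to one check every VPN operator can automate: does any tunnel still negotiate or accept IKEv1? The article concerns Check Point appliances, whose configuration syntax it does not show, so the added example below (not from the article or from Check Point) audits a strongSwan-style `ipsec.conf` instead, where `keyexchange=ikev1` is IKEv1 only and `keyexchange=ike` (the default) still accepts IKEv1 as a responder per strongSwan's documentation. The sample config is constructed.

```python
# Added example: audit a strongSwan-style ipsec.conf for tunnels that still
# negotiate IKEv1. keyexchange=ikev1 is IKEv1 only; keyexchange=ike (the
# default) initiates IKEv2 but still accepts IKEv1 as a responder.

# Constructed sample config (not from the article): one hardened tunnel, two not.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ike
    authby=pubkey

conn branch-a
    keyexchange=ikev1   # legacy peer, still IKEv1
    left=203.0.113.10
    right=198.51.100.20

conn branch-b
    keyexchange=ikev2
    left=203.0.113.10
    right=198.51.100.30

conn legacy-clients
    left=203.0.113.10   # no keyexchange: inherits 'ike' from %default
    right=%any
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():               # section header line
            current = line[5:].strip() if line.startswith('conn ') else None
            if current is not None:
                conns[current] = {}
        elif current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            conns[current][key] = value
    return conns

def ikev1_capable_conns(text):
    """Names of conns that would use or accept IKEv1 (honouring %default)."""
    conns = parse_conns(text)
    default_kx = conns.pop('%default', {}).get('keyexchange', 'ike')
    return sorted(name for name, opts in conns.items()
                  if opts.get('keyexchange', default_kx) in ('ikev1', 'ike'))

if __name__ == '__main__':
    for name in ikev1_capable_conns(SAMPLE_IPSEC_CONF):
        print(f'{name}: IKEv1 still negotiable, set keyexchange=ikev2')
```

Only `branch-b` is IKEv2-only; the other two tunnels are what the remediation says to fix.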
Situations like this one hearken back to the Salt Typhoon cyberattacks, where Chinese hackers infiltrated American telecom infrastructure, compromising the phone calls and data of over 1 million users. Ironically, they used a legally mandated Communications Assistance for Law Enforcement Act (CALEA) telecom backdoor. Another attack, Volt Typhoon, involved a years-long campaign targeting US transportation, communication, energy, and water treatment plants. Needless to say, the US government needs to step up its cybersecurity. Disabling deprecated protocols is a no-brainer and should already be mandated across all agencies.
