{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreihpbzo6sb273skxodsuozz6zyqdecfqbgttyqnqxo2arxj7g2ixgm",
"uri": "at://did:plc:awj2q63kg2v3k5xwsjh2uoe3/app.bsky.feed.post/3mnvftqkyeep2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreifa7zlttnxf5av3r77ua7z4qqrdcgl4gxxrng43l2ux7k4yulk5km"
},
"mimeType": "image/jpeg",
"size": 284458
},
"description": "According to TechCrunch, CISA is giving US federal agencies until the end of Wednesday to fix an actively exploited VPN vulnerability in the deprecated IKEv1 key exchange protocol.",
"path": "/news/2026/06/10/ransomware-gang-exploiting-legacy-vpn-protocol-in-us-federal-agencies/",
"publishedAt": "2026-06-10T00:01:47.000Z",
"site": "https://www.privacyguides.org",
"tags": [
"TechCrunch",
"deprecated IKEv1",
"CVE-2026-50751",
"Qilin",
"remediation",
"CVE-2026-50752",
"Salt Typhoon",
"Volt Typhoon"
],
"textContent": "According to TechCrunch, CISA is giving US federal agencies until the end of Wednesday to fix an actively exploited VPN vulnerability in the deprecated IKEv1 key exchange protocol.\n\nCheck Point Research identified active exploitation of CVE-2026-50751, a bug affecting their own VPN offerings.\n\nThe bug allows an attacker to bypass authentication and establish a VPN connection without knowing the password.\n\nCheck Point identified Qilin, a software-as-a-service ransomware group, as the culprits in the active exploitation.\n\n> To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate.\n\nAmong these organizations are reportedly multiple US federal agencies, who have had the deprecated IKEv1 protocol enabled for some reason.\n\nCheck Point estimates that the attacks began on May 7, but ramped up in June, when they first noticed the activity.\n\nThey also believe that Qilin is \"exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet and F5.\"\n\nIt's a mystery why US agencies had a deprecated protocol enabled in the first place.\n\nAside from updating to the patched software immediately, Check Point's remediation steps involve disabling IKEv1 and switching to IKEv2 exclusively, as well as disabling support for legacy clients.\n\nWhile investigating this attack, Check Point found another vulnerability, CVE-2026-50752, although they say they didn't see any evidence of this one being actively exploited in the wild. This vulnerability also involves IKEv1:\n\n> A condition in the certificate validation logic of the deprecated\n> IKEv1 key exchange can allow a man-in-the-middle attack on VPN\n> site-to-site connections.\n\nA ransomware gang actively attacking US infrastructure puts the data of all US citizens at risk, and it could involve bringing down vital infrastructure like water treatment plants and power plants.\n\nSituations like this one hark back to the Salt Typhoon cyberattacks, where Chinese hackers infiltrated American telecom infrastructure, compromising the phone calls and data of over 1 million users.\n\nIronically, they used a legally mandated Communications Assistance for Law Enforcement Act (CALEA) telecom backdoor.\n\nAnother attack, Volt Typhoon, involved a years-long campaign targeting US transportation, communication, energy, and water treatment plants.\n\nNeedless to say, the US government needs to step up its cybersecurity. Disabling deprecated protocols is a no-brainer and should already be mandated across all agencies.",
"title": "Ransomware Gang Exploiting Legacy VPN Protocol in US Federal Agencies",
"updatedAt": "2026-06-10T00:01:47.656Z"
}