{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreihtg26mnchp3y3aav5fidusvqzevnxr4asvgjgzlspot5afllc6na",
"uri": "at://did:plc:rrwxywdlrz5fkwj5g4u4jnrk/app.bsky.feed.post/3mnulaupmnm62"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreigps7pdmheiuh2snljykr7pxvhhoo4kce6jedyycaxqjxlw5sh7pi"
},
"mimeType": "image/jpeg",
"size": 9439317
},
"path": "/article/4182898/check-point-warns-of-ransomware-linked-attacks-exploiting-outdated-vpn-protocol.html",
"publishedAt": "2026-06-09T11:59:17.000Z",
"site": "https://www.csoonline.com",
"tags": [
"Network Security, Security, VPN, Vulnerabilities",
"post",
"IKEv1",
"CVE-2026-50752",
"man-in-the-middle",
"advisory"
],
"textContent": "Check Point has issued emergency hotfixes for a pair of vulnerabilities affecting VPN deployments that still use the deprecated Internet Key Exchange version 1 (IKEv1) protocol, warning that one of the flaws is already being exploited in the wild.\n\nThe more serious issue allows attackers to establish VPN sessions without a valid password, potentially giving them a foothold inside corporate networks. According to the company, attackers have been exploiting the vulnerability since at least early May, with activity accelerating in recent weeks.\n\n“To date, the observed exploitation has been limited to a few dozen targeted organizations globally,” Lotem Finkelstein, vice president of research at Check Point, said in a security blog post. “One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate.”\n\nThe vulnerabilities affect customers using Remote Access VPN, Mobile Access VPN, and certain Spark Firewall products configured for IKEv1.\n\nWhile the said protocol has been considered legacy technology for years, it remains enabled in some environments for compatibility reasons. Check Point is urging affected customers to apply the newly released hotfixes immediately and, where possible, migrate from IKEv1 to the newer IKEv2 protocol.\n\n## The deprecated protocol became an active risk\n\nThe exploited bug, tracked as CVE-2026-50571, affects deployments that continue to accept IKEv1-based remote access connections.\n\nAccording to Check Point, attackers can exploit a logic oversight in how Remote Access and Mobile Access components validate certificates during the authentication process. 
Exploitation allows an unauthenticated attacker to establish a VPN connection without supplying a valid user password.\n\nWhile additional steps may be required to access internal resources or escalate privileges, security researchers note that bypassing the VPN login barrier provides attackers with a significant foothold inside targeted environments.\n\nThe vulnerability is classified as “Improper Authentication” (CWE-287) and carries a CVSS score of 9.3. Affected Check Point Quantum software platform versions, which run on the Gaia operating system powering all Check Point products, include R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, and R82.10.\n\nThe second vulnerability, CVE-2026-50752, emerged during a broader security review conducted as part of Check Point’s investigation into the improper authentication flaw. Researchers reportedly used the company’s BLAST agentic application security platform to analyze the affected VPN components, leading to the discovery of additional weaknesses in certificate validation logic.\n\nUnlike CVE-2026-50571, the newly identified issue does not allow direct authentication bypass. 
Instead, it could enable a man-in-the-middle attacker to interfere with site-to-site VPN communications if specific conditions are met.\n\nThis flaw received a CVSS score of 7.4, with no exploitation attempts observed in the wild yet.\n\n## Mitigations and patches issued\n\nAffected organizations have been given a set of remediation steps, starting with an attack detection technique.\n\n“Search your Check Point SmartConsole logs for possible VPN certificate authentication attempts associated with the observed attacker infrastructure and certificate subject names,” Check Point said in an advisory that shared SmartConsole queries for searching by time range, attacker IP address, and VPN/IKE activity.\n\nAdditionally, the company listed three mitigations that offer protection beyond patching. These include removing support for legacy Remote Access client connections, setting Remote Access VPN authentication in Global properties to IKEv2 only, and making machine certificate authentication mandatory. Lastly, and most effectively, the company issued hotfixes for each affected version, which customers can download and apply for complete and immediate protection.",
"title": "Check Point warns of ransomware-linked attacks exploiting outdated VPN protocol"
}