CISA gives feds 3 days to patch Check Point VPN bug used as zero-day

CISA has ordered US government agencies to protect their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability that was exploited in zero-day attacks by Qilin ransomware affiliates.
Unauthorized remote attackers could use this security flaw (tracked as CVE-2026-50751) to bypass authentication and establish a remote access VPN connection to targeted Mobile Access/SSL VPNs, Remote Access VPNs, or Spark firewalls.
The vulnerability only affects instances configured to use the deprecated IKEv1 key exchange protocol, on firewalls that accept legacy Remote Access clients and do not require a machine certificate to connect.

Israeli company Check Point released security updates to address CVE-2026-50751 on Monday, flagging it as exploited in attacks that began on May 7 and intensified over the weekend.
Although the attacks led to the breach of “a few” organizations around the world, Check Point linked at least one incident to the Qilin Ransomware-as-a-Service (RaaS) operation, which has claimed more than 400 victims on its dark web leak site since it appeared in August 2022.
“So far, the exploits noted have been limited to a few targeted organizations around the world. One case involved post-compromise activity related to the Qilin ransomware affiliate,” the company said. “Customers using the IKEv1 key exchange protocol are strongly encouraged to apply available security updates as soon as possible.”
Check Point also shared mitigations for those who can’t patch, advising them to remove legacy remote access client support, configure the Remote Access VPN Authentication global fields to IKEv2 only, enable IPS and download signatures, and configure Machine Certificate Verification as mandatory.

Feds ordered to patch by June 11

Yesterday, CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by June 11, as mandated by Binding Operational Directive (BOD) 22-01.
“This type of vulnerability is a common attack by malicious actors and poses a significant risk to government business,” the cybersecurity agency noted.
“Use mitigations in each vendor’s instructions, follow applicable BOD 22-01 guidelines for cloud services, or stop using the product if mitigations are not available.”
Although this binding operational directive applies only to US government agencies, CISA urged all security teams (including those in the private sector) to deploy patches for CVE-2026-50751 and secure their organizations’ networks as soon as possible.
Two years ago, CISA flagged another vulnerability (CVE-2024-24919) in Check Point’s Quantum Security Gateways as being actively exploited by ransomware groups, confirming an Orange Cyberdefense CERT report linking it to the NailaoLocker ransomware attack.




