CISA Warns of Check Point Security Gateway Vulnerability Actively Exploited in Ransomware Attacks

CISA has added a critical vulnerability in Check Point Security Gateway to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are actively exploiting the flaw in ransomware campaigns.

The vulnerability, tracked as CVE-2026-50751, allows unauthenticated remote attackers to bypass user authentication and establish unauthorized VPN connections, posing severe risks to enterprise networks worldwide.

CVE-2026-50751 is an improper authentication vulnerability (CWE-287) residing in the IKEv1 (Internet Key Exchange version 1) key exchange protocol implemented in Check Point Security Gateway.

The flaw enables an unauthenticated remote attacker to bypass standard user authentication mechanisms and establish a remote access VPN tunnel without supplying a valid user password.

IKEv1 is a deprecated protocol used to negotiate and establish IPsec VPN sessions. Despite its legacy status, many organizations continue running it in production environments, a security risk that threat actors are now actively weaponizing.

Successful exploitation gives attackers a foothold directly inside the target network perimeter, effectively neutralizing the gateway’s role as a security boundary.

Active Exploitation and Ransomware Campaigns

CISA added CVE-2026-50751 to the KEV catalog on June 8, 2026, with a mandatory remediation due date of June 11, 2026, for all federal civilian executive branch (FCEB) agencies.

Critically, CISA confirmed the vulnerability is known to be used in ransomware campaigns, elevating the urgency for all organizations, not just federal agencies, to act immediately.

The ability to silently authenticate into a VPN without credentials makes this flaw particularly dangerous as an initial access vector. Ransomware operators routinely target VPN gateways as entry points, enabling lateral movement, data exfiltration, and eventual payload deployment across compromised networks.

The vulnerability affects Check Point Security Gateway products running the IKEv1 protocol for remote access VPN. Organizations using these gateways with IKEv1 enabled are directly at risk. An attacker exploiting this flaw could:

- Bypass multi-factor and password-based authentication entirely
- Establish persistent VPN access to internal network segments
- Move laterally to high-value targets including domain controllers and data repositories
- Deploy ransomware or exfiltrate sensitive data without triggering standard authentication alerts

Mitigations

Check Point has released an official hotfix addressing the vulnerability in deprecated IKEv1 VPN protocol implementations. CISA recommends that organizations take the following steps immediately:

- Apply vendor-issued mitigations per the guidance published in Check Point’s security advisory and support article SK185033
- Follow BOD 22-01 guidance for cloud-based deployments of affected products
- Discontinue use of the product if vendor mitigations cannot be applied in a timely manner
- Disable IKEv1 where it is not explicitly required, and migrate to IKEv2 as the modern, supported alternative

Organizations should also audit VPN authentication logs for anomalous connection attempts that lack corresponding valid credential events, a potential indicator of prior exploitation.
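
The log audit described above amounts to correlating tunnel-establishment events with preceding authentication-success events for the same user and source address. The following is an added example, not code from the article or from Check Point; the key=value log format, the field names (`event`, `user`, `src`, `ike`), the sample lines and the 60-second window are all assumptions to be mapped onto whatever the gateway actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value export format.
# Field names and values are assumptions, not Check Point's log schema.
SAMPLE_LOG = """\
2026-06-09T08:00:01Z event=auth_success user=alice src=198.51.100.10
2026-06-09T08:00:03Z event=tunnel_up user=alice src=198.51.100.10 ike=v2
2026-06-09T09:15:40Z event=tunnel_up user=bob src=203.0.113.77 ike=v1
2026-06-09T10:00:00Z event=auth_success user=carol src=198.51.100.20
2026-06-09T10:30:00Z event=tunnel_up user=carol src=198.51.100.20 ike=v1
2026-06-09T11:00:00Z event=auth_failure user=dave src=203.0.113.5
2026-06-09T11:00:02Z event=tunnel_up user=dave src=203.0.113.5 ike=v1
"""

def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def unmatched_tunnels(log_text, window=timedelta(seconds=60)):
    """Return tunnel_up events that have no auth_success for the same
    (user, src) pair inside the preceding window."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    last_ok = {}   # (user, src) -> time of the most recent auth_success
    findings = []
    for ev in events:
        key = (ev.get("user"), ev.get("src"))
        if ev.get("event") == "auth_success":
            last_ok[key] = ev["ts"]
        elif ev.get("event") == "tunnel_up":
            ok = last_ok.get(key)
            # Flag tunnels with no success on record, or only a stale one.
            if ok is None or ev["ts"] - ok > window:
                findings.append(ev)
    return findings

if __name__ == "__main__":
    for ev in unmatched_tunnels(SAMPLE_LOG):
        print(ev["ts"].isoformat(), ev["user"], ev["src"], "ike=" + ev.get("ike", "?"))
```

Findings are leads for review, not proof of exploitation: session resumption or log loss can also produce a tunnel without a nearby success event, so tune the window to the gateway's real authentication flow.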

This disclosure underscores the persistent risk posed by legacy protocol support in enterprise security products. VPN gateways are high-value targets precisely because compromising them grants attackers authenticated-looking network access.

Security teams should treat this patch as a critical priority and verify hotfix deployment across all gateway instances before the CISA-mandated deadline.

The post CISA Warns of Check Point Security Gateway Vulnerability Actively Exploited in Ransomware Attacks appeared first on Cyber Security News.

Source: cybersecuritynews.com
