{"uuid": "fffc13ab-f757-4d28-ad4f-1ad8befc0945", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50751", "type": "seen", "source": "https://gist.github.com/alon710/d5e17169de3d451d7d6cd197f2a5e3cc", "content": "# CVE-2026-50751: Authentication Bypass in Check Point Security Gateway IKEv1 Legacy Validation\n\n> **CVSS Score:** 9.3\n> **Published:** 2026-06-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-50751\n\n## Summary\nAn improper authentication vulnerability (CWE-287) exists in the legacy, deprecated Internet Key Exchange version 1 (IKEv1) key exchange protocol implementation in Check Point Security Gateways. The vulnerability is caused by a logic flow weakness during the certificate validation process for Remote Access VPN and Mobile Access (SSL VPN) connections. An unauthenticated remote attacker can exploit this weakness to bypass user authentication entirely, establishing a fully functional Remote Access VPN connection without a valid password.\n\n## TL;DR\nA logic flow weakness in Check Point Security Gateway IKEv1 certificate validation allows unauthenticated remote attackers to bypass authentication and establish Remote Access VPN tunnels without user passwords.\n\n## Exploit Status: ACTIVE\n\n## Technical Details\n\n- **CWE ID**: CWE-287\n- **Attack Vector**: Network (AV:N)\n- **CVSS Severity**: 9.3 (Critical)\n- **EPSS Score**: 0.00010 (Percentile: 1.23%)\n- **Exploit Status**: Active exploitation in-the-wild\n- **CISA KEV Status**: Listed (June 8, 2026)\n- **Primary Threat Actor**: Qilin Ransomware Affiliates\n\n## Affected Systems\n\n- Check Point Quantum Security Gateways\n- Check Point Maestro Orchestrators\n- Check Point Security Groups\n- Check Point Spark Firewalls\n- **Quantum Security Gateway / Maestro Orchestrator**: <= R82.10 Take 19 (Fixed in: `R82.10 Take 19 with Hotfix`)\n- **Quantum Security Gateway / Maestro Orchestrator**: <= R82 Take 103 (Fixed in: `R82 Take 103 with Hotfix`)\n- **Quantum Security Gateway / Maestro Orchestrator**: <= R81.20 Take 141 (Fixed in: `R81.20 Take 141 with Hotfix`)\n- **Spark Firewalls (Gaia Embedded)**: R82.00.X (Fixed in: `R82.00.10 Build 998002216`)\n- **Spark Firewalls (Gaia Embedded)**: R81.10.X (Fixed in: `R81.10.17 Build 996004901`)\n\n## Mitigation\n\n- Disable support for legacy Remote Access clients\n- Restrict connections to the IKEv2 protocol only\n- Enforce mandatory machine certificate authentication\n\n**Remediation Steps:**\n1. Open SmartConsole and navigate to Security Gateway properties -> VPN Clients -> Authentication.\n2. Uncheck 'Allow older clients to connect to this gateway' and install the policy.\n3. For IKEv2-only restriction: Open Global Properties -> Remote Access -> VPN Authentication, and check 'IKEv2 only'.\n4. Deploy vendor-supplied hotfixes (R82.10 Take 19, R82 Take 103, or R81.20 Take 141) as soon as possible.\n\n## References\n\n- [Check Point Support Portal Advisory (sk185033)](https://support.checkpoint.com/results/sk/sk185033)\n- [Check Point Official Security Blog Post](https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/)\n- [CISA Known Exploited Vulnerabilities Catalog Search](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-50751)\n- [CVE.org Authority Record](https://www.cve.org/CVERecord?id=CVE-2026-50751)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-50751) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-09T04:41:47.000000Z"}