TechRadar
Sead Fadilpašić

Check Point says VPN attacks caused by Qilin ransomware group — who had a month's head start on them

  • Check Point patches critical VPN auth-bypass flaw (CVE-2026-50751) used in ransomware attacks
  • Zero-day exploited since early May, with Qilin deploying ransomware in at least one case
  • Customers urged to apply fixes and mitigations immediately

Check Point says it has fixed a vulnerability in its VPN products that was being used in ransomware attacks against dozens of organizations worldwide.

In a published security advisory, the company said it had addressed an authentication bypass vulnerability that allowed remote threat actors to establish a remote access VPN connection without a valid user password.

The bug is tracked as CVE-2026-50751 and was given a severity score of 9.3/10 (critical).

Applying the fix

Check Point's VP of research, Lotem Finkelstein, noted that the attacks leveraging this bug started on May 7, 2026, more than a month ago. In early June, the attacks picked up in such volume that they drew the attention of Check Point, which realized on June 4 that it was dealing with an actively exploited zero-day.

However, Finkelstein tried to frame the attacks as relatively low volume: “We have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days,” he said, adding that in at least one case, the compromise was used to deploy Qilin ransomware.

CVE-2026-50751 is a bug that affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol.

Check Point has urged its customers to apply the provided fixes, and to deploy mitigations and other hardening measures, as soon as possible. A full list of indicators of compromise (IoC) can also be found on this link.

The company did not discuss who the victims were or which industries they operate in, but from previous reports we know that Qilin is a major player that often targets critical infrastructure providers. For example, in February 2026, it added the Transport Workers Union of America (TWU) Local 100 chapter to its data leak site, saying it had broken into the organization and already leaked everything it stole onto the dark web.

Via The Register
