An improper authentication vulnerability in Check Point Security Gateway’s IKEv1 key exchange, tracked as CVE-2026-50751, allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without valid credentials. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on June 8, 2026 with a federal agency remediation deadline of June 11, 2026 — just three days from the KEV addition. This follows the pattern of the PAN-OS GlobalProtect auth bypass (CVE-2026-0257) covered last week — perimeter VPN gateway authentication bypass is among the most dangerous vulnerability classes for enterprise security.
What Is the Vulnerability?
CVE-2026-50751 is an improper authentication vulnerability in Check Point Security Gateway’s IKEv1 (Internet Key Exchange version 1) key exchange mechanism. IKE is the protocol used to establish IPsec VPN tunnels — it negotiates cryptographic keys and authenticates both ends of the VPN connection. The vulnerability allows an attacker to bypass the user authentication step during IKEv1 negotiation, establishing a VPN tunnel to the internal network without providing valid user credentials.
Check Point Security Gateway is deployed as the primary perimeter firewall and VPN appliance at thousands of organisations globally. It handles site-to-site VPN connections between offices and remote access VPN for employees, contractors, and third parties. A compromised VPN gateway gives an attacker network-level access behind the perimeter — they can reach internal systems, perform reconnaissance, and pivot laterally within the network. This is the second major perimeter VPN authentication bypass to hit CISA KEV in two weeks, following PAN-OS CVE-2026-0257, signalling a pattern of attackers specifically targeting VPN gateway authentication mechanisms.
- CVSS v3.1 Score: 9.8 (Critical — estimated)
- Attack Vector: Network — no authentication required
- CISA KEV: Added June 8, 2026 — deadline June 11, 2026 (72-hour window)
Which Versions Are Affected?
- Check Point Security Gateway — affected versions using IKEv1 for VPN. Consult the Check Point advisory for specific affected versions and fixed releases.
Is It Being Exploited in the Wild?
CISA KEV addition confirms active exploitation. The 72-hour remediation window — three days from KEV addition to deadline — signals extreme urgency. This is the same aggressive timeline used for the PAN-OS CVE-2026-0257, which was subsequently confirmed to be under active exploitation by multiple threat actors.
What Is the Fix?
Check Point has released a security update. Apply the patch immediately through the Check Point update mechanism. If IKEv1 is not operationally required, disable it in favour of IKEv2 — this eliminates the attack surface entirely, even before patching. After patching, audit VPN connection logs for IKEv1 sessions from unrecognised IP addresses or without corresponding valid user authentication records.
Recommendations
- Patch today. A 72-hour CISA KEV deadline on a perimeter VPN authentication bypass is an emergency-patch scenario with no room for delay.
- Disable IKEv1 if not needed. IKEv2 is the current standard and is not affected by this vulnerability. If your VPN deployment only requires IKEv2, disabling IKEv1 eliminates the attack surface.
- Audit VPN logs. Review Check Point logs for VPN sessions established via IKEv1 without corresponding user authentication events. Look for connections from unfamiliar IP ranges, hosting provider networks, or geographic regions where your organisation does not operate.
- Hunt for signs of lateral movement. If your Check Point gateway was unpatched and reachable during the exploitation window, assume the internal network may have been accessed. Review internal network logs for unusual connection patterns originating from VPN IP pools.
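One way to run the log audit recommended above, as an added example that is not from Check Point or the original advisory. It assumes gateway logs have been exported to JSON lines; the field names (`event`, `ike`, `src`, `assigned_ip`), the 60-second correlation window and the known-network list are all hypothetical and must be mapped to your own export.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records using documentation IP ranges.
# Field names are hypothetical, not Check Point's log schema.
SAMPLE_LOG = """\
{"ts": "2026-06-08T09:00:02Z", "event": "user_auth_ok", "src": "198.51.100.20", "user": "alice"}
{"ts": "2026-06-08T09:00:05Z", "event": "tunnel_up", "ike": 1, "src": "198.51.100.20", "assigned_ip": "10.8.0.11"}
{"ts": "2026-06-08T09:14:40Z", "event": "tunnel_up", "ike": 1, "src": "203.0.113.77", "assigned_ip": "10.8.0.12"}
{"ts": "2026-06-08T09:20:00Z", "event": "user_auth_ok", "src": "192.0.2.9", "user": "bob"}
{"ts": "2026-06-08T09:20:03Z", "event": "tunnel_up", "ike": 2, "src": "192.0.2.9", "assigned_ip": "10.8.0.13"}
{"ts": "2026-06-08T11:00:00Z", "event": "tunnel_up", "ike": 1, "src": "198.51.100.20", "assigned_ip": "10.8.0.14"}
"""

AUTH_WINDOW = timedelta(seconds=60)               # assumed max gap between auth and tunnel setup
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]  # assumed expected client ranges

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_suspect_sessions(log_text, window=AUTH_WINDOW, known=KNOWN_NETWORKS):
    """Return IKEv1 tunnels lacking a recent auth event or coming from unfamiliar ranges."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: parse_ts(e["ts"]))
    last_auth = {}  # source IP -> time of most recent successful user authentication
    suspects = []
    for e in events:
        ts = parse_ts(e["ts"])
        if e["event"] == "user_auth_ok":
            last_auth[e["src"]] = ts
            continue
        if e["event"] != "tunnel_up" or e.get("ike") != 1:
            continue  # only IKEv1 tunnel establishments are in scope
        reasons = []
        auth_ts = last_auth.get(e["src"])
        if auth_ts is None or ts - auth_ts > window:
            reasons.append("no_matching_auth")
        if not any(ip_address(e["src"]) in net for net in known):
            reasons.append("unfamiliar_source")
        if reasons:
            suspects.append({"ts": e["ts"], "src": e["src"],
                             "assigned_ip": e.get("assigned_ip"), "reasons": reasons})
    return suspects

if __name__ == "__main__":
    for s in find_suspect_sessions(SAMPLE_LOG):
        print(s)
```

The `assigned_ip` of each flagged session is the starting point for the lateral-movement review of traffic from VPN IP pools.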
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 9, 2026.
