CVE-2026-50751

CRITICAL KEV RANSOMWARE

Check Point Quantum/Spark Gateways - Unauthenticated VPN Authentication Bypass

Title source: manual
STIX 2.1

Exploitation Summary

CVE-2026-50751 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2026, with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including watchtowrlabs, fernstedt, fevar54.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-50751, a Check Point Remote Access VPN IKEv1 certificate-authentication bypass. The PoC demonstrates how an attacker can authenticate as a provisioned user without a valid certificate, private key, or password by exploiting a vulnerability in the iked service that skips certificate signature verification.

Description

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.

Exploits (6)

nomisec WORKING POC 1 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-Check-Point-CVE-2026-50751

This repository contains a functional exploit for CVE-2026-50751, a Check Point Remote Access VPN IKEv1 certificate-authentication bypass. The PoC demonstrates how an attacker can authenticate as a provisioned user without a valid certificate, private key, or password by exploiting a vulnerability in the iked service that skips certificate signature verification.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Check Point Remote Access VPN (IKEv1)
No auth needed
Prerequisites: Valid Remote-Access username · Gateway configured for IKEv1 and certificate-based authentication
devstral-2 · analyzed Jun 12, 2026 Full analysis →
github SCANNER
by fernstedt · pythonpoc
https://github.com/fernstedt/CVE-2026-50751

This repository contains a multi-threaded scanner for CVE-2026-50751, which detects if IKEv1 is enabled on Check Point Quantum Security Gateways. The tool sends minimal IKEv1 probes to target systems and checks for responses, but does not exploit the vulnerability.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Check Point Quantum Security Gateways with IKEv1 enabled
No auth needed
Prerequisites: Network access to target systems · IKEv1 enabled on target systems
devstral-2 · analyzed Jun 10, 2026 Full analysis →
github WORKING POC
by fevar54 · pythonpoc
https://github.com/fevar54/CVE-2026-50751---Check-Point-IKEv1-Authentication-Bypass-Exploit

This repository contains a functional Python exploit for CVE-2026-50751, which bypasses authentication in Check Point VPN gateways via a logic flaw in IKEv1 certificate validation. The exploit demonstrates the full attack chain from SA negotiation to VPN tunnel establishment.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Check Point Remote Access VPN (R80.40 - R82.10 with IKEv1 enabled)
No auth needed
Prerequisites: IKEv1 enabled on target · network access to UDP port 500
devstral-2 · analyzed Jun 10, 2026 Full analysis →
github WORKING POC
by WadesWeaponShed · shellpoc
https://github.com/WadesWeaponShed/CVE-2026-50751-Mitigation-Scripts

This repository contains functional mitigation scripts for CVE-2026-50751, targeting Check Point VPN gateways. The scripts disable legacy client support and enforce IKEv2-only encryption to mitigate the vulnerability.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Check Point VPN gateways (MDS/SMS environments)
Auth required
Prerequisites: Check Point Management API access · Administrative privileges · mgmt_cli tool availability
devstral-2 · analyzed Jun 08, 2026 Full analysis →
github SCANNER
by 0xBlackash · pythonpoc
https://github.com/0xBlackash/CVE-2026-50751

The repository contains a Python script that checks for the presence of IKEv1 on Check Point VPN gateways, which could indicate potential vulnerability to CVE-2026-50751. It does not exploit the vulnerability but scans for its presence.

Classification
Scanner 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Check Point Quantum Security Gateway with IKEv1 Remote Access VPN
No auth needed
Prerequisites: Network access to the target VPN gateway · IKEv1 protocol enabled on the target
devstral-2 · analyzed Jun 08, 2026 Full analysis →
vulncheck_xdb TROJAN
remote
https://github.com/hlkysipv/CVE-2026-50751-Check-Point-IKEv1-Authentication-Bypass

The repository contains a functional IKEv1 authentication bypass exploit for Check Point gateways, but the cryptography module includes obfuscated malicious code that downloads and executes payloads from external URLs, indicating a trojanized exploit.

Classification
Trojan 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Check Point gateways R80.20+ with IKEv1 Remote Access enabled
No auth needed
Prerequisites: IKEv1 Remote Access enabled · Gateway accepts pre-shared key / certificate-based IKEv1 handshakes
devstral-2 · analyzed Jun 12, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.3
EPSS 0.1184
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-06-08
VulnCheck KEV 2026-06-08
ENISA EUVD EUVD-2026-35047
Ransomware Use Confirmed
CWE
CWE-287
Status published
Products (4)
checkpoint/gaia_embedded r81.10.17 (6 CPE variants)
checkpoint/gaia_embedded r82.00.10 (7 CPE variants)
checkpoint/gaia_embedded r80.20.00 - r81.10.17
checkpoint/gaia_os r81.20 (36 CPE variants)
Published Jun 08, 2026
KEV Added Jun 08, 2026
Tracked Since Jun 08, 2026