ADVISORY SUMMARY
CISA added CVE-2026-50751 to the KEV catalog on June 8, 2026, confirming active exploitation of a critical improper authentication vulnerability in Check Point Security Gateway's IKEv1 key exchange. The flaw allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without valid credentials. The Dutch NCSC warned of imminent large-scale abuse ahead of the CISA KEV remediation deadline, and threat modeling reports indicated KEV deadline expiry was imminent on June 13.
AFFECTED SYSTEMS
MITIGATION GUIDANCE
Apply Check Point patches per vendor instructions immediately. Disable IKEv1 if not operationally required and migrate to IKEv2. Enforce MFA for all remote access VPN user accounts. Restrict VPN gateway management interfaces to trusted IP ranges. Federal agencies must remediate per BOD 22-01 requirements.
DETECTION SIGNATURES
Monitor VPN authentication logs for successful IKEv1 sessions originating from unexpected source IPs or outside business hours. Alert on VPN connections established without corresponding MFA/certificate events. Review firewall logs for IKEv1 negotiation attempts from scanning infrastructure. Check Point has published indicators in its security advisory — correlate against SIEM for anomalous tunnel establishment.
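The checks described above, sketched as an added example (not Check Point's or CISA's code). It assumes events have already been normalized by the SIEM into the hypothetical fields shown; the field names, trusted range, business hours, correlation window and sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: SIEM-normalized events; this is not Check Point's native log schema.
TRUSTED_NETS = [ip_network("198.51.100.0/24")]  # constructed: expected client ranges
BUSINESS_HOURS = range(8, 18)                   # constructed: 08:00-17:59, Mon-Fri
MFA_WINDOW = timedelta(minutes=5)               # assumed MFA-to-tunnel correlation window

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2026-06-09T09:14:02", "type": "mfa_success", "user": "alice", "src_ip": "198.51.100.23"},
    {"ts": "2026-06-09T09:14:10", "type": "vpn_established", "user": "alice", "src_ip": "198.51.100.23", "ike": 1},
    {"ts": "2026-06-09T10:02:00", "type": "vpn_established", "user": "bob", "src_ip": "203.0.113.77", "ike": 2},
    {"ts": "2026-06-10T02:41:55", "type": "vpn_established", "user": "carol", "src_ip": "203.0.113.9", "ike": 1},
]

def flag_ikev1_sessions(events, trusted=TRUSTED_NETS, hours=BUSINESS_HOURS, window=MFA_WINDOW):
    """Return [(event, [reasons])] for IKEv1 sessions matching any heuristic."""
    mfa = [(e["user"], e["src_ip"], datetime.fromisoformat(e["ts"]))
           for e in events if e["type"] == "mfa_success"]
    findings = []
    for e in events:
        if e["type"] != "vpn_established" or e.get("ike") != 1:
            continue  # only successful IKEv1 sessions are in scope here
        when = datetime.fromisoformat(e["ts"])
        reasons = []
        if not any(ip_address(e["src_ip"]) in net for net in trusted):
            reasons.append("unexpected_source_ip")
        if when.hour not in hours or when.weekday() >= 5:
            reasons.append("outside_business_hours")
        # A legitimate login should show an MFA success for the same user and
        # source address shortly before the tunnel comes up.
        if not any(u == e["user"] and ip == e["src_ip"]
                   and timedelta(0) <= when - t <= window for u, ip, t in mfa):
            reasons.append("no_matching_mfa_event")
        if reasons:
            findings.append((e, reasons))
    return findings

if __name__ == "__main__":
    for event, reasons in flag_ikev1_sessions(SAMPLE_EVENTS):
        print(event["ts"], event["user"], event["src_ip"], ",".join(reasons))
```

The session with no matching MFA event is the strongest signal of the three, since the flaw lets a tunnel come up without valid credentials; source and time-of-day checks mainly help prioritize.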
REFERENCES
- https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2026-50751