DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:13:27ZSOURCES: 14CRITICAL: 30
⚠ ACTIVE ALERTS
@FalconFeedsio CRITICAL — 🚨 Ransomware Alert: The Gentlemen RaaS group continues active DLS postings. Now at 478… /// @DarkWebInformer CRITICAL — 🚨 ServiceNow discloses June 5 security update tied to anomalous activity — KB3067321.… /// @MsftSecIntel CRITICAL — MSTIC analysis of The Gentlemen ransomware (tracked internally): self-propagating… /// @GossiTheDog CRITICAL — ServiceNow KB3067321 situation is worse than the vendor comms suggest. Advisory was gated… /// @AlvieriD CRITICAL — The '340M OnlyFans' listing on the leak forum is a compiled corpus — seller confirmed to…
30Critical Threats
15Active CVEs
1IOCs Tracked
14New Advisories
INTEL FEED/ARCHIVE/CVE
DMZ INTEL DESK//FILED: 2026-06-12//20:04Z
CRITICAL#cve

Qilin Affiliate Exploiting Check Point VPN CVE-2026-50751 (CVSS 9.3) IKEv1 Auth Bypass as Zero-Day Since May 7 — CISA KEV, Hotfix Available

Check Point disclosed CVE-2026-50751, a logic flaw in IKEv1 certificate validation that allows unauthenticated attackers to establish a VPN session without valid credentials, actively exploited since May 7 with exploitation surging in early June. A Qilin ransomware affiliate is confirmed responsible for at least one post-compromise incident, with observed post-exploitation using Rclone for data staging and the Tox protocol for C2; attacker infrastructure spans VPS providers Kaupo Cloud HK, Shock Hosting, and Vultr. CISA added the flaw to the KEV catalog on June 8 and ordered federal agencies to patch by June 11; defenders should audit VPN logs from May 7 onward and immediately disable IKEv1 or apply the available hotfix.

CISA added the flaw to the KEV catalog on June 8 and ordered federal agencies to patch by June 11; defenders should audit VPN logs from May 7 onward and immediately disable IKEv1 or apply the available hotfix.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
cve-2026-50751 · check-point-vpn · qilin · ikev1 · authentication-bypass · cisa-kev · rclone · zero-day · ransomware-initial-access
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED CVES

CVE
CVE-2026-50751
Check Point VPN IKEv1 Authentication Bypass Zero-Day
CVSS 9.3

RELATED ACTORS

ACTOR
UNNAMED AI ZERO-DAY CRIMINAL CLUSTER
CRIMINAL
ACTOR
Unattributed AI-Assisted Mass Exploitation Actor
CRIMINAL

MORE FROM ARCHIVE

# CVE
2026-06-13
Check Point Discloses Three-CVE RCE Chain in LangGraph Affecting 46M+ Monthly Downloads; SQL Injection to Unsafe Deserialization Kill Chain
# CVE
2026-06-11
CVE-2026-44963 (CVSS 9.4): Any Domain User Can RCE Veeam Backup & Replication 12.x — Ransomware Weaponization Expected Imminently
# CVE
2026-06-09
CVE-2026-23111: Linux Kernel nf_tables Use-After-Free Enables Unprivileged Root and Container Escape — Full Exploit Public via Exodus Intelligence
# CVE
2026-06-09
CVE-2026-28318: CISA KEV-Listed SolarWinds Serv-U Unauthenticated DoS Actively Exploited — 12,000+ Internet-Exposed Instances, FCEB Deadline June 19