Silent Keys: Qilin Ransomware Exploits Check Point IKEv1 VPN Zero-Day (CVE-2026-50751)

Tags: CVE-2026-50751, CVE-2026-50752, Check Point VPN, IKEv1, Authentication Bypass, Qilin Ransomware, Zero-Day, Remote Access VPN, Mobile Access, Spark Firewall, Certificate Forgery, RaaS, CISA KEV
CVE-2026-50751 is a critical authentication bypass vulnerability (CVSS 9.3, CWE-287) in Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. A logic flaw in the certificate validation process allows a remote, unauthenticated attacker to forge a valid authentication cookie, encrypted with the target gateway's publicly retrievable TLS certificate, and submit it to the VPN login endpoint, establishing a full VPN session without supplying any credentials.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

| Tactic | Technique | ID | Analytic description |
|---|---|---|---|
| Initial Access (TA0001) | Exploit Public-Facing Application | T1190 | Monitor VPN authentication logs for successful IKEv1 sessions originating from unexpected IP ranges; flag sessions authenticated without a corresponding machine certificate. |
| Defense Evasion (TA0005) | Use Alternate Auth Material: Web Session Cookie | T1550.004 | Detect VPN sessions initiated via forged authentication override cookies; alert on portal-userauthcookie submissions from IP addresses not matching the known user device inventory. |
| Command & Control (TA0011) | Application Layer Protocol | T1071 | Hunt for Tox protocol traffic patterns (peer-to-peer encrypted messaging) on internal hosts; flag unusual encrypted UDP traffic to Tox bootstrap nodes. |
| Exfiltration (TA0010) | Exfiltration Over Web Service | T1567 | Monitor for large outbound data transfers consistent with Rclone-based cloud sync activity on hosts with recent VPN access; flag unusual volume patterns toward cloud storage endpoints. |
| Impact (TA0040) | | | |

REMEDIATION STEPS

1. Apply the official Check Point hotfix for CVE-2026-50751 immediately on all affected Security Gateways (sk185033). Do not wait for a scheduled patch cycle.

2. Apply the hotfix for CVE-2026-50752 (sk185035) simultaneously to mitigate the related man-in-the-middle risk.

3. Disable IKEv1 key exchange. Configure Global Properties for Remote Access VPN authentication to IKEv2 only.

4. Remove support for legacy Remote Access clients that accept connections without a machine certificate.

5. Set Machine Certificate Authentication as mandatory for all VPN connection types.

6. Enable IPS on all affected gateways and download the latest vendor-published signatures.

7. Conduct forensic log audits from 07.05.2026 (earliest confirmed exploitation date) on all IKEv1-enabled gateways; audit for successful VPN authentications from the listed attacker IPs.

8. Block all 9 attacker IP addresses at perimeter controls, firewalls, and SIEM detection rules immediately.

9. Hunt for Rclone activity (large outbound cloud sync transfers) and Tox protocol traffic (encrypted UDP to Tox bootstrap nodes) on internal hosts with recent VPN access.

10. If compromise is confirmed, assume lateral movement may have occurred; audit all privileged account usage from the forensic window and engage incident response resources.
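The detection analytics in the table above (IKEv1 sessions without a machine certificate, sessions from unexpected ranges, portal-userauthcookie submissions from IPs outside the device inventory) and remediation steps 7 and 8 (auditing successful authentications from the attacker IPs inside the forensic window) can be expressed as a small log-review script. The following is an added example, not code from the original page or from Check Point. The log line format is a constructed key=value layout, not Check Point's real log syntax; the known client ranges, device inventory, attacker IP list and window start date are assumptions or placeholders, since the page lists none of those values.

```python
"""Detection and audit logic for the CVE-2026-50751 analytics (added example).

The key=value log format below is constructed for illustration; it is not
Check Point's real log syntax. KNOWN_RANGES, DEVICE_INVENTORY, ATTACKER_IPS
and AUDIT_WINDOW_START are assumptions/placeholders, not values from the page.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real gateway output).
SAMPLE_LOGS = """\
time=2026-05-08T02:14:07Z src=203.0.113.45 user=jdoe ike=IKEv1 machine_cert=no cookie=portal-userauthcookie result=success
time=2026-05-08T09:02:11Z src=10.20.30.40 user=asmith ike=IKEv2 machine_cert=yes cookie=- result=success
time=2026-05-08T09:05:59Z src=198.51.100.23 user=jdoe ike=IKEv1 machine_cert=no cookie=- result=success
time=2026-05-06T22:40:00Z src=198.51.100.23 user=jdoe ike=IKEv1 machine_cert=no cookie=- result=failure
time=2026-05-09T11:11:11Z src=10.20.30.41 user=bjones ike=IKEv1 machine_cert=yes cookie=portal-userauthcookie result=success
"""

# Assumed corporate/VPN client source ranges (placeholder).
KNOWN_RANGES = [ip_network("10.20.30.0/24")]
# Assumed known user device IPs (placeholder inventory).
DEVICE_INVENTORY = {"10.20.30.40", "10.20.30.41"}
# PLACEHOLDER: the page refers to 9 attacker IPs but does not list them;
# a documentation-range address stands in for them here.
ATTACKER_IPS = {"198.51.100.23"}
# The page gives the earliest confirmed exploitation date as "07.05.2026";
# this code assumes day.month.year (7 May 2026).
AUDIT_WINDOW_START = datetime(2026, 5, 7)


def parse_line(line):
    """Split one constructed key=value log line into a dict with a parsed timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def in_known_range(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def detect(events):
    """Apply the three table analytics; return (rule, src, user) per hit."""
    alerts = []
    for e in events:
        success = e["result"] == "success"
        ikev1 = e["ike"] == "IKEv1"
        # T1190 analytic: successful IKEv1 session with no machine certificate.
        if success and ikev1 and e["machine_cert"] != "yes":
            alerts.append(("ikev1_no_machine_cert", e["src"], e["user"]))
        # T1190 analytic: successful IKEv1 session from an unexpected source range.
        if success and ikev1 and not in_known_range(e["src"]):
            alerts.append(("ikev1_unexpected_source", e["src"], e["user"]))
        # T1550.004 analytic: override cookie submitted from an IP not in the inventory.
        if e["cookie"] == "portal-userauthcookie" and e["src"] not in DEVICE_INVENTORY:
            alerts.append(("override_cookie_unknown_device", e["src"], e["user"]))
    return alerts


def audit_attacker_auths(events):
    """Step 7: successful authentications from listed attacker IPs inside the forensic window."""
    return [
        (e["time"].isoformat(), e["src"], e["user"])
        for e in events
        if e["result"] == "success"
        and e["src"] in ATTACKER_IPS
        and e["time"] >= AUDIT_WINDOW_START
    ]


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for alert in detect(events):
        print("ALERT", *alert)
    for hit in audit_attacker_auths(events):
        print("AUDIT HIT", *hit)
```

On the constructed sample, the first line trips all three analytics (IKEv1 without a machine certificate, from outside the known ranges, with an override cookie from an unknown device), the IKEv2 session with a machine certificate from an inventoried device trips none, and the audit returns only the successful attacker-IP login on or after the window start, ignoring the earlier failed attempt. Against real gateway logs the parser would need to be replaced with one matching the actual export format, and the placeholder lists populated from the vendor advisory and the organisation's own inventory.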

Observed Countries (250)

AD (11)
AE (304)
AF (815)
AG (351)
AI (450)
AL (557)
AM (820)
AO (772)
AQ (398)
AR (789)
AS (207)
AT (585)
AU (594)
AW (140)
AX (185)
AZ (207)
BA (787)
BB (298)
BD (672)
BE (607)
BF (690)
BG (520)
BH (39)
BI (2)
BJ (48)
BL (631)
BM (234)
BN (465)
BO (19)
BQ (6)
BR (8)
BS (170)
BT (626)
BV (618)
BW (400)
BY (330)
BZ (737)
CA (75)
CC (576)
CD (369)
CF (846)
CG (56)
CH (151)
CI (323)
CK (447)
CL (210)
CM (825)
CN (69)
CO (92)
CR (24)
CU (863)
CV (862)
CW (742)
CX (976)
CY (280)
CZ (453)
DE (423)
DJ (115)
DK (657)
DM (35)
DO (991)
DZ (711)
EC (931)
EE (570)
EG (309)
EH (587)
ER (508)
ES (844)
ET (710)
FI (11)
FJ (567)
FK (703)
FM (686)
FO (951)
FR (306)
GA (360)
GB (904)
GD (938)
GE (439)
GF (616)
GG (92)
GH (82)
GI (267)
GL (617)
GM (964)
GN (1)
GP (689)
GQ (389)
GR (476)
GS (48)
GT (871)
GU (694)
GW (647)
GY (211)
HK (650)
HM (112)
HN (73)
HR (516)
HT (59)
HU (854)
ID (401)
IE (277)
IL (496)
IM (256)
IN (523)
IO (703)
IQ (456)
IR (585)
IS (857)
IT (474)
JE (183)
JM (353)
JO (772)
JP (742)
KE (788)
KG (343)
KH (280)
KI (247)
KM (818)
KN (772)
KP (85)
KR (553)
KW (374)
KY (11)
KZ (698)
LA (186)
LB (279)
LC (638)
LI (886)
LK (734)
LR (781)
LS (601)
LT (799)
LU (944)
LV (54)
LY (658)
MA (822)
MC (580)
MD (22)
ME (990)
MF (613)
MG (622)
MH (789)
MK (885)
ML (346)
MM (820)
MN (708)
MO (855)
MP (976)
MQ (149)
MR (822)
MS (807)
MT (493)
MU (882)
MV (605)
MW (554)
MX (130)
MY (284)
MZ (648)
NA (322)
NC (722)
NE (757)
NF (809)
NG (902)
NI (114)
NL (656)
NO (513)
NP (307)
NR (949)
NU (585)
NZ (673)
OM (265)
PA (79)
PE (401)
PF (34)
PG (64)
PH (434)
PK (513)
PL (924)
PM (318)
PN (608)
PR (829)
PS (404)
PT (280)
PW (432)
PY (87)
QA (906)
RE (539)
RO (702)
RS (525)
RU (660)
RW (494)
SA (430)
SB (983)
SC (40)
SD (582)
SE (46)
SG (815)
SH (682)
SI (859)
SJ (472)
SK (98)
SL (465)
SM (822)
SN (378)
SO (545)
SR (940)
SS (110)
ST (517)
SV (72)
SX (470)
SY (287)
SZ (947)
TC (204)
TD (858)
TF (184)
TG (764)
TH (445)
TJ (36)
TK (690)
TL (883)
TM (191)
TN (896)
TO (38)
TR (645)
TT (798)
TV (921)
TW (47)
TZ (444)
UA (271)
UG (608)
UM (169)
US (19)
UY (806)
UZ (992)
VA (112)
VC (44)
VE (572)
VG (158)
VI (985)
VN (741)
VU (598)
WF (590)
WS (526)
XK (560)
YE (396)
YT (342)
ZA (536)
ZM (183)
ZW (601)