Silent Keys: Qilin Ransomware Exploits Check Point IKEv1 VPN Zero-Day (CVE-2026-50751)

Tags: CVE-2026-50751, CVE-2026-50752, Check Point VPN, IKEv1, Authentication Bypass, Qilin Ransomware, Zero-Day, Remote Access VPN, Mobile Access, Spark Firewall, Certificate Forgery, RaaS, CISA KEV

CVE-2026-50751 is a critical authentication bypass vulnerability (CVSS 9.3, CWE-287) in Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. A logic flaw in certificate validation allows a remote, unauthenticated attacker to forge a valid authentication cookie, encrypt it with the public key from the target gateway's TLS certificate (which any client can retrieve from the HTTPS portal, because the same certificate is shared with the IKEv1 authentication component), and submit it to the VPN login endpoint, establishing a full VPN session without presenting any credentials. Only gateways that still accept IKEv1 are in scope; gateways that negotiate exclusively over IKEv2 are not affected by this flaw.
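The first question a defender has to answer is whether a given gateway still speaks IKEv1 at all. The following probe is an added example written for this page (it is not Check Point's or SOCRadar's code): it sends a single ISAKMP Main Mode SA proposal to UDP/500, carrying both pre-shared-key and RSA-signature transforms, and classifies the reply from the fixed ISAKMP header. Attribute numbers come from RFC 2408/2409; the target host is supplied on the command line. A positive verdict only means the responder accepted or acknowledged an IKEv1 exchange, which is the precondition this CVE needs, not proof that the hotfix is missing.

```python
"""IKEv1 exposure probe: send an ISAKMP Main Mode SA proposal to UDP/500 and
classify the reply. Added example for this page, not vendor code."""
import os
import socket
import struct

# ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
IKEV1_VERSION = 0x10            # major 1, minor 0
EXCH_MAIN_MODE = 2
EXCH_INFORMATIONAL = 5
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_TRANSFORM = 0, 1, 3
# IKE attribute values (RFC 2409 appendix A).
ENC_3DES, ENC_AES = 5, 7
HASH_SHA1 = 2
AUTH_PSK, AUTH_RSA_SIG = 1, 3
GROUP_MODP1024 = 2


def attr_tv(atype, value):
    """Basic type/value attribute: high bit of the type field set."""
    return struct.pack("!HH", 0x8000 | atype, value)


def attr_tlv(atype, data):
    """Variable-length attribute: type, length, then data."""
    return struct.pack("!HH", atype, len(data)) + data


def build_transform(num, enc, auth, key_len=None, last=False):
    """One KEY_IKE transform: encryption, SHA1, auth method, DH group 2, 8h lifetime."""
    attrs = attr_tv(1, enc) + attr_tv(2, HASH_SHA1) + attr_tv(3, auth)
    attrs += attr_tv(4, GROUP_MODP1024)
    attrs += attr_tv(11, 1) + attr_tlv(12, struct.pack("!I", 28800))
    if key_len:
        attrs += attr_tv(14, key_len)   # key length attribute, required for AES
    nxt = PAYLOAD_NONE if last else PAYLOAD_TRANSFORM
    # generic header (next, reserved, length) + transform #, transform ID 1 (KEY_IKE), reserved
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(attrs), num, 1, 0) + attrs


def build_main_mode_sa(icookie):
    """Phase 1 message 1: one proposal carrying PSK and RSA-signature transforms."""
    transforms = (
        build_transform(1, ENC_3DES, AUTH_PSK)
        + build_transform(2, ENC_3DES, AUTH_RSA_SIG)
        + build_transform(3, ENC_AES, AUTH_PSK, key_len=128)
        + build_transform(4, ENC_AES, AUTH_RSA_SIG, key_len=128, last=True)
    )
    # proposal: next, reserved, length, proposal #1, protocol ISAKMP (1), SPI size 0, 4 transforms
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    # SA payload: next, reserved, length, DOI IPsec (1), situation SIT_IDENTITY_ONLY (1)
    sa = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), 1, 1) + proposal
    header = ISAKMP_HEADER.pack(icookie, b"\x00" * 8, PAYLOAD_SA, IKEV1_VERSION,
                                EXCH_MAIN_MODE, 0, 0, ISAKMP_HEADER.size + len(sa))
    return header + sa


def parse_header(data):
    """Decode the fixed 28-byte ISAKMP header, or return None if the datagram is too short."""
    if len(data) < ISAKMP_HEADER.size:
        return None
    icookie, rcookie, nxt, ver, _flags, _msgid, length = ISAKMP_HEADER.unpack_from(data)[:2] + ISAKMP_HEADER.unpack_from(data)[2:4] + ISAKMP_HEADER.unpack_from(data)[5:]
    exch = ISAKMP_HEADER.unpack_from(data)[4]
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": nxt,
            "major": ver >> 4, "minor": ver & 0x0F, "exchange": exch, "length": length}


def classify(icookie, data):
    """Turn a raw reply into an exposure verdict."""
    hdr = parse_header(data)
    if hdr is None:
        return "malformed"
    if hdr["icookie"] != icookie:
        return "cookie_mismatch"            # not a reply to our probe
    if hdr["major"] != 1:
        return "not_ikev1"
    if hdr["exchange"] == EXCH_MAIN_MODE and hdr["next_payload"] == PAYLOAD_SA:
        return "ikev1_main_mode_accepted"   # responder chose one of our IKEv1 proposals
    if hdr["exchange"] == EXCH_INFORMATIONAL:
        return "ikev1_notify"               # e.g. NO-PROPOSAL-CHOSEN: IKEv1 is still spoken
    return "ikev1_other"


def probe(host, port=500, timeout=3.0):
    """Send the probe over UDP and classify the first reply (needs network reachability)."""
    icookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_main_mode_sa(icookie), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no_response"
    return classify(icookie, data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as `python ike_probe.py <gateway-ip>`. Either `ikev1_main_mode_accepted` or `ikev1_notify` means the responder still processes IKEv1 and the gateway belongs at the top of the hotfix queue; `no_response` is inconclusive, since upstream filtering or a responder that silently drops unknown initiators produces the same result. Scan only assets you are authorised to test, and treat the verdict as exposure triage, not as a vulnerability confirmation.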

Indicators of Compromise

IPv4 (9)

162.33.177.10
38.54.107.167
144.208.127.155
38.60.157.139
209.182.225.136
38.54.88.201
45.76.26.42
66.42.99.200
45.77.149.152
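A quick way to put the indicators above to work is to sweep remote-access logs for them, and also for addresses in the same /24 as an indicator, since the affiliate used rotating VPS infrastructure. The script below is an added example for this page, not SOCRadar tooling; the log lines embedded in it are constructed in a generic syslog style and are not a real Check Point export, so adapt the `src=` and `user=` extraction to your own log schema.

```python
"""Sweep remote-access logs for the campaign's IPv4 IoCs. Added example for
this page, not SOCRadar code; sample log lines are constructed."""
import ipaddress
import re
from collections import Counter

# The nine IPv4 indicators listed on this page.
IOC_IPS = {
    "162.33.177.10", "38.54.107.167", "144.208.127.155", "38.60.157.139",
    "209.182.225.136", "38.54.88.201", "45.76.26.42", "66.42.99.200",
    "45.77.149.152",
}
# Lower-confidence neighbourhood: the /24 around each indicator.
IOC_NETS = [ipaddress.ip_network(ip + "/24", strict=False) for ip in IOC_IPS]
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines (generic syslog style, not a real Check Point export).
SAMPLE_LOG = """\
2026-03-02T01:14:07Z gw1 vpn: login ok user=jdoe src=45.77.149.152 method=cert
2026-03-02T01:15:33Z gw1 vpn: login ok user=svc-backup src=45.77.149.9 method=cert
2026-03-02T01:16:01Z gw1 vpn: login ok user=mwilliams src=10.20.30.40 method=password
2026-03-02T01:17:45Z gw1 vpn: login failed user=admin src=8.8.8.8 method=password
2026-03-02T02:02:12Z gw1 vpn: login ok user=jdoe src=38.54.88.201 method=cert
"""


def scan(lines):
    """Return (exact, neighbour) lists of (ip, line): exact IoC hits and same-/24 hits."""
    exact, neighbour = [], []
    for line in lines:
        for raw in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue            # regex also matches junk such as 999.1.2.3
            if ip.is_private:
                continue            # RFC 1918 space cannot be the attacker's VPS
            if raw in IOC_IPS:
                exact.append((raw, line))
            elif any(ip in net for net in IOC_NETS):
                neighbour.append((raw, line))
    return exact, neighbour


def summarize(lines):
    """Per-IoC hit counts plus the accounts seen authenticating from IoC sources."""
    exact, neighbour = scan(lines)
    per_ip = Counter(ip for ip, _ in exact)
    users = set()
    for _, line in exact:
        m = re.search(r"user=(\S+)", line)
        if m:
            users.add(m.group(1))
    return {"exact": per_ip, "neighbour": len(neighbour), "users": sorted(users)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
```

Every account in `users` should be treated as a session established without the user's credentials, because the bypass yields a VPN session under the forged identity; reset and review those accounts rather than only blocking the source address. Neighbour hits are a lead for analyst review, not an automatic block.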

Notes

Conclusion

CVE-2026-50751 is an actively weaponized zero-day that grants full unauthenticated VPN access to any Check Point gateway still running the deprecated IKEv1 key exchange protocol (Check Point hotfix advisory: https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/). The core flaw, a certificate shared between the IKEv1 authentication component and the HTTPS portal, makes the gateway's public key trivially retrievable and lets attackers forge valid session cookies with no prior access or credentials. The roughly 32-day zero-day window before public disclosure allowed a financially motivated Qilin ransomware affiliate to compromise organizations across multiple geographies, using geographically correlated VPS infrastructure and Rclone for data exfiltration prior to encryption. A second, related vulnerability, CVE-2026-50752 (CVSS 7.4), was identified during the investigation; it enables man-in-the-middle attacks on site-to-site VPN tunnels under the same IKEv1 conditions, but no in-the-wild exploitation of CVE-2026-50752 has been confirmed. Applying the hotfix and disabling IKEv1 where it is no longer needed addresses both issues at the protocol level.

SOCRadar IOC Radar (https://socradar.io/free-tools/ioc-radar) continuously monitors indicators associated with this exploitation campaign. The Cyber Threat Intelligence module tracks campaign evolution and threat actor profiling, including Qilin ransomware affiliate activity, in real time. Attack Surface Management enables customers to identify internet-exposed Check Point gateway instances within their digital footprint that may still accept IKEv1 connections. Dark Web Monitoring tracks underground forums and marketplace activity for unauthorized VPN access listings related to compromised Check Point deployments.

Mitigation

MITRE ATT&CK mapping for the observed campaign:

Tactic                            | Technique                                                  | ID        | Reference
Initial Access                    | Exploit Public-Facing Application                          | T1190     | https://attack.mitre.org/techniques/T1190/
Initial Access                    | External Remote Services                                   | T1133     | https://attack.mitre.org/techniques/T1133/
Defense Evasion                   | Use Alternate Authentication Material: Web Session Cookie  | T1550.004 | https://attack.mitre.org/techniques/T1550/004/
Defense Evasion, Lateral Movement | Valid Accounts                                             | T1078     | https://attack.mitre.org/techniques/T1078/
Command and Control               | Application Layer Protocol                                 | T1071     | https://attack.mitre.org/techniques/T1071/
Exfiltration                      | Exfiltration Over Web Service                              | T1567     | https://attack.mitre.org/techniques/T1567/
Impact                            | Data Encrypted for Impact                                  | T1486     | https://attack.mitre.org/techniques/T1486/
Resource Development              | Acquire Infrastructure: Virtual Private Server             | T1583.003 | https://attack.mitre.org/techniques/T1583/003/