CISA has issued an emergency directive requiring U.S. federal agencies to secure Check Point Remote Access VPN, Mobile Access, and Spark firewall deployments following active exploitation of a critical zero-day vulnerability (CVE-2026-50751). Continue reading this Cybersecurity Threat Advisory to learn how to mitigate risk and protect your environment.
What is the threat?
CVE-2026-50751 is a critical authentication bypass vulnerability in Check Point Mobile Access VPN, Remote Access VPN, and Spark firewall products that allows unauthenticated remote attackers to establish VPN sessions. It originates from how the VPN gateway processes authentication and session initialization for certain access paths—particularly when legacy or deprecated protocols (notably IKEv1) or mixed authentication modes are enabled. Due to improper validation during session negotiation, specially crafted connection requests can cause the gateway to incorrectly treat a user as authenticated.
Exploitation is straightforward and highly impactful. An unauthenticated threat actor can send crafted VPN negotiation or SSL VPN requests to an exposed gateway, manipulating protocol-specific parameters and session identifiers to bypass credential checks. As a result, the gateway establishes a VPN session that grants attackers direct Layer 3 or Layer 7 access to internal resources—depending on configuration—without requiring stolen credentials or user interaction.
Following successful authentication bypass, the compromised VPN connection becomes a powerful foothold. Attackers can enumerate internal networks, access file shares and applications, and leverage trusted VPN connectivity to evade perimeter defenses.
Why is it noteworthy?
This vulnerability is particularly noteworthy because it is actively exploited by Qilin ransomware affiliates. In observed incidents, attackers used this access to rapidly stage tools, harvest credentials, and move laterally across the environment before deploying ransomware payloads.
Because the activity originates from a trusted VPN interface, it can appear as normal remote user traffic—significantly delaying detection and response. As edge devices that provide broad access to internal systems, VPN appliances are especially attractive targets for ransomware operators. The exploitation of deprecated protocols further highlights the risk posed by legacy configurations that remain enabled for compatibility. The issuance of a mandatory CISA directive underscores the severity and confirms that exploitation is already occurring at scale.
What is the exposure or risk?
Organizations running vulnerable Check Point VPN or firewall deployments face a high risk of complete network compromise. Successful exploitation allows attackers to bypass authentication controls and gain trusted internal access, often without triggering traditional detection mechanisms.
This level of access enables data theft, credential compromise, lateral movement, and ransomware deployment with minimal effort and high reliability. Internet-facing VPN gateways are particularly exposed, making this a critical threat for enterprises, service providers, and government agencies.
What are the recommendations?
Barracuda strongly recommends organizations take these additional steps to defend their machines:
- Apply available security patches.
- Disable deprecated VPN protocols such as IKEv1 and any unused or legacy VPN access paths.
- Restrict VPN access to required IP ranges where possible.
- Monitor VPN logs for anomalous or unauthenticated VPN session creation and unusual access patterns.
- Rotate VPN credentials if exploitation is suspected.
- Limit VPN user access to only necessary network segments.
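The log-monitoring recommendation above, sketched as an added example that is not part of the original advisory or any Check Point tooling: it flags VPN sessions that start without a recent successful authentication from the same user and source, and sessions negotiated over IKEv1. The key=value log layout, the field names, and the 30-second window are assumptions; events are assumed to be in chronological order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a generic key=value layout (NOT Check Point's
# real log schema); map your gateway's exported fields onto these names.
SAMPLE_LOG = """\
2026-01-10T08:00:01Z event=auth_success user=alice src=198.51.100.10 proto=ikev2
2026-01-10T08:00:03Z event=session_start user=alice src=198.51.100.10 proto=ikev2 session=a1
2026-01-10T08:05:00Z event=session_start user=- src=203.0.113.77 proto=ikev1 session=b2
2026-01-10T08:06:00Z event=auth_success user=bob src=198.51.100.20 proto=ikev1
2026-01-10T08:06:02Z event=session_start user=bob src=198.51.100.20 proto=ikev1 session=c3
2026-01-10T09:30:00Z event=session_start user=alice src=192.0.2.55 proto=sslvpn session=d4
"""

AUTH_WINDOW = timedelta(seconds=30)  # assumed max gap between auth and session start
DEPRECATED = {"ikev1"}               # protocol the advisory says to disable

def parse(line):
    """Split one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(re.findall(r"(\w+)=(\S+)", rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def find_suspicious_sessions(log_text):
    """Return (session_id, reason) pairs for sessions an analyst should review."""
    last_auth = {}  # (user, src) -> time of most recent successful authentication
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        e = parse(line)
        key = (e.get("user"), e.get("src"))
        if e.get("event") == "auth_success":
            last_auth[key] = e["ts"]
        elif e.get("event") == "session_start":
            session = e.get("session", "?")
            authed = last_auth.get(key)
            # A session with no matching, recent auth event is the bypass symptom.
            if authed is None or e["ts"] - authed > AUTH_WINDOW:
                findings.append((session, "no_prior_auth"))
            if e.get("proto") in DEPRECATED:
                findings.append((session, "deprecated_protocol"))
    return findings

if __name__ == "__main__":
    for session, reason in find_suspicious_sessions(SAMPLE_LOG):
        print(session, reason)
```

A `deprecated_protocol` finding on an otherwise authenticated session (such as `c3`) is a configuration signal rather than an intrusion signal: it shows IKEv1 is still accepted on the gateway.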
References
For more in-depth information about the recommendations, please visit the following links:
- https://support.checkpoint.com/results/sk/sk185035
- https://support.checkpoint.com/results/sk/sk185033
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

