If your business connects staff to the office or a server through a Check Point VPN or firewall, this one needs your attention today. Attackers, including a ransomware crew, have been quietly exploiting a flaw that lets them slip past the login entirely, and the cyber agencies have flagged it as urgent.
What's going on
A critical flaw (CVE-2026-50751, rated 9.3 out of 10) lets an unauthenticated attacker establish a VPN connection without valid credentials on Check Point Remote Access VPN, Mobile Access (SSL VPN), and Spark firewalls that use older IKEv1 configurations accepting legacy clients. In plain terms: the device meant to keep outsiders out can be walked straight past. Active exploitation goes back to about May 7, picked up in early June, and on June 8 the US cyber agency CISA added it to its Known Exploited Vulnerabilities list and gave federal agencies until June 11 to patch. At least one intrusion is tied to an affiliate of the Qilin ransomware operation. So far it's limited, a few dozen organizations worldwide, but an unauthenticated VPN bypass plus ransomware plus an emergency directive is not a combination to sit on.
Why a small business should care
- Spark is Check Point's small-business firewall line. This isn't only an enterprise problem; the affected products include the kind of gear that sits in small offices.
- An unauthenticated bypass needs no password and no phished employee. If the box is exposed to the internet and unpatched, the attacker can get in without tricking anyone.
- Ransomware crews are the ones using it. The goal here is encryption and extortion, not idle curiosity.
- It's the same story as the Palo Alto and SonicWall attacks. Internet-facing VPN and firewall appliances are now a favourite target across vendors; the brand matters less than whether yours is patched, behind MFA, and watched.
What to do
If you run Check Point: apply the emergency hotfix now, or have your provider do it today. If you genuinely can't patch immediately, follow Check Point's interim steps: disable legacy (IKEv1) client support, enforce IKEv2 with machine certificates, and turn on intrusion prevention with the latest signatures. Also check for signs of misuse, like unexpected VPN sessions or new accounts. Treat an exposed, unpatched device as potentially already touched.
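The check for unexpected VPN sessions described above, as an added example that is not from Check Point or the original article. It assumes a vendor-neutral CSV export with hypothetical column names, a constructed staff roster, review rules chosen for illustration, and 2026 as the year of the May 7 date (inferred from the CVE identifier).

```python
import csv
import io
from datetime import datetime, timezone

# Assumption: window start is the article's "about May 7"; year inferred from the CVE id.
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)

# Constructed roster of accounts expected to use the VPN.
KNOWN_USERS = {"alice", "bob", "carol"}

# Constructed sample export. Column names are hypothetical, not a vendor log format.
SAMPLE_EXPORT = """\
timestamp,username,source_ip,ike_version,auth_result
2026-05-02T08:14:00+00:00,alice,198.51.100.10,2,success
2026-05-09T02:41:00+00:00,,203.0.113.77,1,none
2026-05-12T09:03:00+00:00,bob,198.51.100.22,2,success
2026-06-03T23:55:00+00:00,svc_backup2,203.0.113.91,2,success
2026-06-04T10:20:00+00:00,carol,198.51.100.31,1,success
"""


def review_sessions(export_text, known_users=KNOWN_USERS, since=WINDOW_START):
    """Return (row, reasons) for each session in the window that needs a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if datetime.fromisoformat(row["timestamp"]) < since:
            continue  # before the reported exploitation window
        reasons = []
        user = row["username"].strip().lower()
        if not user:
            reasons.append("session with no username")
        elif user not in known_users:
            reasons.append("account not on roster")
        if row["ike_version"].strip() == "1":
            reasons.append("legacy IKEv1 session")
        if row["auth_result"].strip().lower() != "success":
            reasons.append("tunnel without a successful login")
        if reasons:
            findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for row, reasons in review_sessions(SAMPLE_EXPORT):
        who = row["username"] or "<none>"
        print(row["timestamp"], who, row["source_ip"], "; ".join(reasons))
```

A flagged row is a prompt for a person to look, not proof of compromise; swap in your own export and roster before relying on it.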
If you don't run Check Point, take the hint: make sure whatever firewall or VPN you do run is on a supported version, patched promptly, sitting behind multi-factor authentication, and actually monitored. The patch-management basics are exactly this, applied on a schedule.