A ransomware crew spent a month logging into corporate VPNs without passwords, and the vendor only found out on June 4. The bug, CVE-2026-50751, affects Check Point Remote Access VPN deployments running the deprecated IKEv1 protocol. CISA has given US federal agencies until June 11 to patch.
The victims here are companies, not home users. But the root cause, an ancient protocol left switched on, is something every VPN user should care about.
What the vulnerability does
CVE-2026-50751 is an authentication bypass with a CVSS score of 9.3. In plain terms: a logic flaw in certificate validation lets a remote attacker establish a VPN session with no valid password at all. No phishing, no stolen credentials, no brute force. Just a crafted connection request against a gateway with IKEv1 enabled.
IKEv1 is the key exchange protocol from the late 1990s. Check Point deprecated it years ago, and their advisory is blunt about the fix: install the hotfix, and stop using IKEv1. The modern replacement, IKEv2, is not affected.
The exploitation timeline is the uncomfortable part. According to Help Net Security, the earliest observed attack dates to May 7. Check Point identified the malicious activity on June 4. That’s roughly a month of quiet access to a few dozen targeted organizations before anyone knew the door was open.
Who’s behind it
Check Point’s own research links the activity, with medium confidence, to an affiliate of the Qilin ransomware operation. BleepingComputer reported the post-exploitation toolkit: dedicated VPS infrastructure from hosters like Vultr and Shock Hosting, the open-source Rclone tool for data exfiltration, and Qilin ransomware as the payload.
Qilin has been one of the most active ransomware operations of the past two years, and its affiliates have a documented preference for VPN gateways and other edge devices as entry points. It makes sense. Why bother phishing employees when the company’s own remote access box will let you in without a password?
CISA added the flaw to its Known Exploited Vulnerabilities catalog with a three-day patch deadline for federal agencies, which is about as loud as that particular alarm bell gets.
Corporate VPN, consumer VPN: same word, different products
Every time a story like this breaks, someone declares that VPNs are broken and you should stop using them. That conflates two different things, and the distinction matters. We made the same point when Europol took down a criminal VPN service: the word VPN covers products that share almost nothing but the acronym.
A corporate remote access VPN is a door into a company network. It sits on the internet, accepts inbound connections, and its job is authentication: keeping the wrong people out. When it fails, attackers get inside a network full of valuable systems.
A consumer VPN is the opposite direction. You make an outbound connection to a provider’s server to encrypt your traffic on the way to the internet. There’s no corporate network behind it, and nothing for ransomware to encrypt. CVE-2026-50751 says nothing about the safety of NordVPN, Proton VPN, or any consumer service.
The real lesson: deprecated protocols are unexploded bombs
Here’s where the story does apply to you. The Check Point bug only bites deployments that still have IKEv1 enabled, a protocol that was deprecated ages ago and kept around for compatibility. Old protocol, left on by default or by laziness, turns into a critical hole years later. This pattern repeats constantly.
Consumer VPNs have their own version of this problem. PPTP, a protocol from 1995, is genuinely broken: its authentication can be cracked in under a day, and that’s been public knowledge since 2012. L2TP/IPsec is dated. Yet some providers still offer both, because removing features looks bad on a comparison chart.
Our advice hasn’t changed: use WireGuard or OpenVPN, and treat a provider still pushing PPTP as a red flag. Our WireGuard vs OpenVPN comparison covers which to pick and why. The protocol column in our comparison table exists exactly for this reason.
Edge devices keep getting popped, and there’s a reason
Zoom out and this incident stops looking unusual. Corporate VPN gateways and other edge devices have been the favorite ransomware entry point for several years running. Ivanti Connect Secure had its zero-day wave in 2024. Fortinet appliances have produced a steady drip of exploited CVEs. Pulse Secure before that. Citrix before that.
The pattern has structural causes. These boxes face the internet by definition, so attackers can scan for them at will. They sit outside the protections that cover normal endpoints: no EDR agent, limited logging, and updates that require maintenance windows nobody wants to schedule. And they hold the keys to everything behind them, so one bug pays for months of scanning effort.
Security agencies have been saying this loudly. CISA’s Known Exploited Vulnerabilities catalog reads like a directory of VPN and firewall vendors, and the three-day patch deadline for this CVE reflects how routine these emergencies have become.
For the companies involved, the fix is process: patch edge devices like it’s an emergency every time, retire deprecated protocols on a schedule instead of waiting for the CVE, and watch authentication logs for sessions that shouldn’t exist. None of this is exotic advice. It just keeps not happening, which is why Qilin affiliates keep eating well.
What to do, depending on who you are
If you run or administer a Check Point Remote Access deployment: install the hotfix now, disable IKEv1 everywhere, and review VPN logs going back to early May for sessions you can’t explain. Check Point’s advisory and the Rapid7 analysis list the indicators of compromise.
If you’re a remote worker who uses a company VPN: nothing for you to patch, but don’t be surprised if IT forces a reconnect or pushes new client software this week. That’s the system working.
If you’re a consumer VPN user: check which protocol your app uses. If it’s WireGuard, NordLynx, or OpenVPN, you’re fine. If you’ve ever manually configured L2TP or PPTP because a tutorial from 2014 told you to, undo that today. A provider like NordVPN defaults to NordLynx, its WireGuard implementation, and doesn’t offer PPTP at all. That’s what good defaults look like.
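For the administrator case above (reviewing VPN logs back to early May for sessions you can’t explain), here is one way to triage an exported session list. This is an added example, not Check Point’s tooling or log schema: the CSV columns, the sample rows, the 2026 year (inferred from the CVE identifier) and the placeholder hosting range are all assumptions.

```python
import csv, io, ipaddress
from datetime import datetime

# Assumption: year 2026 inferred from the CVE id; the article says only "May 7".
WINDOW_START = datetime(2026, 5, 7)

# Constructed sample export; column names are hypothetical, not a vendor schema.
SAMPLE = """timestamp,user,src_ip,ike_version
2026-04-20T08:01:00,alice,198.51.100.10,2
2026-04-22T09:15:00,bob,203.0.113.77,1
2026-05-09T02:44:00,bob,203.0.113.80,1
2026-05-12T03:10:00,carol,192.0.2.45,1
2026-05-15T08:05:00,alice,198.51.100.23,2
2026-05-20T01:30:00,alice,192.0.2.99,2
"""

# Placeholder (RFC 5737 documentation block) standing in for hosting-provider
# ranges you would take from the vendor's published indicators.
HOSTING_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def net24(ip):
    """Collapse an IPv4 address to its /24 so small DHCP changes do not alert."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def triage(csv_text, hosting_nets=HOSTING_NETS, start=WINDOW_START):
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["timestamp"])
    baseline = set()   # (user, /24) pairs seen before the exploitation window
    findings = []
    for r in rows:
        ts = datetime.fromisoformat(r["timestamp"])
        ip = ipaddress.ip_address(r["src_ip"])
        key = (r["user"], net24(ip))
        if ts < start:
            baseline.add(key)      # pre-window activity defines "explainable"
            continue
        reasons = []
        if r["ike_version"] == "1":
            reasons.append("ikev1")               # deprecated, affected protocol
        if key not in baseline:
            reasons.append("new-source-network")  # user never seen from here
        if any(ip in n for n in hosting_nets):
            reasons.append("hosting-range")       # VPS-style source address
        if reasons:
            findings.append((r["timestamp"], r["user"], r["src_ip"], reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

A session that collects several reasons at once, like the constructed `carol` row, is the one to pull first; an IKEv1 session from a user’s usual network mostly tells you which clients still need migrating to IKEv2.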
The story’s likely epilogue is worth pre-writing: CVE-2026-50751 will join the KEV catalog’s long tail, patched estates will forget it, and some unpatched gateway will get a company ransomed by it months from now, because that is the lifecycle every entry in this genre follows. The deadline discipline CISA models (three days, no exceptions) is the only known cure, and it applies to home router firmware exactly as it does to federal estates.
This was a serious incident handled reasonably well once detected: fast hotfix, honest disclosure, clear attribution. The month of undetected exploitation is the part that should bother people, and it will happen again wherever deprecated protocols stay enabled. The takeaway for everyone, from Fortune 500 admins to someone picking their first VPN: the security of a VPN lives and dies in its protocols, and old ones don't age into harmlessness. They age into CVEs.
Sources: Check Point advisory | BleepingComputer on the Qilin link | Help Net Security analysis | Rapid7 technical breakdown