Check Point says VPN attacks caused by Qilin ransomware group — who had a month's head start on them
A month-old VPN bug was finally fixed
- Check Point patches critical VPN auth‑bypass flaw (CVE‑2026‑50751) used in ransomware attacks
- Zero‑day exploited since early May, with Qilin deploying ransomware in at least one case
- Customers urged to apply fixes and mitigations immediately
Check Point has declared it fixed a vulnerability in its VPN products being used in ransomware attacks against dozens of organizations worldwide.
In a published security advisory, the company said it addressed an authentication bypass vulnerability that allowed remote threat actors to establish a remote access VPN connection without a valid user password.
The bug is tracked as CVE-2026-50751 and was given a severity score of 9.3/10 (critical).
Applying the fix
Check Point's VP of research, Lotem Finkelstein, noted the attacks leveraging this bug started on May 7, 2026, more than a month ago. In early June, the attacks picked up in such volume that they drew the attention of Check Point, which realized on June 4 that there was an actively exploited zero-day.
However, Finkelstein tried to frame the attacks as relatively low volume: “We have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days,” he said, adding that in at least one case, the compromise was used to deploy Qilin ransomware.
CVE-2026-50751 is a bug that affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol.
Check Point has now urged its customers to apply the provided fixes, as well as to deploy mitigations and other hardening methods as soon as possible. A full list of indicators of compromise (IoC) is also available.
The company did not discuss who the victims were, or what industries they were in, but from previous reports we know that Qilin is a major player often targeting critical infrastructure providers. For example, in February 2026, it added the Transport Workers Union of America (TWU) Local 100 chapter to its data leak site, saying it broke into the organization and already leaked everything it stole onto the dark web.
Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.