CVE-2026-50751

CVE-2026-50751 is a critical-severity vulnerability in Checkpoint Gaia Os with a CVSS 3.x base score of 9.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-06-08). The underlying weakness is classified as CWE-287.

Key facts

Description

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.

Check Point IKEv1 Certificate Validation Bypass Enables Unauthenticated VPN Access

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2026-50751 is a critical authentication bypass in Check Point's Gaia OS and Gaia Embedded products. A weakness in the certificate validation logic during the deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication entirely and establish a Remote Access VPN connection without supplying a valid password. With a CVSS v3 score of 9.3 and active inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, this flaw demands immediate attention from any organization running affected Check Point VPN gateways.

Background

Check Point Security Gateways running Gaia OS provide Remote Access VPN capabilities for mobile workers and remote offices. The underlying key exchange can use either IKEv1 or IKEv2. While IKEv2 is the modern standard, IKEv1 remains enabled on many legacy configurations and is still supported in current releases for backward compatibility. The vulnerability resides in the certificate validation path during the IKEv1 Remote Access and Mobile Access handshake, not in the cryptographic primitives themselves. Because the flaw is in the authentication logic flow rather than a buffer overflow or memory corruption bug, traditional exploit mitigations such as ASLR or DEP do not prevent it.

Root Cause

The vulnerability is classified as CWE-287: Improper Authentication. During the IKEv1 certificate validation phase, a logic flow error allows the system to accept a certificate chain that does not satisfy all required authentication constraints. The specific implementation weakness means that an attacker can present a certificate that passes the initial certificate validation step but fails to properly bind to a valid user identity, yet the gateway still permits the VPN tunnel to come up. This bypasses the user-password check that should normally follow the certificate exchange, effectively allowing any attacker who can reach the VPN portal to authenticate as a valid remote user without knowing the corresponding password.

Impact

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N, yielding a base score of 9.3 (Critical).

  • Attack Vector (AV): Network — The vulnerability is exploitable remotely over the internet without prior access to the internal network.
  • Attack Complexity (AC): Low — No special conditions or race windows are required; the attacker simply needs to initiate an IKEv1 handshake with a crafted certificate.
  • Privileges Required (PR): None — No user account or credentials are needed.
  • User Interaction (UI): None — The attack is fully automated and does not require a victim to click a link or open a file.
  • Scope (S): Changed — The vulnerable component (the VPN gateway) can affect resources beyond its own security boundary, granting the attacker access to the internal network.
  • Confidentiality (C): High — Once the VPN tunnel is established, the attacker can access internal systems, files, and services as if they were a legitimate remote user.
  • Integrity (I): Low — The attacker can potentially modify data within the scope of the VPN tunnel, though this is limited by the remote user's normal permissions.
  • Availability (A): None — The vulnerability does not directly cause denial of service.

The combination of network accessibility, low complexity, and no required privileges makes this an extremely high-risk vulnerability. Because Check Point VPN gateways are often internet-facing, the attack surface is broad.

Exploitation Walkthrough

Ethics Notice: This section describes the attack conceptually for defensive purposes only. Do not attempt to exploit this vulnerability against systems you do not own or have explicit permission to test. Unauthorized access to computer networks is illegal in most jurisdictions.

An attacker interested in exploiting this vulnerability would perform the following steps at a high level:

  1. Reconnaissance — Identify internet-facing Check Point VPN gateways. Common indicators include exposed IKEv1 ports (UDP 500/4500) or the Remote Access VPN portal on TCP 443.
  2. Certificate Preparation — Obtain or generate an X.509 certificate that the target gateway will accept. Because the bug is in the binding between certificate validation and user identity lookup, the attacker does not need a certificate issued by the organization's internal PKI. The key requirement is that the certificate passes the gateway's certificate validation routine without triggering the user-password check.
  3. IKEv1 Handshake — Initiate a standard IKEv1 Remote Access connection using the crafted certificate. The attacker sends the certificate during the authentication phase.
  4. Authentication Bypass — Due to the logic flow weakness, the gateway accepts the certificate as valid but fails to enforce the subsequent user-password verification. The VPN tunnel is established, granting the attacker an internal network IP address and routing table.
  5. Post-Exploitation — With the tunnel active, the attacker can now scan internal hosts, pivot to sensitive systems, and exfiltrate data.

Defenders should treat any successful IKEv1 connection from an unknown or unexpected certificate as a potential indicator of compromise.

Affected and Patched Versions

The following Check Point products and versions are affected, based on the published CPE data:

  • Check Point Gaia OS — R81.20 (multiple takes including take_8 through take_141), R82 (multiple takes through take_103), R82.10 (take_6, take_19)
  • Check Point Gaia Embedded — R81.10.17 (builds 996004508 through 996004892), R82.00.10 (builds 998001559 through 998002203)
  • Check Point Quantum Spark Appliances — 1530, 1535, 1550, 1555, 1570, 1570R, 1575, 1575R, 1590, 1595R, 1600, 1800, 1900, 2000, 2530, 2550, 2560, 2570, 2580, 2590

Check Point has released hotfixes for this vulnerability. Administrators should consult Check Point support article SK185033 for the exact patched takes and build numbers. As a general rule, the vulnerability is fixed in the latest Jumbo Hotfix Accumulators for the affected releases.

Remediation

  1. Apply the Hotfix — Install the recommended hotfix from Check Point Support Center article SK185033. This is the primary remediation.
  2. Upgrade — If possible, upgrade to the latest Jumbo Hotfix Accumulator or a major release that includes the fix. Check Point's blog post on this vulnerability provides guidance on the minimum recommended versions.
  3. Disable IKEv1 — If your organization does not require IKEv1 for remote access, disable it entirely and migrate to IKEv2. IKEv1 is a deprecated protocol and should not be used for new deployments. This eliminates the attack surface entirely.
  4. Restrict VPN Access — Apply IP allowlisting to the VPN gateway if feasible, limiting the Remote Access portal to known corporate networks or trusted geographies. This does not fix the vulnerability but reduces exposure.
  5. Certificate Pinning — Ensure that only certificates issued by your internal PKI or a tightly controlled CA hierarchy are accepted for VPN authentication. Review certificate validation settings to confirm that user-to-certificate binding is enforced.

Detection

Security teams should monitor for the following indicators:

  • Unexpected VPN Sessions — Review Remote Access VPN logs for connections from unknown source IPs or unusual geographic locations. Cross-reference successful IKEv1 sessions with your IT asset management database.
  • Certificate Anomalies — Alert on IKEv1 authentication events where the presented certificate does not match the expected issuer or subject fields for your organization's PKI.
  • Network Telemetry — Monitor internal network traffic for lateral movement originating from VPN-assigned IP ranges. New connections to sensitive servers (Domain Controllers, file shares, databases) from VPN clients should be baselined and reviewed.
  • Endpoint Detection — If you have EDR agents on internal systems, look for suspicious process execution or credential access from VPN-sourced IP addresses.
  • SIEM Rules — Create a correlation rule that flags multiple failed IKEv1 handshake attempts followed by a successful connection from the same source IP, which may indicate certificate probing.

Assessment

This vulnerability is a textbook example of why deprecated protocols should not remain enabled on internet-facing infrastructure. With an EPSS score of 0.70099 and a percentile of 0.99298, the probability of active exploitation is extremely high. The fact that CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalog on the same day it was published (2026-06-08) confirms that threat actors are already leveraging it in the wild. The EU Exploited Vulnerability Database also lists it as actively exploited since that date.

Key lessons:

  1. Deprecation without disablement is a liability. IKEv1 has been superseded by IKEv2 for years. Keeping the deprecated protocol enabled "just in case" created a critical attack surface that should have been removed during routine hardening.
  2. Certificate validation is not user authentication. The root cause is a failure to enforce the full authentication chain after certificate validation succeeds. Any certificate-based VPN deployment should be audited to ensure that certificate acceptance and user identity verification are tightly coupled and cannot be bypassed by logic errors.

Organizations running affected Check Point gateways should treat this as a patch-now event. The combination of trivial exploitability, network accessibility, and confirmed in-the-wild exploitation leaves no room for delay.

References

Frequently asked questions

What is CVE-2026-50751?
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
How severe is CVE-2026-50751?
CVE-2026-50751 has a CVSS 3.x base score of 9.3, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
Is CVE-2026-50751 being actively exploited?
Yes. CVE-2026-50751 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-06-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2026-50751?
CVE-2026-50751 primarily affects Checkpoint Gaia Os. In total, 72 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2026-50751?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2026-50751 have an EU (EUVD) identifier?
Yes. CVE-2026-50751 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-35047. It is also flagged as exploited in the EUVD (since 2026-06-08).
When was CVE-2026-50751 published?
CVE-2026-50751 was published on 2026-06-08 and last updated on 2026-06-17.

References

Affected products (72)

More vulnerabilities in Checkpoint Gaia Os

All CVEs affecting Checkpoint Gaia Os →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →