Check Point: VPN Zero-Day Exploited by Qilin Ransomware for a Month

Check Point disclosed a critical authentication bypass in its Remote Access VPN on June 8, with attacks dating to May 7 and at least one Qilin ransomware affiliate exploiting the flaw. The disclosure deepens an edge-appliance crisis already reshaping enterprise security spending and M&A.

Published: June 8, 2026 | By James Park, AI & Emerging Tech Reporter | Category: Cyber Security

James covers AI, agentic AI systems, gaming innovation, smart farming, telecommunications, and AI in film production. Technology analyst focused on startup ecosystems.

LONDON, Monday, June 8, 2026 — Check Point Software disclosed a critical authentication bypass in its Remote Access VPN on Monday, confirming that attackers had exploited the zero-day for roughly a month before a patch existed. The flaw, tracked as CVE-2026-50751, carries a CVSS score of 9.3 and lets an unauthenticated remote attacker bypass password authentication entirely. Check Point said exploitation began on May 7, surged in early June, and has affected a few dozen organizations globally — at least one tied to the Qilin ransomware operation.

Key Takeaways

  • CVE-2026-50751 carries a CVSS score of 9.3 and allows unauthenticated attackers to bypass password authentication via a logic error in certificate validation.
  • Attacks began May 7, surged in early June, and have affected only "a few dozen" organizations worldwide, with at least one incident linked to Qilin ransomware.
  • The flaw affects only deployments configured to use the deprecated IKEv1 key exchange protocol with gateways that accept legacy clients and do not require a machine certificate.
  • A second vulnerability, CVE-2026-50752, affects certificate validation in deprecated IKEv1 and can enable man-in-the-middle attacks on site-to-site VPN connections.
  • The disclosure lands as enterprise buyers accelerate consolidation onto platform vendors, with ServiceNow completing its $7.75 billion Armis acquisition to triple its security and risk market opportunity.

Context & Analysis

Lotem Finkelstein, Check Point's VP of research, said the company spotted suspicious activity and began investigating the zero-day on June 4. He said exploitation has been limited to several dozen targeted organizations globally, primarily over the past few days, with at least one case showing post-compromise activity associated with a Qilin ransomware affiliate. The Qilin operation is one of 2026's most prolific ransomware crews. It surfaced in August 2022 as a Ransomware-as-a-Service operation under the "Agenda" name and has since claimed responsibility for nearly 400 victims, including Yangfeng, Nissan, Asahi, Lee Enterprises, Synnovis, and Australia's Court Services Victoria.

The Check Point disclosure fits a broader pattern. Google's Threat Intelligence Group documented last month how criminal and state-sponsored actors are scaling their use of previously unknown vulnerabilities, with VPN appliances and network edge devices consistently among the most targeted categories, while firewalls and VPNs typically do not provide sufficient telemetry to detect or stop these attacks. The same threat actor is suspected to be exploiting flaws across multiple vendors. Finkelstein said the ransomware group is also likely exploiting other VPN-related vulnerabilities in Palo Alto Networks, Fortinet, and F5 products.

Company | Position | Recent Move | Source
--- | --- | --- | ---
Check Point | Network security incumbent | Patched CVE-2026-50751 after month-long exploitation | Check Point advisory
ServiceNow | Platform consolidator | Closed $7.75B Armis acquisition April 20, 2026 | ServiceNow newsroom
Cisco | Network security incumbent | Warned of actively exploited Catalyst SD-WAN Manager zero-day CVE-2026-20245 | BleepingComputer
Akamai | Edge security | Agreed to acquire LayerX for ~$205M | Infosecurity Magazine

Competitive Landscape

Edge appliance vendors are caught between two pressures: zero-day exposure and platform consolidation. The Armis acquisition is expected to more than triple ServiceNow's market opportunity for security and risk solutions. Worldwide end-user spending on information security is projected to increase 12.5% in 2026 to $240 billion — capital that increasingly flows toward unified platforms rather than point appliances. Technical specifications confirmed through official vendor documentation and independent testing.

M&A activity confirms the pattern. Akamai agreed to acquire LayerX, the browser-based AI usage governance vendor, for approximately $205 million, with the deal expected to close in the third quarter of 2026. Torq, the agentic security operations company, announced on May 18 that it had acquired Jit, the AI context graph cybersecurity firm, to improve agentic investigations by the Torq AI SOC Platform with organization-specific contextual data. SentinelOne, meanwhile, is reorienting capital toward AI-native security. SentinelOne will cut about 240 employees, citing productivity gains from frontier AI models that have dramatically accelerated internal workflows, while redirecting savings into AI security, cloud, data and endpoint initiatives.

Company | Category | Key Development | Impact
--- | --- | --- | ---
Qilin | Ransomware-as-a-Service | Linked to Check Point VPN exploitation | ~400 claimed victims since 2022
SentinelOne | Endpoint / AI security | ~240 layoffs, redirecting to AI security | Productivity shift from frontier models
Torq | Agentic SOC | Acquired Jit (May 18, 2026) | AI context graph for autonomous investigations
SecurityScorecard | Third-party risk | Acquired DriftNet (May 14, 2026) | Real-time internet discovery for TITAN AI

What It Means

For Enterprise Buyers

The IKEv1 prerequisite limits the blast radius, but the exposure window does not. Security teams running Check Point gateways should treat May 7 as the audit baseline. Check Point published a list of indicators of compromise, including attacker IPs, and recommends customers search SmartConsole logs for VPN certificate authentication attempts associated with observed attacker infrastructure for at least May 7 through June 5. CISOs should also question whether legacy protocol support remains worth the operational risk on any internet-facing appliance.
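The log search described above can be scripted against an exported log file. The following is an added example, not Check Point tooling or code from the advisory: the CSV column names and action strings are assumptions about an export format, and the indicator addresses are placeholders from documentation ranges that must be replaced with the published list.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Audit window from the article (a minimum: "at least" May 7 through June 5); UTC assumed.
WINDOW_START = datetime(2026, 5, 7, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 5, 23, 59, 59, tzinfo=timezone.utc)

# Placeholder indicators (RFC 5737 documentation ranges), NOT real IoCs.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.77/32")]

# Constructed sample export; column names are assumptions, not a Check Point schema.
SAMPLE_EXPORT = """time,src,user,auth_method,action
2026-05-06T22:10:00Z,203.0.113.5,svc-backup,certificate,Failed Log In
2026-05-07T03:14:09Z,203.0.113.5,svc-backup,certificate,Log In
2026-05-19T11:02:41Z,192.0.2.44,alice,password,Log In
2026-06-02T01:55:30Z,198.51.100.77,admin,certificate,Failed Log In
2026-06-03T09:00:00Z,198.51.100.77,bob,password,Log In
2026-06-07T09:00:00Z,203.0.113.9,carol,certificate,Log In
"""

def is_ioc(addr):
    """True if addr falls inside an indicator network; malformed values never match."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in IOC_NETWORKS)

def triage(export_text):
    """Return certificate-auth rows from indicator sources inside the audit window."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            ts = datetime.fromisoformat(row["time"].replace("Z", "+00:00"))
        except (KeyError, ValueError, AttributeError):
            continue  # skip rows without a parseable timestamp
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue
        if (row.get("auth_method") or "").lower() != "certificate":
            continue
        if is_ioc(row.get("src") or ""):
            # A successful login from indicator infrastructure is the priority case.
            row["priority"] = "high" if row.get("action") == "Log In" else "review"
            hits.append(row)
    return hits
```

Rows returned with priority `high` are successful certificate logins from indicator addresses and warrant session-level follow-up; `review` rows are failed attempts from the same sources.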

For Investors

Edge appliance vendors face a structural narrative problem. Each new zero-day strengthens the platform pitch from ServiceNow, Palo Alto Networks, and Zscaler. ServiceNow CEO Bill McDermott said the early close of the Armis acquisition meaningfully expands its TAM and accelerates subscription revenue growth. Expect multiple expansion for consolidators and pressure on standalone perimeter brands.

Forward Outlook

Check Point released hotfixes addressing both flaws alongside the disclosure and urged customers to apply them or follow its mitigation guidance. The Qilin ransomware group, also known as Agenda, has been one of the more active financially motivated threat actors in 2026. Watch for CISA to add CVE-2026-50751 to its Known Exploited Vulnerabilities catalog in the coming days, mirroring its recent addition of a SolarWinds Serv-U flaw, CVE-2026-28318, citing evidence of active exploitation. Earnings season will test whether platform consolidators can translate edge appliance anxiety into multi-product wins.

Sources include company disclosures, regulatory filings, analyst reports, and industry briefings.

Frequently Asked Questions

What is CVE-2026-50751?

It is a critical authentication bypass vulnerability in Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. It carries a CVSS score of 9.3 and allows unauthenticated remote attackers to bypass password authentication by exploiting a logic error in certificate validation.

When did exploitation begin and who is behind it?

Check Point's earliest confirmed exploitation dates to May 7, 2026, with activity surging in early June. The company has linked at least one post-compromise incident to a Qilin ransomware affiliate and believes the same actor is exploiting VPN flaws in Palo Alto Networks, Fortinet, and F5 products.

Which deployments are affected?

Only Check Point gateways with Remote Access VPN or Mobile Access enabled, IKEv1 active for remote access, acceptance of legacy remote access clients, and no machine certificate requirement. Spark firewalls for SMBs are also affected when configured with IKEv1.

How does this connect to ServiceNow's Armis acquisition?

ServiceNow closed its $7.75 billion Armis acquisition on April 20, 2026, building a unified asset visibility and cyber exposure platform. Edge appliance zero-days like CVE-2026-50751 strengthen the case enterprises hear from platform consolidators that point-product perimeter security alone is insufficient.

What should enterprise security teams do now?

Apply Check Point's hotfixes immediately or follow vendor mitigation guidance, disable IKEv1 where possible, and audit SmartConsole logs from May 7, 2026 forward against published indicators of compromise. Treat any legacy protocol exposure as a candidate for retirement.