Critical Check Point VPN Flaw Actively Used by Qilin Ransomware Group

The Qilin ransomware gang is actively exploiting a critical authentication bypass flaw in Check Point VPN products that rely on the deprecated IKEv1 protocol.

CSBadmin

Authentication Bypass in Remote Access VPN

Check Point Research has uncovered active exploitation of a critical vulnerability in Check Point Remote Access VPN and Mobile Access products. The flaw allows an unauthenticated attacker to bypass authentication entirely by exploiting a logic error in certificate validation within the deprecated IKEv1 key exchange protocol. Organizations using IKEv1 configurations are at immediate risk, as an attacker can establish a VPN session without a valid password.

The vulnerability affects a wide range of Check Point products, including Remote Access VPN, Mobile Access SSL VPN, and Spark Firewall appliances, spanning versions from R80.20.X through R82.10. While initial access is gained through the bypass, additional steps are required to access internal resources or escalate privileges within the network.

Ongoing Exploitation and Ransomware Activity

Check Point researchers began investigating suspicious activity on June 4, 2026, tracing exploitation attempts back to May 7, 2026. Attack volumes escalated sharply in early June, targeting several dozen organizations worldwide. The activity is linked with medium confidence to the Qilin ransomware gang, which has deployed Linux ransomware binaries and attempted to download malicious ELF files from actor-controlled infrastructure.

The attackers are using the Tox protocol for command-and-control communication, a pattern common among ransomware operators. Infrastructure behind the campaign was hosted on Kaupo Cloud HK, Shock Hosting, and Vultr Holdings, with virtual private server locations correlating to victim geography in some cases. The same threat actor is believed to be simultaneously exploiting similar VPN vulnerabilities disclosed by Palo Alto, Fortinet, and F5.

During the investigation, Check Point’s agentic AI code security platform BLAST identified a second, related vulnerability in certificate validation within the same deprecated IKEv1 protocol. This flaw could enable man-in-the-middle interference on site-to-site VPN communications under specific conditions. While not yet observed in active exploitation, organizations are strongly urged to apply updates proactively. Incident response teams should prioritize forensic log audits and configuration reviews beginning from May 7, 2026.
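As an added, defender-side example (not from the article, from Check Point, or from Cyber Security News): a small Python helper that flags VPN communities and gateways still configured for the deprecated IKEv1 exchange and pulls remote-access log events dated on or after May 7, 2026 for manual review. The config and log formats, field names, hostnames and addresses below are constructed for illustration and are not Check Point's real export syntax; adapt the two regular expressions to your own exports.

```python
"""Added example (not from the article or from Check Point): audit helpers for
(1) finding VPN entries that still negotiate IKEv1 and (2) extracting
remote-access VPN events from the review window the article recommends.

Both the config export and the log format are CONSTRUCTED for this example;
they are not Check Point's real syntax.
"""
from __future__ import annotations

import re
from datetime import date

# Start of the exploitation window reported in the article.
REVIEW_START = date(2026, 5, 7)

# Constructed config export (hypothetical format): one record per line,
# "<kind>=<name>;ike=<v1|v2>;...".
SAMPLE_CONFIG = """\
community=site-hq-to-dc;ike=v2;peer=203.0.113.10
community=branch-legacy;ike=v1;peer=198.51.100.7
gateway=remote-access-gw;ike=v1;clients=office-mode
gateway=partner-gw;ike=v2;peer=192.0.2.44
"""

# Constructed log lines (hypothetical format):
# "<YYYY-MM-DD> <HH:MM:SS> <source-ip> <event> user=<name or ->".
SAMPLE_LOG = """\
2026-04-30 08:12:01 198.51.100.23 ike_p1_success user=alice
2026-05-07 02:41:17 192.0.2.99 ike_p1_success user=-
2026-05-07 02:41:18 192.0.2.99 vpn_session_open user=-
2026-06-03 23:05:44 203.0.113.201 vpn_session_open user=-
2026-06-04 07:00:00 198.51.100.23 ike_p1_success user=bob
"""

RECORD_RE = re.compile(r"^(\w+)=([^;]+);ike=(v[12])")
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) user=(\S+)$"
)


def find_ikev1_entries(config_text: str) -> list[str]:
    """Return the names of communities/gateways whose IKE version is v1.

    These are the entries the article says are exposed and should be
    migrated or patched first.
    """
    names: list[str] = []
    for line in config_text.splitlines():
        m = RECORD_RE.match(line)
        if m and m.group(3) == "v1":
            names.append(m.group(2))
    return names


def events_in_review_window(log_text: str, start: date = REVIEW_START) -> list[dict]:
    """Parse log lines and keep only those dated on or after `start`."""
    events: list[dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        day = date.fromisoformat(m.group(1))
        if day >= start:
            events.append(
                {
                    "date": day,
                    "time": m.group(2),
                    "src": m.group(3),
                    "event": m.group(4),
                    "user": m.group(5),
                }
            )
    return events


def unattributed_sessions(events: list[dict]) -> list[str]:
    """Source IPs that opened a VPN session with no user identity attached.

    In the constructed format, user='-' marks a session with no authenticated
    identity. That is a review cue for analysts, not proof of compromise.
    """
    return sorted(
        {e["src"] for e in events if e["event"] == "vpn_session_open" and e["user"] == "-"}
    )


if __name__ == "__main__":
    print("IKEv1 entries:", find_ikev1_entries(SAMPLE_CONFIG))
    window = events_in_review_window(SAMPLE_LOG)
    print("Events since", REVIEW_START, ":", len(window))
    print("Sessions without a user identity from:", unattributed_sessions(window))
```

The date filter and the IKEv1 check are deliberately separate functions so the same script can be pointed at a different start date or a different config export without touching the parsers.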

Source: Cyber Security News
