Vulnerability Overview
Check Point has issued an urgent warning about active exploitation of a critical authentication bypass flaw in its Remote Access VPN and Mobile Access products. The vulnerability affects only configurations that still use the outdated IKEv1 key exchange protocol. By exploiting a logic error in the certificate validation process, an unauthenticated attacker can bypass the need for a valid password and establish a VPN session remotely.
The impacted products include several versions of Security Gateways, such as R82.10, R82, and R81.20 with certain hotfix levels, as well as older end-of-life releases R81.10, R81, and R80.40. Certain Spark Firewall models are also affected. Successful exploitation requires specific conditions, including that VPN Remote Access or Mobile Access is enabled, IKEv1 is active for remote access, and the gateway accepts legacy remote access clients without requiring a machine certificate.
Impact and Scope
Check Point first observed suspicious activity on June 4, 2026, but the earliest evidence of exploitation dates back to May 7, 2026. The attacks have intensified in June, though they appear limited to a few dozen targeted organizations worldwide. In at least one case, the post-exploitation phase was linked to a Qilin ransomware affiliate, indicating financially motivated intent.
The threat actor's infrastructure also appears to be actively targeting other VPN-related vulnerabilities in products from vendors such as Palo Alto Networks, Fortinet, and F5. Check Point noted indicators suggesting the attackers may use the Tox protocol for communication, a pattern commonly seen in financially driven ransomware operations. Organizations still relying on IKEv1 for remote access should prioritize patching their gateways immediately.
Source: The Hacker News
