CISA Orders Feds to Patch Check Point VPN Zero-Day by June 11

CISA has ordered U.S. government agencies to secure their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability exploited in zero-day attacks by Qilin ransomware affiliates.

CISA adds CVE-2026-50751 to its Known Exploited Vulnerabilities catalog. The agency directed Federal Civilian Executive Branch agencies to apply fixes by June 11 under Binding Operational Directive 22-01. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA also urged all security teams in the private sector to deploy patches for CVE-2026-50751 and secure their organizations' networks as soon as possible. The directive applies only to federal agencies but the warning extends broadly.

Check Point discloses the flaw as actively exploited since May 7. The Israeli cybersecurity company released security updates on Monday for CVE-2026-50751. It flagged the vulnerability as exploited in attacks that began on May 7 and surged over the weekend.

Unauthenticated remote attackers can exploit the flaw to bypass authentication and establish a remote access VPN connection on targeted Mobile Access/SSL VPNs, Remote Access VPNs, or Spark firewalls. The vulnerability affects only instances configured to use the deprecated IKEv1 key exchange protocol, with security gateways that do not require a machine certificate for connections and accept legacy Remote Access clients.

Exploitation linked to Qilin ransomware with limited global impact so far. Although these attacks have only led to breaches at a few dozen organizations worldwide, Check Point has linked at least one incident to the Qilin Ransomware-as-a-Service operation. Qilin has claimed over 400 victims on its dark web leak site since it surfaced in August 2022.

"To date, the observed exploitation has been limited to a few dozen targeted organizations globally. One case involved confirmed post-compromise activity associated with Qilin ransomware affiliate," the company said. Customers using IKEv1 key exchange protocol are strongly encouraged to apply the available security updates immediately.

Workarounds provided for systems that cannot be patched immediately. Check Point shared mitigation measures including removing support for the legacy remote access client, configuring global properties for Remote Access VPN Authentication to IKEv2 only, enabling IPS and downloading the signatures, and configuring Machine Certificate Authentication as mandatory. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Check Point VPN flaws previously targeted by ransomware groups. Two years ago, CISA tagged another vulnerability in Check Point's Quantum Security Gateways as actively exploited by ransomware gangs. That earlier flaw was linked to NailaoLocker ransomware attacks.