ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-50752 — Check Point IKEv1 Certificate Validation Bypass in Site-to-Site VPNs

A brief summary of CVE-2026-50752, a high severity certificate validation bypass in Check Point's deprecated IKEv1 implementation that could allow man-in-the-middle attackers to intercept or modify VPN site-to-site traffic. Includes patch information and threat intelligence context around the related Qilin ransomware campaign.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

Quick Look: CVE-2026-50752 — Check Point IKEv1 Certificate Validation Bypass in Site-to-Site VPNs
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A flaw in Check Point's deprecated IKEv1 key exchange implementation allows an unauthenticated attacker, positioned as a man in the middle, to bypass certificate validation on VPN site-to-site connections and potentially intercept or modify all traffic traversing the tunnel. What makes this vulnerability particularly noteworthy is its context: it was discovered proactively by Check Point's BLAST AI platform during the investigation of CVE-2026-50751, a critical (CVSS 9.3) authentication bypass that the Qilin ransomware operation is already exploiting in the wild against Check Point Remote Access VPNs.

CVE-2026-50752 carries a CVSS score of 7.4 and is classified under CWE-295 (Improper Certificate Validation). While the man in the middle requirement constrains its exploitability compared to its companion CVE, the vulnerability affects every Check Point Security Gateway version from R80.20.X through R82.10, spanning both supported and end of life releases. For organizations still running IKEv1 on their site-to-site VPN connections with certificate based authentication, this is a material risk that warrants immediate attention.

Technical Information

Root Cause: Improper Certificate Validation in IKEv1

The vulnerability resides in the certificate validation logic within Check Point's IKEv1 implementation. CWE-295 describes software that "fails to validate, or incorrectly validates, a certificate," and in this case the flaw allows an attacker to bypass the certificate checks that are supposed to authenticate the remote VPN peer during IKEv1 Phase 1 negotiation. The MITM attack vector also aligns with CWE-297 (Improper Validation of Certificate with Host Mismatch), as the peer identity is not properly bound to the validated certificate.

Why IKEv1's Architecture Amplifies This Class of Flaw

IKEv1's design creates a fundamentally larger attack surface for certificate validation errors than its successor. The protocol operates in two phases, with Phase 1 offering a choice between Main Mode (six messages) and Aggressive Mode (three messages) to establish the IKE Security Association. This multi-mode complexity means multiple distinct code paths must each correctly implement certificate validation.

Aggressive Mode compounds the problem by transmitting the user identity without encryption, which reduces security when speed is prioritized over protection. IKEv1 also lacks built in DoS resistance (no stateless cookie exchanges), does not mandate Perfect Forward Secrecy, and has no native NAT traversal support.

By contrast, IKEv2 consolidates the exchange into four messages (IKE_SA_INIT and IKE_AUTH), provides inherent identity protection, mandates PFS, and includes stateless cookie exchanges for DoS resistance. This dramatically reduces the surface area where certificate validation errors can occur.

PropertyIKEv1IKEv2
Phase 1 Messages (Main Mode)64 total (IKE_SA_INIT + IKE_AUTH)
Identity ProtectionNo (Aggressive Mode exposes identity)Yes (built in)
Certificate Validation Attack SurfaceLarge (multiple modes, complex state machine)Smaller (single standardized exchange)
DoS ResistanceNo built in stateless cookiesYes (stateless cookie exchanges)
PFS MandateOptionalMandated
NAT TraversalRequires extra configurationBuilt in
Industry StatusDeprecatedCurrent standard

The IKEv1 protocol has been the source of vulnerabilities across the entire industry, not just Check Point. CVE-2018-5389 identified a protocol level vulnerability in IKEv1 itself affecting multiple vendors. Zyxel and F5 have both published security advisories for IKEv1 related flaws in their own products.

Attack Flow

Exploitation of CVE-2026-50752 requires three preconditions to be met simultaneously:

  1. The target VPN uses IKEv1 for site-to-site connections. If the VPN community is configured to use IKEv2, the vulnerable code path is not exercised.

  2. Certificate based authentication is configured. VPN connections using pre-shared keys are not affected by this specific flaw.

  3. The attacker achieves a man in the middle position on the network path between the two VPN gateway endpoints.

When all three conditions are satisfied, the attacker exploits the weakness in the certificate validation logic during the IKEv1 Phase 1 exchange. Because the validation is improperly implemented, the attacker can present a certificate that should be rejected but is instead accepted by the vulnerable gateway. This allows the attacker to establish themselves as an intermediary in the VPN tunnel, with the ability to intercept, read, and modify traffic flowing between the two legitimate sites.

MITRE's CWE-295 documentation notes that man in the middle attack tools are "highly cost effective" for detecting and exploiting this weakness class, with an effectiveness rating of "High."

Relationship to CVE-2026-50751

Both CVE-2026-50752 and CVE-2026-50751 share the same root cause area: the IKEv1 certificate validation codebase. However, they differ significantly in attack vector and severity:

AttributeCVE-2026-50752CVE-2026-50751
CVSS Score7.4 (High)9.3 (Critical)
Attack VectorMITM on site-to-site VPNNetwork based auth bypass on Remote Access VPN
Authentication BypassCertificate validation bypassFull authentication bypass (no password needed)
Active ExploitationNoYes (Qilin ransomware)
Affected ProductsSecurity Gateways, Spark FirewallMobile Access/SSL VPN, Remote Access VPN, Spark Firewall
CWECWE-295CWE-295
Discovery MethodBLAST AI platform (proactive)Active exploitation detected by Check Point Research

CVE-2026-50752 was found when Check Point Research used their BLAST agentic AI code security platform to conduct an extended review of VPN components during the CVE-2026-50751 investigation. This is a meaningful distinction: the patch addresses a latent flaw uncovered through automated code analysis, not through incident response to active attacks.

Patch Information

Check Point has released hotfixes to remediate CVE-2026-50752, published alongside CVE-2026-50751 on June 8, 2026. The fix corrects the certificate validation logic within the IKEv1 code path and is delivered through Check Point's standard Jumbo Hotfix Accumulator (JHF) mechanism and firmware builds.

The following minimum patched versions apply:

ProductVersionFixed In
Security GatewayR81.20Jumbo Hotfix Take 113 or later
Security GatewayR82Jumbo Hotfix Take 91 or later
Security GatewayR82.10Jumbo Hotfix Take 6 or later
Spark FirewallR81.10.XBuild 996004892 (R81.10.17)
Spark FirewallR82.00.XBuild 998002110 (R82.00.10)

Older versions, specifically R80.20.X, R80.40, R81, and R81.10 for Security Gateways, are listed as End of Support (EOS). No hotfix will be made available for those releases. Organizations still running EOS firmware must upgrade to a supported version to receive the fix.

For organizations that cannot immediately apply the hotfix, Check Point recommends an alternative mitigation: configure all VPN communities to exclusively use IKEv2. This removes the vulnerable IKEv1 code path from the connection negotiation entirely, eliminating exposure without requiring a hotfix installation. Applying the hotfix remains the recommended long-term remediation.

All hotfixes are available for download through the Check Point Support Center (CPUSE/Gaia Portal). Full remediation guidance is provided in Check Point's support article sk185035, which includes step by step upgrade guidance for each affected product line.

Affected Systems and Versions

The vulnerability affects Check Point Security Gateways and Spark Firewalls across the following versions:

Security Gateways (with IKEv1 site-to-site VPN using certificate based authentication):

  • R80.20.X (End of Support)
  • R80.40 (End of Support)
  • R81 (End of Support)
  • R81.10 (End of Support)
  • R81.10.X
  • R81.20
  • R82
  • R82.00.X
  • R82.10

Spark Firewalls:

  • R81.10.X
  • R82.00.X

Vulnerable Configuration Requirements:

  • IKEv1 must be enabled for site-to-site VPN connections
  • Certificate based authentication must be configured (pre-shared key configurations are not affected by this specific flaw)

The breadth of affected versions is notable. The vulnerability spans the entire support lifecycle from R80.20.X through R82.10, meaning a significant portion of deployed Check Point gateways may be vulnerable. Organizations running end of life versions face heightened risk, as those releases will not receive hotfixes.

Vendor Security History

Check Point maintains a dedicated security advisories page for vulnerability disclosure. The company's handling of CVE-2026-50752 demonstrates both strengths and areas of concern.

On the positive side, CVE-2026-50752 was proactively discovered using their BLAST AI platform during an investigation into active exploitation of CVE-2026-50751. This shows meaningful investment in advanced vulnerability research capabilities. Check Point's response was also relatively transparent: they published a detailed blog advisory with exploitation status, affected versions, CVSS scores, threat actor attribution (Qilin ransomware, assessed with medium confidence), and infrastructure details including VPS hosting providers and communication methods.

On the concerning side, the affected IKEv1 certificate validation logic has persisted across many major releases, from R80.20.X through R82.10. This pattern of legacy code carrying forward is not unique to Check Point, but it is significant given the industry's longstanding deprecation of IKEv1.

Previous VPN related vulnerabilities in Check Point products include:

  • CVE-2024-24919: Affected Check Point SSL VPN, allowing an attacker to access all files on a vulnerable Security Gateway. This vulnerability was analyzed from an incident response perspective and demonstrated real world impact on organizations.
  • CVE-2026-48132: A separate issue where the VPN service may restart when NAT-T is used with IKEv1, further highlighting technical debt in the IKEv1 implementation.

The Qilin ransomware group's exploitation of CVE-2026-50751 follows a pattern: the same actor is known to target VPN vulnerabilities from Palo Alto Networks, Fortinet, and F5, and their tactics match those seen in prior Check Point attacks including the exploitation of CVE-2024-24919.

Despite these vulnerabilities, Check Point ranked #1 in Miercom's 2026 Hybrid Mesh Network Security Benchmark with 99.8% security effectiveness, and achieved a 99.9% malware block rate in the 2025 firewall benchmark. This tension between strong product security effectiveness and persistent legacy code vulnerabilities is a pattern seen across the industry, where even leading vendors carry technical debt in deprecated protocol implementations.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization