CISA has added CVE-2026-50751, a critical authentication-bypass flaw in Check Point Security Gateway's deprecated IKEv1 VPN protocol, to its Known Exploited Vulnerabilities catalog with a June 11, 2026 remediation deadline.
What Is It
CVE-2026-50751 is an improper authentication vulnerability (CWE-287) in Check Point Security Gateway. According to NVD, a logic-flow weakness in Remote Access and Mobile Access certificate validation within the deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. The flaw carries a CVSS 3.1 base score of 9.3 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N, network-reachable, low complexity, and requiring no privileges or user interaction.
Why It Matters
A VPN gateway is a perimeter trust boundary. This vulnerability lets a remote, unauthenticated attacker step past that boundary entirely, no stolen password required, and stand up a VPN session into the protected network. The CVSS scope is "Changed," reflecting that a successful exploit reaches beyond the gateway itself. CISA added the CVE to its KEV catalog on June 8, 2026. KEV inclusion signals exploitation risk severe enough to mandate federal action; however, the KEV entry lists known ransomware campaign use as "Unknown," and NVD records the vulnerability as "Awaiting Analysis."
What's Vulnerable
The affected product is Check Point Security Gateway, specifically its Remote Access and Mobile Access functionality using the deprecated IKEv1 key exchange protocol. The supplied NVD record lists no specific affected CPE versions; refer to the vendor advisory (sk185033) for affected configurations and version details.
Patch Status
Check Point has released a hotfix for the deprecated IKEv1 VPN protocol vulnerabilities, per its security blog and support article sk185033. CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The KEV due date is June 11, 2026.