A ransomware group called Qilin has been exploiting a critical authentication bypass in Check Point’s VPN and remote access products since May 7, breaching “a few dozen targeted organizations globally” before a patch existed. On Monday, CISA added CVE-2026-50751 to its KEV catalog and ordered all U.S. civilian federal agencies to remediate by end of day June 11 under BOD 22-01, its binding operational directive that authorizes emergency action when active cyber threats target government networks.

CVE-2026-50751 carries a CVSS score of 9.3. It’s an authentication bypass tied to a logic flaw in certificate validation within the deprecated IKEv1 protocol, affecting Check Point’s Mobile Access, Remote Access VPN, and Spark firewalls. An unauthenticated remote attacker can establish a full VPN session without a valid password. Check Point says it first observed suspicious activity on June 4, though Qilin had been exploiting the flaw since May 7.

The agencies in scope include Homeland Security, the Department of State, and the Treasury. None have said whether they’re among the organizations Qilin hit.

Check Point’s gateway products are standard-issue in federal network perimeters, which is why Qilin can move laterally once it has a VPN foothold. Agencies that remediate by June 11 still need to audit network logs from May 7 forward — the directive covers remediation, not investigation. The harder question is how many of the “few dozen targeted organizations” are federal.

Check Point has released hotfixes referenced in support articles SK185033 and SK185035. The binding deadline for civilian agencies is end of day Wednesday.

James Okafor