
Check Point Quantum Gateway CVE-2026-50751

EUVD-2026-35047 | CRITICAL
Improper Authentication (CWE-287)
2026-06-08 | checkpoint | GHSA-jqxh-x9f5-wcgw
CVSS 3.1 (NVD): 9.3

Severity by source

NVD (primary): 9.3 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
ENISA EUVD: CRITICAL (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

5 events, newest first:

Added to CISA KEV: Jun 08, 2026 - 19:31 (CISA)
Analysis Generated: Jun 08, 2026 - 17:25 (vuln.today)
CVSS changed: Jun 08, 2026 - 17:22 (NVD), 9.3 (CRITICAL)
CVE Published: Jun 08, 2026 - 11:07 (nvd), UNKNOWN (no severity yet)
CVE Published: Jun 08, 2026 - 11:07 (nvd), CRITICAL 9.3

Description (CVE.org)

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.

Analysis (AI)

Authentication bypass in Check Point Quantum Security Gateway and Spark Firewalls allows unauthenticated remote attackers to establish Remote Access and Mobile Access VPN sessions without valid credentials by abusing a logic flaw in deprecated IKEv1 certificate validation. The flaw (CVSS 9.3, CWE-287) was reported by Check Point themselves and publicly available exploit code exists, though EPSS exploitation probability remains very low (0.01%) and the issue is not currently listed in CISA KEV. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify internet-facing Check Point VPN on UDP/500
Delivery: Initiate IKEv1 Phase-1 handshake
Exploit: Trigger logic flaw in certificate validation
Execution: Bypass password authentication step
Persist: Establish Remote Access VPN tunnel
Impact: Pivot to internal network resources

Vulnerability Assessment (AI)

Exploitation: The gateway must have the Remote Access VPN or Mobile Access blade enabled with the deprecated IKEv1 key exchange permitted (Check Point gateways that have been configured to negotiate IKEv2 only are not exploitable via this path), and UDP/500 plus UDP/4500 must be reachable from the attacker - typically true for any internet-facing VPN portal. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N indicates a network-reachable, low-complexity, unauthenticated, no-user-interaction attack with scope change and high confidentiality impact - consistent with full VPN access into the protected network. …

Exploit Scenario: An attacker on the internet sends an IKEv1 Aggressive or Main Mode handshake to the gateway's UDP/500 endpoint, presents a certificate (or a crafted handshake exercising the flawed validation path), and the gateway transitions to an authenticated VPN session without ever validating the user password. With publicly available exploit code, a low-skilled actor can use this to obtain an interactive tunnel and pivot to internal RDP, SMB, or management interfaces. …

Remediation: Patch available per vendor advisory: install the Check Point hotfix referenced in sk185033 (https://support.checkpoint.com/results/sk/sk185033), which for Quantum Security Gateway means upgrading Jumbo Hotfix Accumulator beyond Take 19 on R82.10, Take 103 on R82, and Take 141 on R81.20, and applying the corresponding hotfix on R81.10, R81, and R80.40; Spark Firewalls on R80.20.X, R81.10.X, and R82.00.X must be moved to the fixed firmware build named in the SK. …

Recommended Action (AI)

Within 24 hours: Identify all Quantum (R80.40-R82.10) and Spark (R80.20.X-R82.00.X) appliances and verify affected firmware versions; disable IKEv1 protocol if operationally feasible; begin monitoring VPN access logs for anomalies. …
