Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle to bypass certificate validation in VPN site-to-site connections that use certificate-based authentication. Successful exploitation could allow interception or modification of traffic traversing the VPN tunnel.
AnalysisAI
Certificate validation bypass in Check Point Quantum Security Gateway and Spark Firewalls allows network-positioned attackers to subvert IKEv1 certificate-based authentication in site-to-site VPN tunnels. A man-in-the-middle adversary can intercept or modify traffic traversing the tunnel without possessing valid credentials. No public exploit identified at time of analysis, and the issue is constrained to the deprecated IKEv1 protocol path.
Technical ContextAI
The flaw resides in the IKEv1 (Internet Key Exchange version 1) implementation used by Check Point's Quantum Security Gateway and Spark Firewall product lines (per CPE strings cpe:2.3:a:checkpoint:quantum_security_gateway and cpe:2.3:a:checkpoint:spark_firewalls). CWE-295 (Improper Certificate Validation) indicates the gateway fails to correctly verify one or more attributes of the peer certificate during the IKEv1 main/aggressive mode exchange - for example, missing chain-of-trust checks, weak signature verification, or accepting certificates outside the configured trust anchor. Because IKEv1 establishes IPsec Security Associations used for site-to-site VPNs, breaking certificate validation effectively breaks peer authenticity, enabling an active MitM to negotiate keys with both endpoints independently.
RemediationAI
Apply the fix described in Check Point support article sk185035 (https://support.checkpoint.com/results/sk/sk185035); the exact fixed Quantum/Spark build version is not enumerated in the provided data and should be retrieved from that advisory - patch status here is 'Patch available per vendor advisory.' As a primary compensating control, migrate site-to-site tunnels from the deprecated IKEv1 to IKEv2, which is unaffected by this validation path; the trade-off is that both VPN endpoints must support and be reconfigured for IKEv2, which may require coordination with third-party peers. If IKEv1 must remain temporarily, switch certificate-based authentication to pre-shared key (PSK) on affected tunnels (trade-off: weaker key-management hygiene and harder rotation), restrict the set of trusted CAs presented to IKE to the smallest possible internal CA, and route VPN endpoints over trusted underlay where MitM positioning is harder (private circuits, MPLS) rather than the public Internet.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35046
GHSA-89xv-5cj4-39m4