NCSC-2026-0179 [1.01] [H/H] Vulnerabilities fixed in Check Point Remote and Mobile Access VPN products
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Check Point has fixed vulnerabilities in Remote and Mobile Access VPN products, specifically for implementations using the IKEv1 key exchange protocol. Two vulnerabilities have been identified in Check Point Security Gateways and Remote Access VPN environments using the outdated IKEv1 protocol. The vulnerabilities CVE-2026-50751 and CVE-2026-50752 affect VPN authentication and certificate validation. These vulnerabilities allow attackers to gain access to VPN environments without valid authentication. The vulnerability CVE-2026-50751 has been exploited as a zero-day. According to Check Point, ransomware was also deployed in one case following this exploitation. The first detected exploitation dates back to May 7. The IKEv1 protocol is an outdated protocol still used in such implementations. The NCSC-NL expects large-scale exploitation to occur in the near term and urges organizations to follow Check Point's advisory. The NCSC-NL also calls on organizations to check Check Point's IoCs if relevant products using IKEv1 are in use within the organization. UPDATE: Publicly available Proof-of-Concept (PoC) code is now available, increasing the likelihood of exploitation. IOCs 45.77.149[.]152 209.182.225[.]136 38.60.157[.]139 162.33.177[.]101 45.76.26[.]42 144.208.127[.]155 38.54.88[.]201 38.54.107[.]167 66.42.99[.]200 52fda5c1b9704544f32ee98d9060e689 51d39aa39478beeac94f2d12f682ecce
CSIRTS triage
- What
- Vulnerabilities in IKEv1 protocol allow attackers to access VPN environments without valid authentication.
- Who is affected
- Users of Check Point Remote and Mobile Access VPN products using IKEv1.
- Urgency
- Remediation is critical due to confirmed exploitation and the potential for large-scale attacks.
- Action
- Transition to a more secure key exchange protocol and apply updates from Check Point.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Remote and Mobile Access VPN products
Get an email when a new Remote and Mobile Access VPN products advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0179
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation confirmedCVE-2026-50751Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 99% of all scored CVEs.
- Exploitation confirmedCVE-2026-50752Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 91% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-50751 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-50752 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedCVE-2026-50751: Check Point Security Gateway Improper Authentication Vulnerabilitycisa-kev
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03