Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2026-50751 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-50751 | CVSS 0.0 (Low) | Exploit: Commoditized

What Is It

CVE-2026-50751 is an improper authentication vulnerability in the IKEv1 key exchange component of Check Point Security Gateway that allows unauthenticated remote attackers to bypass user authentication and establish unauthorized remote access VPN connections.

Technical Detail

The flaw resides in how Check Point Security Gateway handles IKEv1 key exchange negotiations, where the authentication logic can be bypassed without supplying a valid user password. An unauthenticated remote attacker can initiate an IKEv1 exchange and complete the VPN tunnel establishment process as if they were a legitimate authenticated user. Successful exploitation grants the attacker a fully established remote access VPN session, providing network-level access to resources behind the gateway as though they were an authorized user.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on June 8, 2026. The exploit maturity is rated Commoditized, meaning reliable exploit code is broadly available and does not require specialized skill or access to weaponize. At this maturity level, exploitation is not limited to sophisticated actors and should be treated as a routine threat across all exposed deployments.

Who Is Targeting This

Confirmed (ATTAX-verified): APT5 (China, nation-state motivation), Leviathan (China, nation-state motivation), Deep Panda (China, nation-state motivation), Fox Kitten (Iran, nation-state motivation), and OilRig (Iran, nation-state motivation), all with high confidence. The concentration of Chinese and Iranian nation-state actors targeting this vulnerability is consistent with known interest in VPN infrastructure as an initial access vector for espionage and network intrusion operations. No additional reported or research-inferred actors are noted at this time beyond confirmed attribution.

What To Do

Apply the vendor-supplied patch from Check Point immediately. CISA's Known Exploited Vulnerabilities catalog listing carries binding directive obligations for federal agencies requiring remediation by the date specified in BOD 22-01 guidance, which given the June 8, 2026 KEV addition date means federal agencies should treat this as an urgent priority with no grace period given active exploitation. Organizations should audit VPN authentication logs for anomalous IKEv1 session establishments, particularly connections that lack corresponding valid credential events. If patching cannot be applied immediately, consider disabling IKEv1 in favor of IKEv2 where operationally feasible, and restrict VPN gateway exposure to known IP ranges at the perimeter. Indicators of compromise should be reviewed against known APT5, OilRig, Fox Kitten, Leviathan, and Deep Panda infrastructure given confirmed actor involvement.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →