Latest Check Point vulnerability: CVE-2026-50751 #
Check Point disclosed that certain versions of their VPN products utilize the deprecated IKE protocol version 1 (IKEv1) that are affected by an authentication logic flow vulnerability. Remote unauthenticated attackers can utilize this vulnerability to bypass the authentication validation without credentials in order to gain access to secure networks. This vulnerability has been designated CVE-2026-50751 and has been rated critical with a CVSS score of 9.3.
The following versions are affected:
- Security Gateways:
- R82.10 Jumbo Hotfix Take 19 or below
- R82 Jumbo Hotfix Take 103 or below
- R81.20 Jumbo Hotfix Take 141 or below
- R81.10 (End-of-Support (EOS))
- R81 (End-of-Support (EOS))
- R80.40 (End-of-Support (EOS))
- Spark Firewalls:
- R80.20.X (End-of-Support (EOS))
- R82.00.X
- R81.10.X
What is Check Point Remote Access and Mobile Access VPN? #
Check Point Remote Access and Mobile Access VPN provide users access to corporate networks over IPSec.
What is the impact? #
Successful exploitation of the vulnerability would allow an attacker to establish an unauthorized VPN connection and gain access to protected networks.
Are updates or workarounds available? #
Users are encouraged upgrade affected systems to the following versions:
Security Gateway, Maestro Orchestrator, and Security Group
- R82.10 Jumbo Hotfix Accumulator Take 19 (Take #3)
- R82.10 Jumbo Hotfix Accumulator Take 6 (Take #2)
- R82 Jumbo Hotfix Accumulator Take 103 (Take #2)
- R82 Jumbo Hotfix Accumulator Take 91 (Take #2)
- R81.20 Jumbo Hotfix Accumulator Take 141 (Take #2)
- R81.20 Jumbo Hotfix Accumulator Take 127 (Take #2)
- R81.20 Jumbo Hotfix Accumulator Take 120 (Take #2)
- R81.20 Jumbo Hotfix Accumulator Take 113 (Take #2)
Spark Firewall Appliances
- R82.00.10 Build 998002216
For End-of-Support products Check Point has provided multiple mitigation options.
How to find potentially vulnerable systems with runZero #
From the Service inventory, use the following query to locate potentially impacted assets:
hw:="Check Point%" AND protocol:ike AND ike.version:="1.0"May 2024: CVE-2024-24919 #
On May 28, 2024, Check Point disclosed a serious vulnerability in Check Point Security Gateway Devices with certain remote access software blades (security modules) enabled. Per their guidance, devices are impacted if one of the following conditions are met:
- The IPsec VPN Blade is enabled, but ONLY when included in the Remote Access VPN community.
- The Mobile Access Software Blade is enabled.
The issue, identified as CVE-2024-24919, allows reading arbitrary files on the targeted appliance by unauthenticated remote attackers. This vulnerability could be leveraged to read sensitive files such as those containing password hashes, certificates, and ssh keys.
This vulnerability has a CVSS score of 8.6 out of 10, indicating that this is a high risk vulnerability. According to their disclosure and information provided by CISA this vulnerability is being actively exploited. A report from mnemonic.io states that they have observed attacks at least as far back as April 30, 2024.
What is the impact? #
Upon successful exploitation of the vulnerability, unauthenticated remote attackers could access password hashes for local users. If the hashes are cracked the attacker may be able to log into these user accounts if secondary controls, such as MFA, are not enforced. This includes service accounts that may be used to access Active Directory or other services. Attackers could leverage this information to move across a target's network.
Are updates or workarounds available? #
Check Point has released a software updates to address this vulnerability. They also provide guidance for other measures that should be taken after the vulnerability has been addressed. These can be found in their advisory.
How do I find potentially vulnerable Check Point devices with runZero? #
From the Asset Inventory, use the following query to locate assets that may be running the vulnerable operating system in your network:
hardware:"Check Point" AND (_service.last.http.body:"Check Point Mobile" OR _service.http.body:"Check Point Mobile" OR udp_port:500)
