CRITICAL · CVE-2026-50751 · CNA: checkpoint

CVE-2026-50751: User Authentication Bypass in VPN Remote Access and Mobile Access

A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected Products: 2

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects Check Point Quantum Security Gateway and Spark Firewalls running affected firmware versions. A remote attacker with no credentials can exploit a logic flaw in certificate validation during deprecated IKEv1 key exchange to skip password authentication entirely and establish a fully authenticated remote access VPN session. Successful exploitation gives the attacker a valid VPN tunnel into protected network segments without supplying any user password. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Check Point publishes a fix.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected Check Point components or related tooling. Any image whose manifest or package metadata references a vulnerable product version is flagged automatically.

Status: Available

Triage

HarborGuard surfaces this finding at CVSS 9.3 Critical and weights it further against each customer organization's per-environment compliance policies, such as internet-exposed VPN gateway requirements or zero-trust network mandates. Findings are routed to the inbox configured for network-access and authentication issues within each customer org.

Status: Available

Patch

No fix version has been published by Check Point for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the VPN gateway's IKEv1 endpoint over the network; the service is typically internet-exposed, making remote exploitation straightforward.

  • Authentication: Not required

    No credentials are needed; the vulnerability itself allows the attacker to bypass password authentication entirely.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker initiates the IKEv1 handshake directly.

  • Attack complexity: Detail

    Exploit complexity is low: no race conditions, memory layout dependencies, or special environmental factors are required to trigger the bypass reliably.

Blast Radius

  • Attacker establishes a fully authenticated VPN tunnel into protected network segments without possessing a valid user password.
  • Attacker gains read access to internal network resources, hosts, and services reachable from the VPN address pool, including potentially sensitive internal data.
  • Attacker can make limited modifications to network-accessible resources from within the trusted VPN context, consistent with the Low integrity impact (I:L) in the CVSS vector.
  • Scope is changed (CVSS S:C): the attacker escapes the VPN authentication boundary and reaches systems in network segments that should be isolated from untrusted traffic.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all customer environments, flagging any image or workload referencing an affected Check Point Quantum Security Gateway or Spark Firewall version at Critical severity. Because no upstream fix exists yet, HarborGuard monitors the Check Point advisory on every ingest cycle. In the interim, compensating controls worth considering include isolating affected gateways behind network policy rules that restrict IKEv1 traffic, disabling deprecated IKEv1 key exchange in gateway configuration where IKEv2-only mode is operationally feasible, and applying egress filtering to limit lateral movement from the VPN address pool. When Check Point publishes a patched version, a rebuilt image at that fix version will become available on HarborGuard immediately. For customers with auto-remediation enabled, that will trigger a rebuild, an automated regression run, and a PR opened against affected workloads, with median time from fix publication to merged patch PR around 90 minutes for Critical-severity issues in those environments.
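
As an added example (not HarborGuard or Check Point code), the classifier below reads the shared IKE header to confirm whether IKEv1 negotiations still reach a gateway before and after IKEv1 is restricted or disabled. It assumes packets arrive as (source IP, destination UDP port, payload) tuples from a capture tool; the helper names and sample traffic are constructed for illustration.

```python
import struct

# IKEv1 (ISAKMP) and IKEv2 share one 28-byte header; the major version nibble tells them apart.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
V1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
V2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def classify_ike(udp_payload: bytes, dst_port: int):
    """Return (major_version, exchange_name) for an IKE datagram, or None if it is not IKE."""
    data = udp_payload
    if dst_port == 4500:
        # NAT-T: IKE is prefixed by a 4-byte all-zero non-ESP marker; anything else is ESP.
        if data[:4] != b"\x00\x00\x00\x00":
            return None
        data = data[4:]
    if len(data) < IKE_HEADER.size:
        return None
    _ispi, _rspi, _next, version, exchange, _flags, _msgid, length = IKE_HEADER.unpack_from(data)
    major = version >> 4
    if major not in (1, 2) or length < IKE_HEADER.size:
        return None
    names = V1_EXCHANGES if major == 1 else V2_EXCHANGES
    return major, names.get(exchange, f"exchange {exchange}")


def ikev1_sources(packets):
    """Count IKEv1 datagrams per source address from (src_ip, dst_port, payload) tuples."""
    hits = {}
    for src, port, payload in packets:
        result = classify_ike(payload, port)
        if result and result[0] == 1:
            hits[src] = hits.get(src, 0) + 1
    return hits


def _header(version, exchange):
    # Constructed sample header: fixed SPI bytes, no payloads, declared length 28.
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange, 0, 0, 28)


# Constructed sample traffic (documentation addresses), not captured from a real gateway.
SAMPLE = [
    ("198.51.100.7", 500, _header(0x10, 2)),
    ("198.51.100.7", 4500, b"\x00" * 4 + _header(0x10, 32)),
    ("203.0.113.9", 500, _header(0x20, 34)),
    ("203.0.113.9", 4500, b"\x12\x34\x56\x78" + b"\x00" * 40),
]

if __name__ == "__main__":
    print(ikev1_sources(SAMPLE))
```

A non-empty result after the gateway has been moved to IKEv2-only mode shows which peers still attempt IKEv1 and would be affected by, or blocked under, the restriction.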

Affected packages
  • checkpoint / Quantum Security Gateway
    R82.10 with Jumbo Hotfix Take 19 or below · R82 with Jumbo Hotfix Take 103 or below · R81.20 with Jumbo Hotfix Take 141 or below · R81.10, R81, and R80.40
  • checkpoint / Spark Firewalls
    R80.20.X, R81.10.X, and R82.00.X
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N