CVE-2026-50752: Certificate Validation Bypass in VPN Site-to-Site Connections Using IKEv1
A weakness in the certificate validation logic of the IKEv1 key exchange (deprecated by RFC 9395 in favour of IKEv2) may allow an unauthenticated attacker positioned as a man-in-the-middle to bypass certificate validation in VPN site-to-site connections that use certificate-based authentication. Successful exploitation could allow interception or modification of traffic traversing the VPN tunnel.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: none published yet
- Affected Products: 2
HarborGuard Analysis
Synopsis
A certificate validation bypass affects the IKEv1 key exchange implementation in Check Point Quantum Security Gateway and Spark Firewall products. An unauthenticated attacker with a man-in-the-middle position on the network path between two gateways can bypass certificate-based peer authentication for VPN site-to-site connections. Attack complexity is rated High solely because of that positional requirement; no credentials and no user interaction are needed. Successful exploitation allows the attacker to intercept or modify traffic that was expected to be protected inside the VPN tunnel. No fix versions have been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
- Detection of CVE-2026-50752 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that package affected Check Point components. Coverage extends to all registry types and CI pipeline stages where affected product versions may be present. (Status: Available)
- HarborGuard scores this CVE at its published CVSS v3.1 severity of 7.4 (HIGH) and weights it against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer org is available as soon as the match is confirmed. (Status: Available)
- Because no upstream fix versions have been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as Check Point publishes a fix. In the interim, compensating controls such as network-policy isolation of IKEv1-enabled interfaces and enforcement of IKEv2-only policies can be surfaced as advisory findings within the platform. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required. The attacker must be positioned on the network path between the two VPN peers to intercept and manipulate IKEv1 key exchange traffic.
- Authentication: Not required. No credentials or account are needed; the attacker exploits the validation flaw before any authenticated session is established.
- Victim interaction: Not required. No action by a user or administrator is required; exploitation targets the automated IKEv1 handshake between gateway peers.
- Attack complexity: High. The attacker must first obtain a man-in-the-middle position on the network path between the two VPN endpoints, which depends on environmental factors beyond the attacker's direct control.
Blast Radius
- Reads plaintext contents of traffic that was expected to be encrypted inside the VPN tunnel, including credentials, session data, and application payloads transiting the site-to-site connection.
- Modifies in-transit data between VPN sites without either endpoint detecting the tampering, enabling injection of malicious payloads into otherwise trusted internal traffic.
- Undermines the trust model of certificate-based peer authentication, allowing an adversary to impersonate a legitimate VPN peer gateway to one or both sides of the connection.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored against customer images containing affected Check Point Quantum Security Gateway and Spark Firewall versions across all connected registries and pipelines. Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle. When Check Point releases a patched version, a rebuilt image at that fix version becomes available immediately, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. While no patch is available, customers can use HarborGuard findings to inform compensating controls: restricting IKEv1 to only connections that strictly require it via firewall policy, enforcing IKEv2-only profiles where the peer supports it, and applying network-level isolation to segment IKEv1-enabled gateway interfaces from broader internal traffic. These recommendations surface as advisory findings within the platform for teams to act on directly.
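Every compensating control above starts from the same question: which site-to-site peers still negotiate with IKEv1? The following is an added example and not HarborGuard or Check Point code. It parses the fixed IKE header (RFC 2408 for IKEv1, RFC 7296 for IKEv2) from UDP/500 and UDP/4500 payloads, strips the NAT-T non-ESP marker on 4500 (RFC 3948), skips ESP-in-UDP and keepalives, and lists the peer pairs that are still on IKEv1 so they can be moved to IKEv2-only profiles or isolated. The (src, dst, dst_port, payload) tuples, addresses and packet bodies are constructed sample data; the header layout and exchange-type codes are from the RFCs. In practice you would feed it tuples extracted from a packet capture on the gateway's external interface.

```python
import struct
from collections import defaultdict

ISAKMP_HDR_LEN = 28  # fixed header, same layout in IKEv1 (RFC 2408) and IKEv2 (RFC 7296)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE on UDP/4500 (RFC 3948 section 2.2)

# (major version, exchange type) -> label; values from RFC 2408/2409 and RFC 7296
EXCHANGE_TYPES = {
    (1, 2): "IKEv1 Main Mode",        # Identity Protection exchange
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational",
    (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA",
    (2, 37): "IKEv2 INFORMATIONAL",
}


def parse_isakmp_header(payload: bytes, dst_port: int):
    """Parse the fixed IKE header from a UDP payload.

    Returns (major_version, exchange_type, flags, length), or None when the payload
    is not IKE: ESP-in-UDP or the 1-byte 0xFF NAT keepalive on 4500, a truncated
    datagram, or an unknown major version.
    """
    if dst_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None  # ESP has a non-zero SPI in the first 4 bytes; keepalive is 1 byte
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HDR_LEN:
        return None
    (_ispi, _rspi, _next_payload, version, exchange_type,
     flags, _msg_id, length) = struct.unpack("!QQBBBBII", payload[:ISAKMP_HDR_LEN])
    major = version >> 4  # high nibble = major version, low nibble = minor
    if major not in (1, 2) or length < ISAKMP_HDR_LEN:
        return None
    return major, exchange_type, flags, length


def build_isakmp(major, exchange_type, flags=0, ispi=0x1122334455667788, rspi=0, msg_id=0, body=b""):
    """Constructed test packet: fixed header (minor version 0) plus an opaque body."""
    version = (major << 4) | 0
    length = ISAKMP_HDR_LEN + len(body)
    return struct.pack("!QQBBBBII", ispi, rspi, 0, version, exchange_type, flags, msg_id, length) + body


def inventory(packets):
    """Map each unordered peer pair to the set of IKE exchange labels seen between them."""
    seen = defaultdict(set)
    for src, dst, dst_port, payload in packets:
        hdr = parse_isakmp_header(payload, dst_port)
        if hdr is None:
            continue
        major, exchange_type, _flags, _length = hdr
        label = EXCHANGE_TYPES.get((major, exchange_type), f"IKEv{major} exchange {exchange_type}")
        seen[tuple(sorted((src, dst)))].add(label)
    return dict(seen)


def ikev1_peer_pairs(packets):
    """Peer pairs still negotiating with IKEv1: candidates for IKEv2-only policy or isolation."""
    return sorted(pair for pair, labels in inventory(packets).items()
                  if any(label.startswith("IKEv1") for label in labels))


# Constructed sample traffic using documentation addresses (not real peers):
# A<->B on IKEv1 main + quick mode, C<->D on IKEv2 with NAT-T, E<->F on IKEv1 aggressive mode.
SAMPLE_PACKETS = [
    ("198.51.100.10", "203.0.113.20", 500, build_isakmp(1, 2, body=b"\x00" * 60)),
    ("203.0.113.20", "198.51.100.10", 500, build_isakmp(1, 2, rspi=0x99, body=b"\x00" * 60)),
    ("198.51.100.10", "203.0.113.20", 500, build_isakmp(1, 32, flags=0x01, rspi=0x99, msg_id=0xABCD, body=b"\x00" * 40)),
    ("198.51.100.30", "203.0.113.40", 500, build_isakmp(2, 34, flags=0x08, body=b"\x00" * 200)),
    ("198.51.100.30", "203.0.113.40", 4500, NON_ESP_MARKER + build_isakmp(2, 35, flags=0x08, rspi=0x77, msg_id=1, body=b"\x00" * 120)),
    ("198.51.100.30", "203.0.113.40", 4500, b"\x00\x00\x01\x02" + b"\x00" * 60),  # ESP-in-UDP, SPI 0x102
    ("198.51.100.30", "203.0.113.40", 4500, b"\xff"),                               # NAT keepalive
    ("198.51.100.50", "203.0.113.60", 500, build_isakmp(1, 4, body=b"\x00" * 80)),
]

if __name__ == "__main__":
    for pair, labels in sorted(inventory(SAMPLE_PACKETS).items()):
        print(pair, sorted(labels))
    print("IKEv1 peers to migrate or isolate:", ikev1_peer_pairs(SAMPLE_PACKETS))
```

The header only tells you the IKE version and exchange type, not the authentication method: whether a given IKEv1 peer uses certificates or pre-shared keys is negotiated inside the SA payload, so treat every IKEv1 pair this reports as in scope until the gateway configuration says otherwise.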
Affected Products
- checkpoint / Quantum Security Gateway: R82.10 with Jumbo Hotfix Take 19 or below · R82 with Jumbo Hotfix Take 103 or below · R81.20 with Jumbo Hotfix Take 141 or below · R81.10, R81, and R80.40
- checkpoint / Spark Firewalls: R80.20.X, R81.10.X, and R82.00.X
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N