Last Updated On

DAILY-2026-0610
Critical
Active Exploitation Confirmed

Enterprise Perimeters Fractured by Check Point VPN Zero-Day and Record-Breaking Patch Tuesday Volume

The threat landscape is currently dominated by the active exploitation of a critical Check Point VPN authentication bypass vulnerability by Qilin ransomware affiliates. Concurrently, Microsoft has released a historic patch update addressing an actively exploited Defender privilege escalation flaw and a wormable Windows Kernel remote code execution vulnerability. Furthermore, critical patching is urgently required for Veeam Backup servers and Ivanti Sentry gateways to prevent high-impact system compromises and ransomware staging. Security teams must act swiftly to secure perimeter access and endpoint controls ahead of a publicly threatened Secure Boot exploit release scheduled for June 14.

CVSS Score: 10

IOC Count: 0

Source Count: 7

Confidence Score: 82

CVEs

CVE-2026-50751, CVE-2026-50752, CVE-2026-44963, CVE-2026-10520, CVE-2026-10523, CVE-2026-41091, CVE-2026-45657, CVE-2026-47291, CVE-2026-44815, CVE-2026-45585, CVE-2026-50507, CVE-2026-49160, CVE-2026-45586, CVE-2026-33825, CVE-2026-45498, CVE-2026-48567, CVE-2026-26142, CVE-2026-42985

Actors

Qilin Ransomware Affiliates, Unspecified Financially Motivated Actors

Sectors

Enterprise, Government, Critical Infrastructure, Healthcare, Cloud Services

Regions

Global, United States

Chapter 01 - Executive Overview

  • A critical authentication bypass zero-day in Check Point VPN and firewall products, CVE-2026-50751, has been exploited in the wild since early May. The flaw exists in the deprecated IKEv1 key exchange protocol implementation, allowing unauthenticated remote attackers to establish full VPN sessions without valid credentials.

  • Qilin ransomware affiliates are actively exploiting this vulnerability for initial access, using a double-extortion posture that includes backup deletion and data exfiltration prior to encryption.

  • Microsoft has released its largest patch update in history, addressing 208 vulnerabilities. This includes an actively exploited Defender elevation of privilege flaw, CVE-2026-41091, and a wormable Windows Kernel remote code execution vulnerability, CVE-2026-45657.

  • A credible security researcher has announced a pending zero-day exploit release targeting Microsoft Secure Boot and BitLocker mechanisms, scheduled for June 14 if negotiations fail.

  • Veeam Backup and Replication environments face a critical remote code execution vulnerability, CVE-2026-44963, that allows any authenticated domain user to execute code on domain-joined backup servers, creating a high-impact latent risk.

  • Ivanti has patched two critical vulnerabilities in its Sentry gateways: an operating system command injection (CVE-2026-10520) and an authentication bypass (CVE-2026-10523) that together enable root-level compromise.

Chapter 02 - Threat & Exposure Analysis

  • Check Point CVE-2026-50751 is a logic flaw in the certificate validation process within the IKEv1 key exchange implementation. An attacker presenting a manipulated or absent certificate can complete the handshake and receive a valid VPN session token, bypassing the perimeter entirely. The 32-day gap between first observed exploitation and vendor disclosure represents a significant silent exploitation window.

  • Microsoft CVE-2026-45657 resides in the Windows Kernel TCP/IP packet processing path, allowing an unauthenticated remote attacker to trigger SYSTEM-level code execution without user interaction. Exploit development is highly active across the security industry.

  • Microsoft CVE-2026-41091 is an actively exploited Defender privilege escalation vulnerability currently circulating in post-exploitation toolkits.

  • Veeam CVE-2026-44963 permits remote code execution on backup servers by any authenticated domain user. Compromised backup services undermine recovery plans and enable stealthy mass encryption.

  • Ivanti CVE-2026-10520 enables remote attackers to execute arbitrary commands with root privileges due to insufficient input sanitization, while CVE-2026-10523 allows rogue administrative account creation.

Chapter 03 - Operational Response

  • Identify and immediately patch or mitigate all Check Point gateways using IKEv1 for Remote Access or Mobile Access.

  • Enforce multi-factor authentication on all externally facing services and review VPN access logs from early May onward for anomalous session establishments.

  • Patch the Windows Kernel for CVE-2026-45657 as the top priority, regardless of any conservative vendor exploitability rating.

  • Verify that Microsoft Defender automatic updates are active and manually update all isolated or air-gapped systems.

  • Upgrade affected Veeam installations to at least version 12.3.2.4854 or migrate to version 13.

  • Inventory all Ivanti Sentry deployments and apply the latest updates, ensuring administrative interfaces are not directly exposed to the internet.

Date        Event
2026-05-07  First exploitation of CVE-2026-50751 observed via vendor telemetry
2026-06-08  Check Point and Veeam publish public advisories and software patches
2026-06-08  Microsoft releases patch update addressing 208 vulnerabilities
2026-06-09  Federal agencies ordered to remediate Check Point vulnerability within 48 hours
2026-06-09  Ivanti discloses and patches critical Sentry vulnerabilities
2026-06-14  Pending researcher zero-day drop deadline for Secure Boot and BitLocker flaws

Chapter 04 - Detection Intelligence

  • The Check Point vulnerability arises from a logic flaw during IKEv1 key exchange: the validation process does not enforce binding between certificate content and authenticated identity before granting session establishment.

  • The Windows Kernel TCP/IP vulnerability fails to safely handle a specific malformed packet condition, enabling a remote attacker to trigger code execution. No authentication and no user interaction are required, satisfying wormable conditions.

  • The Veeam vulnerability is network-exploitable and does not require user interaction, allowing attackers to execute arbitrary code in the context of the Veeam service account on domain-joined servers.

  • The Ivanti OS command injection issue stems from insufficient sanitization of inputs passed to underlying operating system commands, leading to potential remote root-level command execution.

INSUFFICIENT SOURCE DATA

  • Consulted sources focus on vulnerability mechanics and remediation rather than shared infrastructure or specific indicators of compromise.

Sigma rule (YAML)

title: Check Point VPN Authentication Bypass Attempt CVE-2026-50751
status: experimental
description: Detects VPN session establishments on Check Point appliances where certificate validation indicators are absent or malformed
logsource:
  product: checkpoint
  service: vpn
detection:
  selection:
    EventID: 'VPN_AUTH_SUCCESS'
    auth_method: 'certificate'
  # certificate-based auth succeeded but the certificate fields are empty
  cert_missing:
    cert_subject: ''
    cert_issuer: ''
  # any session negotiated over the deprecated IKEv1 exchange
  ikev1:
    ike_version: '1'
  # Sigma timeframe lives at the detection level; the threshold is an
  # aggregation on the condition: three or more matching sessions from one source
  timeframe: 5m
  condition: selection and (cert_missing or ikev1) | count() by src_ip >= 3
falsepositives:
  - Legacy IKEv1 clients with valid certificates
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026-50751

Splunk SPL

index=checkpoint sourcetype=checkpoint:vpn ike_version="1"
| where isnull(cert_subject) OR cert_subject=""
| bin _time span=5m
| stats count, values(auth_method) AS auth_method BY _time, src_ip, dst_ip
| where count >= 2
| eval alert="Possible CVE-2026-50751 Exploitation Certless IKEv1 VPN Auth"
| table _time, src_ip, dst_ip, auth_method, count, alert
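Both the Sigma rule and the SPL search above combine a per-event match (a certificate-based session with empty certificate fields, or any IKEv1 session) with a per-source threshold inside a time window. The script below is an added example, not Inferlume's code and not a real Check Point log format: it applies that same logic to constructed key=value log lines so the threshold behaviour can be checked offline. The field names (src_ip, ike_version, cert_subject, cert_issuer, auth_method) are assumed to match the rules, and the script also covers the Chapter 03 step of reviewing VPN access logs from early May onward for anomalous session establishments.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value layout. The field names
# are assumed to match the Sigma/SPL rules above; real Check Point exports differ.
SAMPLE_LOGS = """\
time=2026-06-09T08:00:05Z src_ip=203.0.113.7 dst_ip=198.51.100.2 event=VPN_AUTH_SUCCESS auth_method=certificate ike_version=1 cert_subject= cert_issuer=
time=2026-06-09T08:01:10Z src_ip=203.0.113.7 dst_ip=198.51.100.2 event=VPN_AUTH_SUCCESS auth_method=certificate ike_version=1 cert_subject= cert_issuer=
time=2026-06-09T08:02:40Z src_ip=203.0.113.7 dst_ip=198.51.100.2 event=VPN_AUTH_SUCCESS auth_method=certificate ike_version=1 cert_subject= cert_issuer=
time=2026-06-09T08:03:00Z src_ip=192.0.2.44 dst_ip=198.51.100.2 event=VPN_AUTH_SUCCESS auth_method=certificate ike_version=1 cert_subject="CN=legacy-client" cert_issuer="CN=Corp CA"
time=2026-06-09T08:05:00Z src_ip=192.0.2.91 dst_ip=198.51.100.2 event=VPN_AUTH_SUCCESS auth_method=certificate ike_version=2 cert_subject="CN=alice" cert_issuer="CN=Corp CA"
time=2026-06-09T09:30:00Z src_ip=203.0.113.7 dst_ip=198.51.100.2 event=VPN_AUTH_SUCCESS auth_method=certificate ike_version=1 cert_subject= cert_issuer=
"""


def parse_line(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")  # first '=' separates key from value
        fields[key] = value
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def matches_sigma(ev):
    """Sigma condition: selection AND (certificate fields empty OR IKEv1)."""
    selection = (ev.get("event") == "VPN_AUTH_SUCCESS"
                 and ev.get("auth_method") == "certificate")
    cert_missing = ev.get("cert_subject", "") == "" and ev.get("cert_issuer", "") == ""
    ikev1 = ev.get("ike_version") == "1"
    return selection and (cert_missing or ikev1)


def certless_ikev1(events):
    """SPL criterion: an IKEv1 session that carries no certificate subject at all."""
    return [ev for ev in events
            if ev.get("ike_version") == "1" and not ev.get("cert_subject")]


def find_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once a single source produces `threshold` matching sessions
    inside a sliding window. Returns a list of (src_ip, time) alerts."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent matches
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_sigma(ev):
            continue
        queue = recent[ev["src_ip"]]
        queue.append(ev["time"])
        while ev["time"] - queue[0] > window:  # drop matches that aged out
            queue.popleft()
        if len(queue) >= threshold:
            alerts.append((ev["src_ip"], ev["time"]))
            queue.clear()  # one alert per burst, not one per extra event
    return alerts


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print(f"{len(certless_ikev1(events))} certificate-less IKEv1 sessions")
    for src, when in find_bursts(events):
        print(f"ALERT possible CVE-2026-50751 activity: {src} at {when:%Y-%m-%d %H:%M:%S}")
```

On the constructed input only 203.0.113.7 trips the burst threshold, at its third certificate-less session inside five minutes; its later session at 09:30 starts a fresh window and does not alert. The legacy IKEv1 client with a valid certificate matches the Sigma selection once (the false positive the rule lists) but never reaches the threshold. The sliding window is the point: counting sessions keyed on each event's own timestamp would always yield a count of one, so a threshold rule needs either a time bucket or a window like this one.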

YARA

rule Windows_Kernel_RCE_Stager_Generic {
    meta:
        description = "Heuristic kernel mode RCE shellcode indicators June 2026 Patch Tuesday context"
        author = "Inferlume CTI"
        date = "2026-06-10"
        severity = "HIGH"
    strings:
        // native memory allocation and thread creation APIs typical of injection stagers
        $nt_alloc  = "NtAllocateVirtualMemory" nocase
        $nt_write  = "NtWriteVirtualMemory" nocase
        $nt_create = "NtCreateThreadEx" nocase
        // NOP sled followed by int3 padding, a common shellcode landing pattern
        $shellcode_nop = { 90 90 90 90 CC CC CC CC }
        // reference to the Windows TCP/IP driver in which the CVE-2026-45657 packet path lives
        $tcpip_anomaly = "tcpip.sys" nocase
    condition:
        // all three Nt* API names plus either the byte pattern or the driver reference
        all of ($nt_*) and ($shellcode_nop or $tcpip_anomaly)
}

CVE Identifier   Technique ID   Technique Name                          Tactic
CVE-2026-50751   T1190          Exploit Public-Facing Application       Initial Access
CVE-2026-50751   T1486          Data Encrypted for Impact               Impact
CVE-2026-41091   T1068          Exploitation for Privilege Escalation   Privilege Escalation
CVE-2026-45657   T1210          Exploitation of Remote Services         Lateral Movement
CVE-2026-47291   T1190          Exploit Public-Facing Application       Initial Access
CVE-2026-45585   T1542.001      Pre-OS Boot: System Firmware            Persistence

Chapter 05 - Governance, Risk & Compliance

  • Active exploitation of the Check Point vulnerability imposes an immediate compliance-relevant control failure risk for organizations that fail to mitigate perimeter gateways.

  • Regulated sectors face explicit breach notification obligations if internal systems are accessed via the compromised VPN sessions.

  • The sheer volume of vulnerabilities fixed by Microsoft combined with an impending researcher exploit release requires elevated governance oversight to ensure patch compliance targets are met before active targeting begins.

  • Compromise of backup infrastructure via the Veeam vulnerability threatens organizational resilience commitments and operational continuity SLAs.

Chapter 06 - Adversary Emulation

  • Initial Access Emulation: Simulate VPN session establishment against an authorized test appliance utilizing crafted IKE Phase 1 packets.

  • Discovery Emulation: Execute remote system discovery via ping sweeps originating from the assigned VPN IP pool.

  • Lateral Movement Emulation: Initiate internal remote desktop protocol sessions utilizing VPN scoped credentials.

  • Exfiltration Emulation: Stage benign data to a temporary directory and simulate large outbound HTTPS data transfers mimicking ransomware payload staging.

Intelligence Confidence: 82%

Assessment Factor              Evaluation Result
Primary Vendor Corroboration   Strong corroboration across multiple vendor advisories
Exploitation Confirmation      Active exploitation explicitly confirmed by federal catalog inclusion
Threat Actor Attribution       Medium confidence based on single vendor telemetry
Indicator Availability         Insufficient open source technical indicators
Technique Mapping              Comprehensive mapping derived from known threat actor profiles